[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 24 09:47:39 MST 2014

On 24/01/14 15:51, Björn JACKE wrote:
> On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
>> On 22-01-2014 19:04, Björn JACKE wrote:
>>> On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
>>>> on a server running samba4 with sssd for nsswitch mapping, I
>>>> realized recently that on windows workstation in the "folder
>>>> property/security tab", users are mapped as "Unix user\userlogin"
>>>> instead of "DOMAINNAME\userlogin".
>>> (...)
>>> Because I read the sssd recommendations so often on the list recently - once
>>> more: sssd is NOT the right thing for Samba member server setups.
>> Scary. Why do you say so? Any rationale?
> winbind is interacting with smbd for id mapping and authentication. If you
> configured it right, it will work nice, even if you can read rants on winbind
> of one or two people in this list over and over again.
I agree if you configure winbind right it works, problem is too many
people get it wrong, because it kept changing and is just too complex.
> sssd supports user authentication for the pam stack nicely but this is not what
> smbd needs. sssd also just provides a flat view on the users and groups from an
> AD domain with no distinction between local accounts or accounts from domain A
> or domain B.  sssd uses samba libraries but it does not play information back
> to smbd like winbind does. As written before you would have to configure idmap
> nss and run winbind in addition to sssd but you will still have the problems
> with the flat view on the user and group name space.

Just what does winbind relay back to smbd? And getting sssd to work does
not require winbind.

>   If someone on the list
> writes that sssd in Samba member servers is supported, then this is a personal
> opinion of that person but this is the opposite of what the samba developers tell
> you.
Just what do you mean by member servers?

> The problem that Denis described in the beginning of this thread is a result of
> such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> combination with smbd member server setups in the wiki, please let me know, so
> we can correct it.
I personally think the problem was a lack of attributes in AD rather
than anything to do with either sssd or smbd, problem is Denis hasn't
reported back yet.


> Cheers
> Björn
