[Samba] samba4 and sssd and user mapping

Márcio Merlone marcio.merlone at a1.ind.br
Fri Jan 24 10:20:49 MST 2014

On 24-01-2014 13:51, Björn JACKE wrote:
> On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
>> On 22-01-2014 19:04, Björn JACKE wrote:
>>> On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
>>>> on a server running samba4 with sssd for nsswitch mapping, I
>>>> realized recently that on windows workstation in the "folder
>>>> property/security tab", users are mapped as "Unix user\userlogin"
>>>> instead of "DOMAINNAME\userlogin".
>>> (...)
>>> Because I read the sssd recommendations so often on the list recently - once
>>> more: sssd is NOT the right thing for Samba member server setups.
>> Scary. Why do you say so? Any rationale?
> winbind is interacting with smbd for id mapping and authentication. If you
> configured it right, it will work nice, even if you can read rants on winbind
> of one or two people in this list over and over again.
Winbind does not provide extended unix attributes (homedir, shell, etc.)
as sssd does. Is this the kind of rant you are referring to? If not, you may
add this. :)

> sssd supports user authentication for the pam stack nicely but this is not what
> smbd needs.
I understood it was the other way around: winbind needs smbd to get the
users list so the underlying operating system (linux for instance)
knows about them. That's what I (and I suppose most users) need.

> sssd also just provides a flat view on the users and groups from an
> AD domain with no distinction between local accounts or accounts from domain A
> or domain B.
Right, so on a single-domain setup this is no problem. Check?

> sssd uses samba libraries but it does not play information back
> to smbd like winbind does.
Sorry to abuse you, can you elaborate what kind of information winbind 
gives back to smbd, or point to good documentation?

> As written before you would have to configure idmap
> nss and run winbind in addition to sssd but you will still have the problems
> with the flat view on the user and group name space. If someone on the list
> writes that sssd in Samba member servers is supported, then this is a personal
> opinion of that person but this is the opposite of what the samba developers tell
> you.

> The problem that Denis described in the beginning of this thread is a result of
> such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> combination with smbd member server setups in the wiki, please let me know, so
> we can correct it.
The picture I have in my mind: I have a samba4 AD DC with one or more
BDCs to make windows users happy. I also have a mail server, proxy,
intranet and other services running on other servers that do not need
to know about windows information, just user database and
authentication. As I understand, those are member servers, with no
specific role on Windows networking, or at most, some filesystem
sharing. Does that need winbind? Seems to me that in such a case sssd is
better since it provides more extensive information.

[ ]'s

*Marcio Merlone*
IT - Network administrator

*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 9689-0036

http://www.a1.ind.br/
