[Samba] samba4 and sssd and user mapping
marcio.merlone at a1.ind.br
Fri Jan 24 10:20:49 MST 2014
On 24-01-2014 13:51, Björn JACKE wrote:
> On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
>> On 22-01-2014 19:04, Björn JACKE wrote:
>>> On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
>>>> on a server running samba4 with sssd for nsswitch mapping, I
>>>> realized recently that on windows workstation in the "folder
>>>> property/security tab", users are mapped as "Unix user\userlogin"
>>>> instead of "DOMAINNAME\userlogin".
>>> Because I read the sssd recommendations so often on the list recently - once
>>> more: sssd is NOT the right thing for Samba member server setups.
>> Scary. Why do you say so? Any rationale?
> winbind is interacting with smbd for id mapping and authentication. If you
> configured it right, it will work nice, even if you can read rants on winbind
> of one or two people in this list over and over again.
Winbind does not provide extended unix attributes (homedir, shell, etc)
as sssd does. Is this the kind of rant you are referring to? If not, you may
add this. :)
> sssd supports user authentication for the pam stack nicely but this is not what
> smbd needs.
I understood it was the other way around: winbind needs smbd to get the
users list so the underlying operating system (linux for instance)
knows about them. That's what I (and I suppose most users) need.
> sssd also just provides a flat view on the users and groups from an
> AD domain with no distinction between local accounts or accounts from domain A
> or domain B.
Right, so on a single-domain setup this is no problem. Check?
> sssd uses samba libraries but it does not play information back
> to smbd like winbind does.
Sorry to abuse you, can you elaborate what kind of information winbind
gives back to smbd, or point to good documentation?
> As written before you would have to configure idmap
> nss and run winbind in addition to sssd but you will still have the problems
> with the flat view on the user and group name space. If someone on the list
> writes that sssd in Samba member servers is supported, then this is a personal
> opinion of that person but this is the opposite of what the samba developers tell
> The problem that Denis described in the beginning of this thread is a result of
> such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> combination with smbd member server setups in the wiki, please let me know, so
> we can correct it.
The picture I have in my mind: I have a samba4 AD DC with one or more
BDC to make windows users happy. I also have a mail server, proxy,
intranet and other services running on other servers that do not need
to know about windows information, just user database and
authentication. As I understand, those are member servers, with no
specific role on Windows networking, or at most, some filesystem
sharing. Does that need winbind? Seems to me that in such case sssd is
better since it provides more extensive information.
IT - Network Administrator
*A1 Engenharia - Unidade Corporativa*
Fone: +55 41 3616-3797
Cel: +55 41 9689-0036