[Samba] samba4 and sssd and user mapping

steve steve at steve-ss.com
Sun Jan 26 04:40:00 MST 2014


On Fri, 2014-01-24 at 16:51 +0100, Björn JACKE wrote:
> On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
> > On 22-01-2014 19:04, Björn JACKE wrote:
> > >On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> > >>on a server running samba4 with sssd for nsswitch mapping, I
> > >>realized recently that on windows workstation in the "folder
> > >>property/security tab", users are mapped as "Unix user\userlogin"
> > >>instead of "DOMAINNAME\userlogin".
> > >(...)
> > >Because I read the sssd recommendations so often on the list recently - once
> > >more: sssd is NOT the right thing for Samba member server setups.
> > 
> > Scary. Why do you say so? Any rationale?
> 
> winbind is interacting with smbd for id mapping and authentication. If you
> configured it right, it will work nice, even if you can read rants on winbind
> of one or two people in this list over and over again.

Winbind and sssd do exactly the same job. Choose whichever one you feel
happy with.
> 
> sssd supports user authentication for the pam stack nicely but this is not what
> smbd needs. 

winbind also needs to be included in your pam configuration. smbd works
perfectly on a member server with both nss and pam controlled by sssd.

> sssd also just provides a flat view on the users and groups from an
> AD domain with no distinction between local accounts or accounts from domain A
> or domain B. sssd uses samba libraries but it does not play information back
> to smbd like winbind does. As written before you would have to configure idmap
> nss and run winbind in addition to sssd but you will still have the problems
> with the flat view on the user and group name space.

sssd does not need winbind running. You must NOT run winbindd together
with sssd. sssd is a substitute for winbindd. Use one or the other.

> If someone on the list
> writes that sssd in Samba member servers is supported, then this is a personal
> opinion of that person but this is the opposite of what the samba developers tell
> you.
> 

I've no idea what the personal opinions of the Samba developers are but
many of us here support sssd with Samba and certainly the sssd
developers support it fully. Of course, we mere samba list members
support it and shall continue to do so. We also help out with winbind
configurations too, especially on member servers.

> The problem that Denis described in the beginning of this thread is a result of
> such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> combination with smbd member server setups in the wiki, please let me know, so
> we can correct it.
> 
I believe the OP had problems because he had not included rfc2307
attributes in the DN of his users and groups.

Cheers,
Steve

> Cheers
> Björn
