[Samba] samba4 and sssd and user mapping

Björn JACKE bj at SerNet.DE
Mon Jan 27 06:43:52 MST 2014

On 2014-01-24 at 15:20 -0200 Márcio Merlone sent off:
> On 24-01-2014 13:51, Björn JACKE wrote:
> >On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
> >>On 22-01-2014 19:04, Björn JACKE wrote:
> >>>On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> >>>>on a server running samba4 with sssd for nsswitch mapping, I
> >>>>realized recently that on windows workstation in the "folder
> >>>>property/security tab", users are mapped as "Unix user\userlogin"
> >>>>instead of "DOMAINNAME\userlogin".
> >>>(...)
> >>>Because I read the sssd recommendations so often on the list recently - once
> >>>more: sssd is NOT the right thing for Samba member server setups.
> >>Scary. Why do you say so? Any rationale?
> >winbind is interacting with smbd for id mapping and authentication. If you
> >configured it right, it will work nice, even if you can read rants on winbind
> >of one or two people in this list over and over again.
> Winbind does not provide extended unix attributes (homedir, shell,
> etc) as sssd does. Is this kind of rant you are referring to? If
> not, you may add this. :)

actually yes. Unfortunately I didn't see your previous posts on this list where
you falsely advised the use of sssd instead of winbind before. It's also not
true that winbind does not provide the unix attributes like shell or homedir
to the nsswitch layer. Please read the smb.conf man page and also the wiki
carefully. You will find the parameter winbind nss info then.

> I understood it was the other way around: winbind needs smbd to get
> the users list so the underlying operating system (linux for
> instance) knows about them. That's what I (and suppose most users)
> need.

this is another misunderstanding. winbind does not need smbd, the other way
round is more correct.

> >sssd also just provides a flat view on the users and groups from an
> >AD domain with no distinction between local accounts or accounts from domain A
> >or domain B.
> Right, so on a single-domain setup this is no problem. Check?

you may be lucky but even with a single domain you may run into problems with
the flat view on the users and with name clashes with local users. And with
sssd and without winbind and idmap nss you won't really have domain users on
your system but a copy of the domain users locally on the server.

> >sssd uses samba libraries but it does not play information back
> >to smbd like winbind does.
> Sorry to abuse you, can you elaborate what kind of information
> winbind gives back to smbd, or point to good documentation?

see above

> >As written before you would have to configure idmap
> >nss and run winbind in addition to sssd but you will still have the problems
> >with the flat view on the user and group name space. If someone on the list
> >writes that sssd in Samba member servers is supported, then this is a personal
> >opinion of that person but this is the opposite of what the samba developers tell
> >you.
> Link?

if unfortunately nobody from the team corrected the false advice of using sssd
on samba member servers, then take my mails as reference if you want to
have a reference :-)

> >The problem that Denis described in the beginning of this thread is a result of
> >such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> >combination with smbd member server setups in the wiki, please let me know, so
> >we can correct it.
> The picture I have in my mind: I have a samba4 AD DC with one or
> more BDC to make windows users happy.

there is no such thing like a BDC if you run active directory

> I also have a mail server,
> proxy, intranet and other services running on other servers that
> does not need to know about windows information, just user database
> and authentication.

for pure authentication you don't need winbind but you cannot mix up all cases
together. There are use cases where sssd actually is a good option but
in the member server cases that we are talking about in this thread it
is not.

> As I understand, those are member servers, with
> no specific role on Windows networking, or at most, some filesystem
> sharing. Does that need winbind? Seems to me that in such case sssd
> is better since it provides more extensive information.

actually winbind provides the same information and even better. sssd is
currently better in offline authentication functionality I think.
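As an added illustration of the member-server setup Björn describes (this is not configuration from the thread or from the Samba project), the smb.conf fragment below uses the "winbind nss info" parameter he mentions so that winbind hands the AD home directory and shell to nsswitch, and keeps names domain-qualified so domain users cannot collide with local accounts. The realm, workgroup and ID ranges are placeholders.

```ini
# /etc/samba/smb.conf on an AD domain member file server (added example,
# not from the original mailing-list post). EXAMPLE.ORG / EXAMPLE and the
# ID ranges are placeholders; adjust them to the real domain.
[global]
    security = ADS
    realm = EXAMPLE.ORG
    workgroup = EXAMPLE

    # Keep names domain-qualified (EXAMPLE\user) so a domain user is never
    # confused with a local account of the same name.
    winbind use default domain = no

    # Default backend: allocation range for BUILTIN and any other domain.
    # Ranges of the different idmap backends must not overlap.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Primary domain: read uidNumber/gidNumber (RFC2307 attributes) from AD,
    # so every member server maps the same user to the same uid.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Hand the RFC2307 unixHomeDirectory and loginShell attributes to the
    # nsswitch layer; the template values are used only for users that
    # have no such attributes set in AD.
    winbind nss info = rfc2307
    template homedir = /home/%D/%U
    template shell = /bin/bash

    # Avoid walking the whole directory on every getpwent()/getgrent().
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = yes
```

With `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, `getent passwd 'EXAMPLE\alice'` should return the home directory and shell stored in AD, and `wbinfo -u` lists the domain users (Samba 4.6 and later use `idmap config EXAMPLE : unix_nss_info = yes` for the ad backend instead of "winbind nss info").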

