[Samba] samba4 and sssd and user mapping

Björn JACKE bj at SerNet.DE
Mon Jan 27 06:29:51 MST 2014

On 2014-01-24 at 16:47 +0000 Rowland Penny sent off:
> >winbind is interacting with smbd for id mapping and authentication. If you
> >configured it right, it will work nice, even if you can read rants on winbind
> >of one or two people in this list over and over again.
> I agree if you configure winbind right it works, problem is too many
> people get it wrong, because it kept changing and is just too
> complex

it's true that the winbind parameters changed some because the initial way to
configure the idmapping was not flexible enough and also a bit confusing. I
think since Samba 3.6 the parameters have been stable and straightforward to
configure. If you read the release notes and the man pages you should have no
problem setting it up properly.

> >sssd supports user authentication for the pam stack nicely but this is not what
> >smbd needs. sssd also just provides a flat view on the users and groups from an
> >AD domain with no distinction between local accounts or accounts from domain A
> >or domain B.  sssd uses samba libraries but it does not play information back
> >to smbd like winbind does. As written before you would have to configure idmap
> >nss and run winbind in addition to sssd but you will still have the problems
> >with the flat view on the user and group name space.
> Just what does winbind relay back to smbd? and to get sssd to work
> does not require winbind.

smbd checks if winbind is running and winbind acts as an authentication proxy
for smbd in that case. Winbind is also able to handle local groups correctly.
Without winbind smbd just sees a flat hierarchy of unix users and
those will also not be represented to connecting clients with the
correct domain sid, unless you run winbind additionally with idmap nss,
as I've written before.

> >  If someone on the list
> >writes that sssd in Samba member servers is supported, then this is a personal
> >opinion of that person but this is the opposite of what the samba developers tell
> >you.
> Just what do you mean by member servers?

any file/print server running smbd.

> >The problem that Denis described in the beginning of this thread is a result of
> >such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
> >combination with smbd member server setups in the wiki, please let me know, so
> >we can correct it.
> I personally think the problem was a lack of attributes in AD rather
> than anything to do with either sssd or smbd, problem is Denis hasn't
> reported back yet.

it's most likely the lack of winbind, see above.
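An added illustration, not part of Björn's message: an smb.conf fragment for a Samba 3.6-or-later domain member file server that runs winbind, using the per-domain idmap parameters the message refers to. The domain name EXAMPLE, the realm and the id ranges are placeholders chosen for this example.

```ini
# Constructed example smb.conf for a Samba (3.6+) domain member server.
# Domain EXAMPLE / realm EXAMPLE.LOCAL and all id ranges are placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads

    # Default backend: SIDs not belonging to a configured domain (BUILTIN,
    # the server's own local SIDs) get ids allocated here. Keep this range
    # disjoint from every domain range below, otherwise mappings collide.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain accounts: algorithmic RID-based mapping. Every member server
    # with the same range derives the same uid/gid, and no extra POSIX
    # attributes are needed in AD.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Variant described in the thread when sssd must keep owning the unix
    # user view: winbind resolves ids through the NSS stack instead of
    # allocating them. Replace the two EXAMPLE lines above with these.
    # winbind still has to run so that smbd presents the correct domain
    # SID to clients and handles local groups.
    ; idmap config EXAMPLE : backend = nss
    ; idmap config EXAMPLE : range = 10000-999999
```

After `net ads join`, `wbinfo -t` confirms the machine account trust and `wbinfo -i 'EXAMPLE\someuser'` shows whether winbind resolves a domain user to the expected uid/gid.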
