[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 07:04:26 MST 2014

On 27/01/14 13:29, Björn JACKE wrote:
> On 2014-01-24 at 16:47 +0000 Rowland Penny sent off:
>>> winbind is interacting with smbd for id mapping and authentication. If you
>>> configured it right, it will work nice, even if you can read rants on winbind
>>> of one or two people in this list over and over again.
>> I agree if you configure winbind right it works, problem is too many
>> people get it wrong, because it kept changing and is just too
>> complex
> it's true that the winbind parameters changed some because the initial way to
> configure the idmapping was not flexible enough and also a bit confusing. I
> think since Samba 3.6 the parameters have been stable and straight forward to
> configure. If you read the release notes and the man pages you should have no
> problem to set it up properly.

In which case why do so many people get it wrong?

>>> sssd supports user authentication for the pam stack nicely but this is not what
>>> smbd needs. sssd also just provides a flat view on the users and groups from an
>>> AD domain with no distinction between local accounts or accounts from domain A
>>> or domain B.  sssd uses samba libraries but it does not play information back
>>> to smbd like winbind does. As written before you would have to configure idmap
>>> nss and run winbind in addition to sssd but you will still have the problems
>>> with the flat view on the user and group name space.
>> Just what does winbind relay back to smbd? And to get sssd to work
>> does not require winbind.
> smbd checks if winbind is running and winbind acts as an authentication proxy
> for smbd in that case. Winbind is also able to handle local groups correctly.
> Without winbind smbd just sees a flat hierarchy of unix users and
> those will also not be represented to connecting clients with the
> correct domain sid, unless you run winbind additionally with idmap nss,
> as I've written before.
>>> If someone on the list
>>> writes that sssd in Samba member servers is supported, then this is a personal
>>> opinion of that person but this is the opposite of what the samba developers tell
>>> you.
>> Just what do you mean by member servers?
> any file/print server running smbd.
>>> The problems that Denis described in the beginning of this thread are a result of
>>> such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
>>> combination with smbd member server setups in the wiki, please let me know, so
>>> we can correct it.
>> I personally think the problem was a lack of attributes in AD rather
>> than anything to do with either sssd or smbd, problem is Denis hasn't
>> reported back yet.
> it's most likely the lack of winbind, see above.

Well you must be wrong there, it works for me and I do not use winbind
at all.

> Björn
