[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 07:16:55 MST 2014

On 27/01/14 13:43, Björn JACKE wrote:
> On 2014-01-24 at 15:20 -0200 Márcio Merlone sent off:
>> On 24-01-2014 13:51, Björn JACKE wrote:
>>> On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
>>>> On 22-01-2014 19:04, Björn JACKE wrote:
>>>>> On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
>>>>>> on a server running samba4 with sssd for nsswitch mapping, I
>>>>>> realized recently that on windows workstation in the "folder
>>>>>> property/security tab", users are mapped as "Unix user\userlogin"
>>>>>> instead of "DOMAINNAME\userlogin".
>>>>> (...)
>>>>> Because I read the sssd recommendations so often on the list recently - once
>>>>> more: sssd is NOT the right thing for Samba member server setups.
>>>> Scary. Why do you say so? Any rationale?
>>> winbind is interacting with smbd for id mapping and authentication. If you
>>> configured it right, it will work nice, even if you can read rants on winbind
>>> of one or two people in this list over and over again.
>> Winbind does not provide extended unix attributes (homedir, shell,
>> etc) as sssd does. Is this kind of rant you are referring to? If
>> not, you may add this. :)
> actually yes. Unfortunately I didn't see your previous posts on this list where
> you falsely advised the use of sssd instead of winbind before. It's also not
> true that winbind does not provide the unix attributes like shell or homedir
> to the nsswitch layer. Please read the smb.conf man page and also the wiki
> carefully. You will find the parameter winbind nss info then.
>> I understood it was the other way around: winbind needs smbd to get
>> the users list so the underlying operating system (linux for
>> instance) knows about them. That's what I (and suppose most users)
>> need.
> this is another misunderstanding. winbind does not need smbd, the other way
> round is more correct.

Just where do you get your info from???

You can run smbd without winbind even being installed, but just what are 
you going to do with winbind if smbd is not installed.

>>> sssd also just provides a flat view on the users and groups from an
>>> AD domain with no distinction between local accounts or accounts from domain A
>>> or domain B.
>> Right, so on a single-domain setup this is no problem. Check?
> you may be lucky but even with a single domain you may run into problems with
> the flat view on the users and with name clashes with local users. And with
> sssd and without winbind and idmap nss you won't really have domain users on
> your system but a copy of the domain users locally on the server.

Yes you are right, you cannot have the same username locally and in AD, 
but this would still be the case if you use sssd or winbind.
Could you please explain just what you mean by 'flat view' and how 
pulling RFC attributes with winbind differs from pulling them with sssd?

>>> sssd uses samba libraries but it does not play information back
>>> to smbd like winbind does.
>> Sorry to abuse you, can you elaborate what kind of information
>> winbind gives back to smbd, or point to good documentation?
> see above

No, you didn't answer the question, will you please answer it.

>>> As written before you would have to configure idmap
>>> nss and run winbind in addition to sssd but you will still have the problems
>>> with the flat view on the user and group name space. If someone on the list
>>> writes that sssd in Samba member servers is supported, then this is a personal
>>> opinion of that person but this is the opposite of what the samba developers tell
>>> you.
>> Link?


> if unfortunately nobody from the team corrected the false advice of using sssd
> on samba member servers, then take my mails as reference if you want to
> have a reference :-)

Why? You just seem to be spouting 'do not use sssd' without giving good 
reasons why not.

>>> The problem that Denis described in the beginning of this thread are a result of
>>> such an sssd/smbd misconfiguration. If you see any recommendation about sssd in
>>> combination with smbd member server setups in the wiki, please let me know, so
>>> we can correct it.
>> The picture I have in my mind: I have a samba4 AD DC with one or
>> more BDC to make windows users happy.
> there is no such thing like a BDC if you run active directory

Yes there is, every DC is also a BDC.

>> I also have a mail server,
>> proxy, intranet and other services running on other servers that
>> does not need to know about windows information, just user database
>> and authentication.
> for pure authentication you don't need winbind but you cannot mix up all cases
> together. There are use cases where sssd actually is a good option but
> in the member server cases that we are talking about in this thread it
> is not.

Why not, please give reasons why not.

>> As I understand, those are member servers, with
>> no specific role on Windows networking, or at most, some filesystem
>> sharing. Does that need winbind? Seems to me that in such case sssd
>> is better since it provides more extensive information.
> actually winbind provides the same information and even better. sssd is
> currently better in offline authentication functionality I think.

This is probably the only thing that you have got right, you do not have 
to touch the PAM stack to get it working.

> Björn
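The thread turns on two points: whether winbind can supply the RFC2307 attributes (login shell, home directory) that people turn to sssd for, and why a member server that relies on sssd alone shows "Unix user\login" rather than "DOMAIN\login" in Windows security dialogs (smbd takes its SID-to-name mapping from winbind, not from the nsswitch layer). The smb.conf fragment below is an added illustration of the winbind-based member server configuration Björn describes; it is not taken from the original post or from the Samba project's documentation. SAMDOM, samdom.example.com and the ID ranges are placeholder values.

```ini
# /etc/samba/smb.conf on a domain member server (added example; SAMDOM,
# SAMDOM.EXAMPLE.COM and the ID ranges are placeholder values)
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # Catch-all backend for SIDs not covered by a domain-specific map
    # (BUILTIN and similar); allocates IDs in a local tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Read uidNumber/gidNumber from the RFC2307 attributes stored in AD, so
    # every member server resolves the same domain user to the same uid/gid.
    # The range must not overlap the '*' range above.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    # The parameter Björn refers to: have winbind hand loginShell and
    # unixHomeDirectory from AD to nsswitch instead of the template values.
    winbind nss info = rfc2307
    template shell = /bin/false
    template homedir = /home/%D/%U

    # Keep the DOMAIN\user form so local and domain accounts cannot collide.
    winbind use default domain = no
    winbind refresh tickets = yes
```

With `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf and the server joined via `net ads join`, `getent passwd 'SAMDOM\user'` and `wbinfo -i 'SAMDOM\user'` should both return the uid, home directory and shell held in AD; if `getent` still shows the template values, winbind nss info is not taking effect. `net ads testjoin` confirms the machine account is valid. Running sssd alongside this for the same domain is exactly the overlapping-mapping situation the thread warns about.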
