[Samba] samba4 and sssd and user mapping

Michael Adam obnox at samba.org
Mon Jan 27 08:14:17 MST 2014

Hi Rowland,

On 2014-01-27 at 14:37 +0000, Rowland Penny wrote:
> On 27/01/14 14:30, Volker Lendecke wrote:
> >On Mon, Jan 27, 2014 at 02:43:52PM +0100, Björn JACKE wrote:
> >>if unfortunately nobody from the team corrected the false advice of using sssd
> >>on samba member servers, then take my mails as reference if you want to
> >>have a reference :-)
> >Just a confirmation from my side here. You might go with
> >sssd for the end-user workstation case for some reason, but
> >please use winbind for the file server case. winbind does
> >the workstation case well also, so the main reason for sssd
> >is the IPA/LDAP backend flexibility in the workstation case.
> >
> >With best regards,
> >
> >Volker Lendecke
> >
> I am sorry Volker, but just saying don't use sssd for a file server
> is not good enough, you must give good reasons why. From my
> experience, telling somebody 'do not do this', without explaining
> why, is a recipe for disaster.
> Just what does winbind do that sssd doesn't?

Let's put it differently:

  What is winbindd that sssd is not?

  Winbindd is the part of the samba software suite
  that is developed with samba, and has the responsibility
  of doing authentication (e.g. against AD) and id-mapping
  for smbd. As such it is the component recommended by the
  samba developers to use (e.g.) in a domain-member setup
  along with smbd.

  sssd, on the other hand, is not developed by the samba team.
  It is third-party software that can take on similar roles
  as winbindd in some scenarios. As such it is of course not
  recommended by the samba developers, even though you might
  get it to work.

Does this make it more clear?
This is actually the main point the samba developers are
trying to make.

Getting more technical again now:

Winbindd does the authentication against AD and retrieval of the
user and group info from an AD domain the Windows way, and
tries to map the info as closely and Windows-like as possible,
in particular with information about nested groups, etc.

sssd, on the other hand, I don't know well enough. But
as far as I am aware, sssd, coming from the FreeIPA/LDAP world,
uses LDAP and direct Kerberos auth where possible instead of
Windows-native methods, which leads to certain tradeoffs. Some
info is simply not accessible that way, or is presented incorrectly.

Cheers - Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 215 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20140127/9d005eef/attachment.pgp>
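The domain-member setup Michael refers to, as an added illustration that is not part of the thread: an smb.conf for an AD member server that hands authentication and id-mapping to winbindd rather than sssd, plus the matching nsswitch.conf lines. The domain name EXAMPLE, realm EXAMPLE.COM and the idmap ranges are placeholder assumptions, not values from the thread; the option names are standard smb.conf(5) parameters.

```ini
; /etc/samba/smb.conf on an AD domain member (added example, placeholder names)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   ; idmap for the default domain (BUILTIN, well-known SIDs): allocate-on-demand tdb
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; idmap for the AD domain itself: deterministic RID-based mapping, no local state
   ; (same SID always yields the same uid/gid on every member server)
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   ; winbindd supplies passwd/group entries for domain users, including nested groups
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U
   kerberos method = secrets and keytab

; /etc/nsswitch.conf lines that let the OS resolve domain users via winbindd:
;   passwd: files winbind
;   group:  files winbind
```

Keep the `*` range and the domain range disjoint; overlapping ranges are rejected by winbindd. After joining with `net ads join -U Administrator` and starting winbindd, `wbinfo -u`, `wbinfo -g` and `getent passwd 'EXAMPLE\\someuser'` confirm that id-mapping is served by winbindd and not by another NSS source.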
