[Samba] samba4 and sssd and user mapping

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Jan 27 08:20:40 MST 2014


On Mon, Jan 27, 2014 at 02:37:04PM +0000, Rowland Penny wrote:
> I am sorry Volker, but just saying don't use sssd for a file server
> is not good enough, you must give good reasons why. From my
> experience, telling somebody 'do not do this', without explaining
> why, is a recipe for disaster.
> 
> Just what does winbind do that sssd doesn't?

While I can not fully speak for sssd, I know that winbind
does many things which are entirely not obvious to an AD
client. For example DC lookup is pretty complex, winbind is
site aware and prefers local DCs. winbind is pretty up to
date with the latest Microsoft RPC security negotiation
things and is being updated as they come in. winbind is very
flexible with idmapping and goes a long way to properly
cache idmappings with smbd via gencache for good
performance. winbind is at this moment being improved
significantly to much better deal with machine password
changes and potentially slow AD replication of those
changes.

None of this is rocket science and sssd can implement all of
this itself for sure. In particular as one of the initial
authors of sssd is Simo Sorce, Samba Team Member, it is
entirely possible that Simo translates all winbind
achievements into sssd features. Maybe the current sssd
authors can better comment on the few points I made above.
It is just a lot of work that the Samba Team members put
into the RPC client infrastructure that winbind uses, and I
would be very surprised if sssd uses that 1:1.

I just want to say that AD membership can be pretty complex,
and winbind is rather up to date with all the subtleties.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de