[Samba] samba4 and sssd and user mapping

Márcio Merlone marcio.merlone at a1.ind.br
Mon Jan 27 08:31:05 MST 2014


Em 27-01-2014 11:43, Björn JACKE escreveu:
>> Winbind does not provide extended unix attributes (homedir, shell, 
>> etc) as sssd does. Is this kind of rant you are referring to? If not, 
>> you may add this. :) 
> actually yes. Unfortunately I didn't see your previous posts on this list where
> you false advised the use of sssd instead of winbind before.
Me? Noooo. I am not in position to advice anything other than "replace 
your windows server for a samba server". I am looking for advice, not 
the other way around.

> It's also not
> true, that winbind does not provide the unix attributes like shell or homedir
> to the nsswitch layer. Please read the smb.conf man page and also the wiki
> carefully. You will find the parameter winbind nss info then.
Ok. So I read:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
and
http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html

In short: winbind does not provide unix attributes like shell or homedir 
to the nsswitch layer *as defined on their AD database attributes*. It 
provides those as defined on a template, which may not satisfy all 
admins - users don't care about it :)

I believe that the confusion on this thread and advantage of sssd over 
winbind are the lack of "template homedir" and "template shell" parameters.
I'll explain: if you provision your AD DC with rfc2307 attributes for 
some users, they are ignored by winbind - except uid and gid - and 
templates used instead. So, if I have '/home/users/%n' as homedir for 
all users, but only one must have '/home/ftp/ftpuser', winbind will see 
it as '/home/user/ftpuser' and not what's defined on AD database.

I understand that AD is a Windows-centric service, not meant to manage 
users on a POSIX environment, but since it does, it should do it wright.


>> As I understand, those are member servers, with
>> no specific role on Windows networking, or at most, some filesystem
>> sharing. Does that need winbind? Seems to me that in such case sssd
>> is better since it provides more extensive information.
> actually winbind provides the same information and even better. sssd is
> currently better in offline authentication functionality I think.
"Better" is way too subjective and personal. It is worse for me given 
the above.


-- 
*Marcio Merlone*
TI - Administrador de redes

*A1 Engenharia - Unidade Corporativa*
Fone: 	+55 41 3616-3797
Cel: 	+55 41 9689-0036

http://www.a1.ind.br/ <http://www.a1.ind.br>


More information about the samba mailing list