[Samba] samba4 and sssd and user mapping
Márcio Merlone
marcio.merlone at a1.ind.br
Mon Jan 27 08:31:05 MST 2014
Em 27-01-2014 11:43, Björn JACKE escreveu:
>> Winbind does not provide extended unix attributes (homedir, shell,
>> etc) as sssd does. Is this kind of rant you are referring to? If not,
>> you may add this. :)
> actually yes. Unfortunately I didn't see your previous posts on this list where
> you false advised the use of sssd instead of winbind before.
Me? Noooo. I am not in position to advice anything other than "replace
your windows server for a samba server". I am looking for advice, not
the other way around.
> It's also not
> true, that winbind does not provide the unix attributes like shell or homedir
> to the nsswitch layer. Please read the smb.conf man page and also the wiki
> carefully. You will find the parameter winbind nss info then.
Ok. So I read:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
and
http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html
In short: winbind does not provide unix attributes like shell or homedir
to the nsswitch layer *as defined on their AD database attributes*. It
provides those as defined on a template, which may not satisfy all
admins - users don't care about it :)
I believe that the confusion on this thread and advantage of sssd over
winbind are the lack of "template homedir" and "template shell" parameters.
I'll explain: if you provision your AD DC with rfc2307 attributes for
some users, they are ignored by winbind - except uid and gid - and
templates used instead. So, if I have '/home/users/%n' as homedir for
all users, but only one must have '/home/ftp/ftpuser', winbind will see
it as '/home/user/ftpuser' and not what's defined on AD database.
I understand that AD is a Windows-centric service, not meant to manage
users on a POSIX environment, but since it does, it should do it wright.
>> As I understand, those are member servers, with
>> no specific role on Windows networking, or at most, some filesystem
>> sharing. Does that need winbind? Seems to me that in such case sssd
>> is better since it provides more extensive information.
> actually winbind provides the same information and even better. sssd is
> currently better in offline authentication functionality I think.
"Better" is way too subjective and personal. It is worse for me given
the above.
--
*Marcio Merlone*
TI - Administrador de redes
*A1 Engenharia - Unidade Corporativa*
Fone: +55 41 3616-3797
Cel: +55 41 9689-0036
http://www.a1.ind.br/ <http://www.a1.ind.br>
More information about the samba
mailing list