[Samba] samba4 and sssd and user mapping
Rowland Penny
rowlandpenny at googlemail.com
Mon Jan 27 08:33:58 MST 2014
On 27/01/14 15:20, Volker Lendecke wrote:
> On Mon, Jan 27, 2014 at 02:37:04PM +0000, Rowland Penny wrote:
>> I am sorry Volker, but just saying don't use sssd for a file server
>> is not good enough, you must give good reasons why. From my
>> experience, telling somebody 'do not do this', without explaining
>> why, is a recipe for disaster.
>>
>> Just what does winbind do that sssd doesn't?
> While I cannot fully speak for sssd, I know that winbind
> does many things which are entirely not obvious to an AD
> client. For example DC lookup is pretty complex, winbind is
> site aware and prefers local DCs. winbind is pretty up to
> date with the latest Microsoft RPC security negotiation
> things and is being updated as they come in. winbind is very
> flexible with idmapping and goes a long way to properly
> cache idmappings with smbd via gencache for good
> performance. winbind is at this moment being improved
> significantly to much better deal with machine password
> changes and potentially slow AD replication of those
> changes.
>
> None of this is rocket science and sssd can implement all of
> this itself for sure. In particular as one of the initial
> authors of sssd is Simo Sorce, Samba Team Member, it is
> entirely possible that Simo translates all winbind
> achievements into sssd features. Maybe the current sssd
> authors can better comment on the few points I made above.
> It is just a lot of work that the Samba Team members put
> into the RPC client infrastructure that winbind uses, and I
> would be very surprised if sssd uses that 1:1.
>
> I just want to say that AD membership can be pretty complex,
> and winbind is rather up to date with all the subtleties.
>
> With best regards,
>
> Volker Lendecke
>
Thanks Volker (and Michael), this makes it a bit clearer. I understand
that it probably is better to use winbind instead of sssd, it is just
that winbind is such a pain to set up correctly. Don't get me wrong, but
don't all the posts about setting winbind up tell you anything? You
might think it is easy, but anything is easy when you know how.
I personally think that what is required is the winbind backend with the
sssd front end stuck on it ;-)
I thought that sssd were working on making their ad backend work like
winbind, so I think that I will go and ask them what they think.
Rowland