[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 08:33:58 MST 2014

On 27/01/14 15:20, Volker Lendecke wrote:
> On Mon, Jan 27, 2014 at 02:37:04PM +0000, Rowland Penny wrote:
>> I am sorry Volker, but just saying don't use sssd for a file server
>> is not good enough, you must give good reasons why. From my
>> experience, telling somebody 'do not do this', without explaining
>> why, is a recipe for disaster.
>> Just what does winbind do that sssd doesn't?
> While I can not fully speak for sssd, I know that winbind
> does many things which are entirely not obvious to an AD
> client. For example DC lookup is pretty complex, winbind is
> site aware and prefers local DCs. winbind is pretty up to
> date with the latest Microsoft RPC security negotiation
> things and is being updated as they come in. winbind is very
> flexible with idmapping and goes a long way to properly
> cache idmappings with smbd via gencache for good
> performance. winbind is at this moment being improved
> significantly to much better deal with machine password
> changes and potentially slow AD replication of those
> changes.
> None of this is rocket science and sssd can implement all of
> this itself for sure. In particular as one of the initial
> authors of sssd is Simo Sorce, Samba Team Member, it is
> entirely possible that Simo translates all winbind
> achievements into sssd features. Maybe the current sssd
> authors can better comment on the few points I made above.
> It is just a lot of work that the Samba Team members put
> into the RPC client infrastructure that winbind uses, and I
> would be very surprised if sssd uses that 1:1.
> I just want to say that AD membership can be pretty complex,
> and winbind is rather up to date with all the subtleties.
> With best regards,
> Volker Lendecke
Thanks Volker (and Michael), this makes it a bit clearer. I understand 
that it probably is better to use winbind instead of sssd, it is just 
that winbind is such a pain to set up correctly. Don't get me wrong, but 
don't all the posts about setting winbind up tell you anything, you 
might think it is easy, but anything is easy when you know how.

I personally think that what is required is the winbind backend with the 
sssd front end stuck on it ;-)

I thought that sssd were working on making their ad backend work like 
winbind, so I think that I will go and ask them what they think.
