[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 09:13:24 MST 2014

On 27/01/14 15:31, Márcio Merlone wrote:
> On 27-01-2014 11:43, Björn JACKE wrote:
>>> Winbind does not provide extended unix attributes (homedir, shell, 
>>> etc) as sssd does. Is this kind of rant you are referring to? If 
>>> not, you may add this. :) 
>> actually yes. Unfortunately I didn't see your previous posts on this 
>> list where
>> you falsely advised the use of sssd instead of winbind before.
> Me? Noooo. I am not in a position to advise anything other than "replace 
> your windows server for a samba server". I am looking for advice, not 
> the other way around.
>> It's also not
>> true, that winbind does not provide the unix attributes like shell or 
>> homedir
>> to the nsswitch layer. Please read the smb.conf man page and also the 
>> wiki
>> carefully. You will find the parameter winbind nss info then.
> Ok. So I read:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
> and
> http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html
Please don't bother with the first page you quoted; it is mostly out of 
date and relates to version 3.5. The second page is also slightly out of 
date (for instance, at one point it mentions SWAT, this has now been 

> In short: winbind does not provide unix attributes like shell or 
> homedir to the nsswitch layer *as defined on their AD database 
> attributes*. It provides those as defined on a template, which may not 
> satisfy all admins - users don't care about it :)

I believe that here you are referring to winbind on the samba 4 AD 
server; this is built into the samba daemon and does not work like the 
separate winbind daemon. The main problem is the one that you have 
mentioned, but it is actually worse than you think: you cannot use 
placeholders in the templates, i.e. if you try to use /home/%u in the 
home directory template, all your users will get the literal home 
directory of /home/%u.

> I believe that the confusion on this thread and advantage of sssd over 
> winbind are the lack of "template homedir" and "template shell" 
> parameters.
> I'll explain: if you provision your AD DC with rfc2307 attributes for 
> some users, they are ignored by winbind - except uid and gid - and 
> templates used instead. So, if I have '/home/users/%n' as homedir for 
> all users, but only one must have '/home/ftp/ftpuser', winbind will 
> see it as '/home/user/ftpuser' and not what's defined on AD database.
> I understand that AD is a Windows-centric service, not meant to manage 
> users on a POSIX environment, but since it does, it should do it right.
Yes, AD is windows-centric, well it would be, after all it came from 
windows ;-)
But, windows came up with SFU (this seems to have been re-named several 
times) and I personally think that is the way to go, put all the linux 
info into the RFC2307 attributes and use something to pull these. The 
easiest way (note I do not say the best way) at the moment seems to be 
to use sssd.


>>> As I understand, those are member servers, with
>>> no specific role on Windows networking, or at most, some filesystem
>>> sharing. Does that need winbind? Seems to me that in such case sssd
>>> is better since it provides more extensive information.
>> actually winbind provides the same information and even better. sssd is
>> currently better in offline authentication functionality I think.
> "Better" is way too subjective and personal. It is worse for me given 
> the above.
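For a Samba domain member (the separate winbindd case, not the built-in winbind on the AD DC that Rowland describes above), the two lookup modes the thread is arguing about side by side in smb.conf. This is an added example, not configuration from the thread or from the Samba project; the workgroup, realm and ID ranges are assumed placeholders.

```ini
# Added example: smb.conf fragment for a Samba domain member.
# Assumed placeholders: workgroup EXAMPLE, realm EXAMPLE.COM, ID ranges.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Mode 1: template-based NSS info (the behaviour Márcio objects to).
   # Every domain user gets the same shell and home directory pattern;
   # unixHomeDirectory / loginShell stored in AD are ignored, only the
   # uid/gid are used. Uncomment these three lines to select it.
   #winbind nss info = template
   #template homedir = /home/%U
   #template shell = /bin/bash

   # Mode 2: read the RFC2307 attributes from the user's AD object, so a
   # single user can have /home/ftp/ftpuser while everyone else keeps
   # /home/users/<name>, exactly as set in AD.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   winbind nss info = rfc2307
   winbind use default domain = yes
```

After restarting winbind, compare `getent passwd <user>` against the user's unixHomeDirectory and loginShell values in AD; a user whose attributes are unset falls back to the templates, so give every POSIX user complete RFC2307 attributes rather than relying on the defaults.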
