[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 13:24:05 MST 2014

On 27/01/14 19:50, Volker Lendecke wrote:
> On Mon, Jan 27, 2014 at 06:56:51PM +0100, steve wrote:
>> On Mon, 2014-01-27 at 15:39 +0100, Volker Lendecke wrote:
>>> On Mon, Jan 27, 2014 at 02:26:17PM +0000, Rowland Penny wrote:
>>>>> you are talking about completely different setups here. A smbd
>>>>> file/print server does not use pam at all.
>>>> So how does smbd get its authentication then in an AD domain?
>>> Look at "wbinfo -a". This exactly simulates what smbd is
>>> doing. Forward the authentication credentials to AD.
>>> Alternatively, if kerberos is used, smbd and winbind
>>> communicate via the netsamlogon_cache.tdb. smbd puts the
>>> windows authorization information into that file, winbind
>>> then retrieves it from there when nss information is being
>>> asked for. I'm not sure sssd does that the same way.
>>> Volker
>> Well, thanks. But no thanks. That's not enough to convince us to even
>> think about winbind as a substitute for sssd on our 600 user 80 machine
>> domain, especially since winbind on the DC simply does not work.
>> Thanks again. Please could you give real hands on reasons that those of
>> us who are not developers would understand?
>> What you are saying is very worrying for us. In 8 months of production
>> with Samba4 and sssd throughout the domain we have never had the
>> slightest problem with the latter. Are we ever likely to see what you
>> are mentioning as an error which would bring us to a standstill or slow
>> us down? That sssd does not do something in the same way? If not, could
>> you please tell us how we could force the error? We would then consider
>> switching to winbind.
> This very much depends on your environment and user/group
> structure. If your environment is such that sssd can do what
> you want, feel free to use it.
> Volker
Thank you very much for giving me your permission to use sssd, I didn't
actually know I needed it, or is this your way of saying 'for most
people sssd will do what is required, without the complexity of winbind'?

