[Samba] samba4 and sssd and user mapping

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 13:24:05 MST 2014


On 27/01/14 19:50, Volker Lendecke wrote:
> On Mon, Jan 27, 2014 at 06:56:51PM +0100, steve wrote:
>> On Mon, 2014-01-27 at 15:39 +0100, Volker Lendecke wrote:
>>> On Mon, Jan 27, 2014 at 02:26:17PM +0000, Rowland Penny wrote:
>>>>> you are talking about completely different setups here. A smbd
>>>>> file/print server does not use pam at all.
>>>> So how does smbd get its authentication then in an AD domain?
>>> Look at "wbinfo -a". This exactly simulates what smbd is
>>> doing. Forward the authentication credentials to AD.
>>> Alternatively, if kerberos is used, smbd and winbind
>>> communicate via the netsamlogon_cache.tdb. smbd puts the
>>> windows authorization information into that file, winbind
>>> then retrieves it from there when nss information is being
>>> asked for. I'm not sure sssd does that the same way.
>>>
>>> Volker
>>>
>> Well, thanks. But no thanks. That's not enough to convince us to even
>> think about winbind as a substitute for sssd on our 600 user 80 machine
>> domain, especially since winbind on the DC simply does not work.
>> Thanks again. Please could you give real hands-on reasons that those of
>> us who are not developers would understand?
>>
>> What you are saying is very worrying for us. In 8 months of production
>> with Samba4 and sssd throughout the domain we have never had the
>> slightest problem with the latter. Are we ever likely to see what you
>> are mentioning as an error which would bring us to a standstill or slow
>> us down? That sssd does not do something in the same way? If not, could
>> you please tell us how we could force the error? We would then consider
>> switching to winbind.
> This very much depends on your environment and user/group
> structure. If your environment is such that sssd can do what
> you want, feel free to use it.
>
> Volker
>
Thank you very much for giving me your permission to use sssd, I didn't
actually know I needed it, or is this your way of saying 'for most
people sssd will do what is required, without the complexity of winbind'?

Rowland
