[Samba] AD domain member with sssd: any downside not running winbindd?

Michael Adam obnox at samba.org
Mon Jan 27 15:02:52 MST 2014

Hi Rowland,

On 2014-01-27 at 21:11 +0000, Rowland Penny wrote:
> On 27/01/14 20:37, Andrew Bartlett wrote:
> >The key point here is *on the DC*.  On the domain member server,
> >winbindd still does all these things, just like it has for quite some
> >time.  It is more of a pain to configure than I would like, but it can
> >do it.
> >
> At last a dev that admits that winbind is a pain to configure, yes I
> know winbind can do what it is supposed to do but I personally ( I
> will say that again) I personally think that it needs to be made
> easier, does the administrator really need to think about the
> BUILTIN users for instance, could the ranges not be allocated
> automatically, in fact couldn't anything be done to make the set up
> easier.

Ok, now this is getting constructive:
I am of course happy to consider any wishes/proposals
to simplify winbindd's configuration.

I assume that the major source of grief is the id-mapping
part of winbind.

A little bit of background:
- Winbindd is very flexible and supports a big range
  of different setups regarding id-mapping.
  This does of course imply a certain complexity.
  (I agree that it is desirable to keep a default
  config very simple.)
- Some of the things are historically grown, and some
  of the complexity is currently necessary to still support
  older setups. We can't simply ditch old installations,
  even though it would be nice to, for the sake of simplicity
  of configuration.
  (Note that there are file servers with a lot of data on
   disk, including unix ids from old samba/winbind setups.
   We can't invalidate all those terabytes of data when
   updating Samba...)
- One important detail is that the idmap-config
  is not only used for the id-mappings but also
  for the group mappings: The group mapping database
  is the group equivalent of the passdb.tdb, i.e. group
  objects on the server. In particular this stores what
  windows knows as "local groups", and more specifically
  the builtin groups. For such local groups or aliases,
  samba/winbindd also needs to provide the unix part,
  in particular a unix id. This unix ID is retrieved
  from winbindd's idmap default range.
  (This may be confusing, and at some point, I would like
   to get rid of this dependency, but it is not an easy task.)
- So it is usually not merely a matter of slimming the config,
  but there is a lot of stuff depending on it.

So now concretely:

What is the point with builtin?
There is no special configuration for BUILTIN I am aware of.
But we need an allocating backend configured with a default
idmap range ("idmap config * : ..."). This is not only
needed for builtin but for all not explicitly mapped domains.
There is no automatic range for this.
(Maybe this can be changed in the future, but probably not
 completely but rather as one possible (maybe default) mode.)

So what you need to support builtins is something like this:

 idmap config * : range = 100000-199999
 idmap config * : backend = tdb

not more (backend of choice, range of choice).

Please elaborate what you would prefer instead!

Cheers - Michael
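As an added illustration of the point Michael makes about the default range (this is example code written for this page, not Samba's code and not something posted in the thread): a small checker that reads the "idmap config" lines out of an smb.conf and flags the two mistakes that most often break a domain member's id mapping, a missing default "*" backend/range (so BUILTIN and any domain without an explicit block cannot be given unix ids) and overlapping ranges between backends. The sample smb.conf below is constructed; the domain name EXAMPLE, the "rid" backend block and the range values are assumptions for the example. Samba's own syntax checker is `testparm`, which this script does not replace.

```python
import re

# Constructed smb.conf fragment for an AD domain member (sample input,
# not taken from the thread beyond the two "idmap config *" lines it quotes).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   # allocating default backend: serves BUILTIN and every domain that has
   # no explicit "idmap config <DOMAIN>" block of its own
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   # deterministic mapping for the joined domain (assumed for the example)
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-99999
"""

# "idmap config <domain> : <parameter> = <value>"; domain "*" is the default.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text):
    """Return {domain: {parameter: value}} for every 'idmap config' line.

    Comment lines ('#' or ';') are skipped. Domain names are compared
    case-insensitively (upper-cased here); '*' is kept as-is.
    """
    cfg = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, param, value = m.group(1), m.group(2).lower(), m.group(3)
        key = "*" if domain == "*" else domain.upper()
        cfg.setdefault(key, {})[param] = value
    return cfg


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); raise ValueError if malformed."""
    lo, hi = value.split("-")
    lo, hi = int(lo), int(hi)
    if lo > hi:
        raise ValueError("range low end above high end")
    return lo, hi


def check_idmap_config(cfg):
    """Return a list of problem strings; an empty list means no issue found."""
    problems = []
    default = cfg.get("*")
    if default is None or "backend" not in default or "range" not in default:
        problems.append(
            "no default 'idmap config * : backend' and 'range': BUILTIN groups "
            "and unmapped domains cannot be allocated unix ids"
        )
    ranges = []
    for domain, params in cfg.items():
        if "range" not in params:
            problems.append(f"{domain}: no range configured")
            continue
        try:
            lo, hi = parse_range(params["range"])
        except ValueError:
            problems.append(f"{domain}: malformed range {params['range']!r}")
            continue
        ranges.append((domain, lo, hi))
    # Sort by low end; any neighbour whose low end falls inside the previous
    # range overlaps it, and winbindd rejects overlapping idmap ranges.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    found = check_idmap_config(parse_idmap_config(SAMPLE_SMB_CONF))
    print("\n".join(found) if found else "idmap config looks consistent")
```

Run it against a real file by replacing SAMPLE_SMB_CONF with the contents of smb.conf; the check only looks at "idmap config" lines, so the rest of the file is ignored.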
