[Samba] AD domain member with sssd: any downside not running winbindd?
obnox at samba.org
Mon Jan 27 15:02:52 MST 2014
On 2014-01-27 at 21:11 +0000, Rowland Penny wrote:
> On 27/01/14 20:37, Andrew Bartlett wrote:
> > The key point here is *on the DC*. On the domain member server,
> > winbindd still does all these things, just like it has for quite some
> > time. It is more of a pain to configure than I would like, but it can
> > do it.
>
> At last a dev that admits that winbind is a pain to configure, yes I
> know winbind can do what it is supposed to do but I personally (I
> will say that again) I personally think that it needs to be made
> easier, does the administrator really need to think about the
> BUILTIN users for instance, could the ranges not be allocated
> automatically, in fact couldn't anything be done to make the set up
Ok, now this is getting constructive:

I am of course happy to consider any wishes/proposals
to simplify winbindd's configuration.

I assume that the major source of grief is the id-mapping
part of winbind.

A little bit of background:

- Winbindd is very flexible and supports a big range
  of different setups regarding id-mapping.
  This does of course imply a certain complexity.
  (I agree that it is desirable to keep a default
  config very simple.)

- Some of the things are historically grown, and some
  of the complexity is currently necessary to still support
  older setups. We can't simply ditch old installations,
  even though it would be nice to, for the sake of simplicity
  (Note that there are file servers with a lot of data on
  disk, including unix ids from old samba/winbind setups.
  We can't invalidate all those terabytes of data when

- One important detail is that the idmap-config
  is not only used for the id-mappings but also
  for the group mappings: The group mapping database
  is the group equivalent of the passdb.tdb, i.e. group
  objects on the server. In particular this stores what
  windows knows as "local groups", and more specifically
  the builtin groups. For such local groups or aliases,
  samba/winbindd also needs to provide the unix part,
  in particular a unix id. This unix ID is retrieved
  from winbindd's idmap default range.
  (This may be confusing, and at some point, I would like
  to get rid of this dependency, but it is not an easy task.)

- So it is usually not merely a matter of slimming the config,
  but there is a lot of stuff depending on it.

So now concretely:

What is the point with builtin?

There is no special configuration for BUILTIN I am aware of.
But we need an allocating backend configured with a default
idmap range ("idmap config * : ..."). This is not only
needed for builtin but for all not explicitly mapped domains.
There is no automatic range for this.
(Maybe this can be changed in the future, but probably not
completely but rather as one possible (maybe default) mode.)

So what you need to support builtins is something like this:

    idmap config * : range = 100000-199999
    idmap config * : backend = tdb

not more (backend of choice, range of choice).

Please elaborate what you would prefer instead!
Cheers - Michael
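As an added illustration of the two requirements Michael describes above (a default "idmap config *" range with an allocating backend so that BUILTIN and every not-explicitly-mapped domain can get unix ids, and ranges that do not collide with each other), here is a small checker that reads the "idmap config" lines out of an smb.conf and reports what is missing or overlapping. This is example code written for this page, not part of the thread or of Samba's own tooling; the embedded smb.conf (domain SAMDOM, realm SAMDOM.EXAMPLE.COM, the two ranges) is a constructed sample chosen so that the explicit domain range overlaps the default one.

```python
"""Sanity-check winbindd idmap configuration in an smb.conf.

Example code for this page (not Samba's). It extracts every
'idmap config <domain> : <key> = <value>' line and checks:
  * a default ('*') domain with both a range and a backend exists,
  * every configured domain has a range,
  * no two ranges overlap.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf: the SAMDOM range overlaps the default range.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   # default allocating backend: used for BUILTIN and any unmapped domain
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999

   # explicit mapping for the joined domain
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 150000-999999
"""

# 'idmap config <domain> : <key> = <value>'; smb.conf keys are case-insensitive.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every idmap config line in `text`."""
    result: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # skip blanks and comments
            continue
        m = IDMAP_RE.match(stripped)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            result.setdefault(domain, {})[key] = value
    return result


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into (low, high); reject inverted ranges."""
    lo_s, hi_s = value.replace(" ", "").split("-")
    lo, hi = int(lo_s), int(hi_s)
    if lo > hi:
        raise ValueError(f"range low end {lo} exceeds high end {hi}")
    return lo, hi


def check_idmap(config: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of human-readable problems; empty means the config passes."""
    problems: List[str] = []
    default = config.get("*")
    if default is None or "range" not in default:
        problems.append("no 'idmap config * : range' - BUILTIN and unmapped "
                        "domains cannot be given unix ids")
    elif "backend" not in default:
        problems.append("'idmap config *' has a range but no backend")

    ranges: List[Tuple[str, int, int]] = []
    for domain, settings in config.items():
        if "range" not in settings:
            problems.append(f"'idmap config {domain}' has no range")
            continue
        try:
            ranges.append((domain, *parse_range(settings["range"])))
        except ValueError as exc:
            problems.append(f"'idmap config {domain}': bad range "
                            f"{settings['range']!r} ({exc})")

    # Sort by low end; adjacent ranges overlap if the next starts before this ends.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for problem in check_idmap(parse_idmap_config(SAMPLE_SMB_CONF)) or ["ok"]:
        print(problem)
```

Run against the sample it reports the single overlap between the "*" and SAMDOM ranges; fix the SAMDOM range to start above 199999 and it reports nothing. The checker only looks at the idmap lines, so Samba's testparm remains the tool for validating the rest of smb.conf.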