[Samba] samba4 and sssd and user mapping
steve at steve-ss.com
Tue Jan 28 00:33:00 MST 2014
On Mon, 2014-01-27 at 20:24 +0000, Rowland Penny wrote:
> On 27/01/14 19:50, Volker Lendecke wrote:
> > On Mon, Jan 27, 2014 at 06:56:51PM +0100, steve wrote:
> >> On Mon, 2014-01-27 at 15:39 +0100, Volker Lendecke wrote:
> >>> On Mon, Jan 27, 2014 at 02:26:17PM +0000, Rowland Penny wrote:
> >>>>> you are talking about completely different setups here. A smbd
> >>>>> file/print server does not use pam at all.
> >>>> So how does smbd get its authentication then in an AD domain?
> >>> Look at "wbinfo -a". This exactly simulates what smbd is
> >>> doing. Forward the authentication credentials to AD.
> >>> Alternatively, if kerberos is used, smbd and winbind
> >>> communicate via the netsamlogon_cache.tdb. smbd puts the
> >>> windows authorization information into that file, winbind
> >>> then retrieves it from there when nss information is being
> >>> asked for. I'm not sure sssd does that the same way.
> >>> Volker
> >> Well, thanks. But no thanks. That's not enough to convince us to even
> >> think about winbind as a substitute for sssd on our 600 user 80 machine
> >> domain, especially since winbind on the DC simply does not work.
> >> Thanks again. Please could you give real hands-on reasons that those of
> >> us who are not developers would understand?
> >> What you are saying is very worrying for us. In 8 months of production
> >> with Samba4 and sssd throughout the domain we have never had the
> >> slightest problem with the latter. Are we ever likely to see what you
> >> are mentioning as an error which would bring us to a standstill or slow
> >> us down? That sssd does not do something in the same way? If not, could
> >> you please tell us how we could force the error? We would then consider
> >> switching to winbind.
> > This very much depends on your environment and user/group
> > structure. If your environment is such that sssd can do what
> > you want, feel free to use it.
> > Volker
> Thank you very much for giving me your permission to use sssd, I didn't
> actually know I needed it, or is this your way of saying 'for most
> people sssd will do what is required, without the complexity of winbind'?
On behalf of many satisfied domain users over here in third world Spain,
may I also extend my gratitude in having permission to use sssd. I too
did not know that I needed it.