[Samba] AD domain member with sssd: any downside not running winbindd?

Michael Adam obnox at samba.org
Tue Jan 28 02:19:20 MST 2014

On 2014-01-28 at 08:39 +0100, steve wrote:
> On Tue, 2014-01-28 at 09:37 +1300, Andrew Bartlett wrote:
> > 
> > The key point here is *on the DC*.  On the domain member server,
> > winbindd still does all these things, just like it has for quite some
> > time.  It is more of a pain to configure than I would like, but it can
> > do it.
> > 
> > Andrew Bartlett
> > 
> Thank you. Common sense comments from a developer. Summary:
> 1. On the DC it doesn't work.

On the DC you don't need it:
A Samba AD/DC has its limited built-in winbind task
which is going to be replaced by the superior
winbindd at least when we are starting to support
trusted domains.

It is also correct that you currently can't run the
separate winbindd daemon together with the AD/DC's
built-in winbind.

But if you plug anything other than winbind into nsswitch
on a Samba AD/DC, particularly anything that does
id mapping differently, then I guess you'll end up
in trouble since the shell will have a different notion
of which UID belongs to a user than Samba has...

So why do you really want or need to use something else
than winbind in nsswitch on the AD/DC?

> 2. It is a pain to configure.

I suggest you increase your semantic precision:
It is _more_ of a pain than Andrew would _like_ - this is
something different. Please don't quote people for things they
did not say. (If you are a journalist or a politician of course,
and not a tech guy, a faux pas like this might be excusable.)

Winbind is not a pain to configure.
Its flexibility implies a certain potential complexity
in its configuration. But if you read the manual pages,
(and take it literally...) you'll be able to set it up.

If you have concrete questions or wishes/suggestions
for improvement (instead of simply ranting generally
about winbindd's inabilities), I'll be more than happy
to comment and fix things.

Cheers - Michael
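
Added example, not part of the message above or of Samba: a shell check for the id-mapping mismatch the message warns about, reporting accounts whose UID differs between what nsswitch returns and what Samba's winbind reports. It assumes both views are available as passwd-format listings (on a live system they could be collected with `getent passwd USER` and `wbinfo -i USER`); the function names, the name normalization and the sample data are constructed for illustration.

```shell
#!/bin/sh
# uid_mismatches NSS_FILE SAMBA_FILE
# Both files hold passwd-format lines (name:pw:uid:gid:gecos:home:shell).
# Prints one line per account whose UID differs between the two views.
uid_mismatches() {
    awk -F: '
        # Assumption: "DOMAIN\user" and "user@domain" name the same account,
        # so both are reduced to a bare lower-case user name before comparing.
        function bare(n) { sub(/^.*\\/, "", n); sub(/@.*$/, "", n); return tolower(n) }
        FILENAME == ARGV[1] { nss[bare($1)] = $3; next }   # UID as NSS sees it
        { u = bare($1) }
        (u in nss) && nss[u] != $3 {                       # same user, other UID
            printf "%s nss=%s samba=%s\n", u, nss[u], $3
        }
    ' "$1" "$2"
}

# Constructed sample data, not taken from a real system.
sample_nss() {      # what a non-winbind NSS module might return
cat <<'EOF'
alice@example.com:*:1104201105:1104200513:Alice:/home/alice:/bin/bash
bob@example.com:*:1104201106:1104200513:Bob:/home/bob:/bin/bash
EOF
}
sample_samba() {    # what Samba's winbind reports for the same accounts
cat <<'EOF'
EXAMPLE\alice:*:3000017:100:Alice:/home/EXAMPLE/alice:/bin/false
EXAMPLE\bob:*:1104201106:100:Bob:/home/EXAMPLE/bob:/bin/false
EOF
}

# Run the comparison over the constructed samples.
check_samples() {
    d=$(mktemp -d) || return 1
    sample_nss > "$d/nss"
    sample_samba > "$d/samba"
    uid_mismatches "$d/nss" "$d/samba"
    rm -rf "$d"
}

check_samples
```

Any line of output marks an account for which file ownership seen from the shell and ownership as Samba records it would disagree.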