[Samba] Manage unix users from AD

Márcio Merlone marcio.merlone at a1.ind.br
Tue Jan 28 04:22:36 MST 2014


Starting a fresh new thread, the ones about sssd x winbind are getting 
boring, biased and personal. :) I'd like to bring this to an admin 
point-of-view to be more useful for other Samba users (aka admins).

Consider a network with about 200+ employees, most of them Windows users. 
It happens that one needs to provide other non-Windows services like e-mail, 
proxy and many others to them, running on other Linux servers. So, for 
many of those users (not all) rfc2307 Windows Services for Unix (SFU) 
attributes are needed, to make postfix, dovecot, apache, squid and 
others aware of them too.

As far as I know there are 4 possible solutions:

* Internal samba winbind
* Winbind daemon
* sssd
* nss_ldap

Which of these would bring my rfc2307 users with all their attributes 
defined on SFU, *and only those users*, to my Linux system? If I create 
a user _without_ rfc2307, it means I don't want Linux to know about him. If I 
define a user with /bin/false as shell on SFU, bring that to Linux. 
That's it. As an admin, I don't care about idmapping, I already defined 
a uidNumber (or whatever AD attribute is used to store it) for the user, 
just use it.

Also, to ease the discussion about those solutions, how about someone 
with knowledge of their internal mechanics sketch a feature matrix 
comparing those, listing advantages and drawbacks? I understand Samba 
team will always recommend winbind over others, but get the difference:

a - Samba team does not recommend other solutions.
b - Samba team recommends not using other solutions.

I believe (a) is true, which does not disregard others.

Best regards.

*Marcio Merlone*
IT - Network administrator

*A1 Engenharia - Corporate Unit*
Phone: 	+55 41 3616-3797
Mobile: 	+55 41 9689-0036

http://www.a1.ind.br/
