[Samba] Samba4 DC winbind or sssd
Caleb O'Connell
caleb at privacyassociation.org
Mon Jul 28 09:15:51 MDT 2014
So, if I want local accounts on the DC from Active Directory, it's
recommended at this point to use sssd?
Sven Schwedas wrote:
> On 2014-07-28 16:54, Caleb O'Connell wrote:
>> I have a samba4 Domain Controller, there are no other samba4 domain
>> member servers in the network, there is one other samba 3 member server
>> in the network.
>> I've set up the DC with:
>> idmap_ldb:use rfc2307 = yes
>>
>> On the samba4, do we use the idmap attributes?
>>
>> # idmap config * : backend = tdb
>> # idmap config * : range = 70001-999999
>> # idmap config IAPP : backend = ad
>> # idmap config IAPP : schema_mode = rfc2307
>> # idmap config IAPP : range = 10000-70000
>> # winbind nss info = rfc2307
>> # winbind trusted domains only = no
>> # winbind use default domain = Yes
>> # winbind enum users = Yes
>> # winbind enum groups = Yes
>> # winbind refresh tickets = yes
>> # winbind nested groups = Yes
>>
>>
>> Is this only a member server thing? The samba 3 server is using this and it
>> works well. In my reading it sounds like samba4 does not support this on
>> the DC.
>>
>> Is it recommended to use sssd on the DC for local accounts from AD?
>
> It is generally recommended to not use either on a DC and use it just to
> authenticate other nodes.
>
> That said, winbind is broken on s4 dcs, sssd isn't. (Or rather,
> s4-winbind is woefully incomplete in comparison to the already quite
> limited s3-winbind, while sssd, being independently developed, works the
> same with either).
>
--
Caleb O'Connell CIPP/US, CIPP/IT | Systems Administrator
IAPP | International Association of Privacy Professionals
Pease International Tradeport
75 Rochester Ave., Suite 4 | Portsmouth, NH 03801 USA
+1.603.427.9200 | Fax: +1.603.427.9249
caleb at privacyassociation.org | www.privacyassociation.org