[Samba] Samba4 DC winbind or sssd

Sven Schwedas sven.schwedas at tao.at
Mon Jul 28 09:20:54 MDT 2014


You should think hard whether you *really* want it in the first place,
but if you have to allow users to forkbomb your DC, do it via sssd.

On 2014-07-28 17:15, Caleb O'Connell wrote:
> So, if I want local accounts on the DC from Active Directory, it's 
> recommended at this point to use sssd?  
> 
> 
> Sven Schwedas wrote:
> 
>> On 2014-07-28 16:54, Caleb O'Connell wrote:
>>> I have a samba4 Domain Controller, there are no other samba4 domain
>>> member servers in the network, there is one other samba 3 member server
>>> in the network.
>>> I've setup the DC with:
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> On the samba4, do we use the idmap attributes?
>>>
>>> #       idmap config * : backend = tdb
>>> #       idmap config * : range = 70001-999999
>>> #       idmap config IAPP : backend = ad
>>> #       idmap config IAPP : schema_mode = rfc2307
>>> #       idmap config IAPP : range = 10000-70000
>>> #       winbind nss info = rfc2307
>>> #       winbind trusted domains only = no
>>> #       winbind use default domain = Yes
>>> #       winbind enum users = Yes
>>> #       winbind enum groups = Yes
>>> #       winbind refresh tickets = yes
>>> #       winbind nested groups = Yes
>>>
>>>
>>> Is this only a member server thing?  The samba 3 server is using this and
>>> it works well.  In my reading it sounds like samba4 does not support this
>>> on the DC.
>>>
>>> Is it recommended to use sssd on the DC for local accounts from AD?
>>
>> It is generally recommended to not use either on a DC and use it just to
>> authenticate other nodes.
>>
>> That said, winbind is broken on s4 dcs, sssd isn't. (Or rather,
>> s4-winbind is woefully incomplete in comparison to the already quite
>> limited s3-winbind, while sssd, being independently developed, works the
>> same with either).
>>

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
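The idmap block Caleb quoted is a member-server configuration, and the one thing that routinely goes wrong with it is the numbering: the per-domain `range` and the `*` default `range` must be disjoint, or winbind cannot map a UID/GID back to a single SID. The following added example (not code from the thread or from the Samba project) parses `idmap config` lines from an smb.conf fragment and reports missing backends, missing or inverted ranges and overlapping ranges. The two embedded configs are constructed: the first is the thread's block with the leading `#` removed, the second is the same block with the default range widened so it collides with `IAPP`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the member-server idmap lines quoted in the thread, with the
# leading '#' removed so they are active settings.
SAMPLE_SMB_CONF = """\
[global]
        idmap config * : backend = tdb
        idmap config * : range = 70001-999999
        idmap config IAPP : backend = ad
        idmap config IAPP : schema_mode = rfc2307
        idmap config IAPP : range = 10000-70000
        winbind nss info = rfc2307
"""

# Constructed counter-example: the default range was widened so it overlaps IAPP.
OVERLAPPING_SMB_CONF = """\
[global]
        idmap config * : backend = tdb
        idmap config * : range = 10000-999999
        idmap config IAPP : backend = ad
        idmap config IAPP : range = 10000-70000
"""

IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <key> = <value>' settings per domain.

    Lines beginning with '#' or ';' are smb.conf comments and are skipped, so the
    commented-out block from the original mail would parse to no settings at all.
    """
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'low-high' into a (low, high) tuple; raises ValueError on bad syntax."""
    low, high = (int(part) for part in value.split("-", 1))
    return low, high


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the idmap config is consistent."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain: unknown SIDs cannot be allocated")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, settings in domains.items():
        if "backend" not in settings:
            problems.append(f"{dom}: missing backend")
        if "range" not in settings:
            problems.append(f"{dom}: missing range")
            continue
        try:
            low, high = parse_range(settings["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {settings['range']!r}")
            continue
        if low > high:
            problems.append(f"{dom}: range low {low} exceeds high {high}")
            continue
        ranges[dom] = (low, high)
    # Every pair of domain ranges must be disjoint: if two backends own the same
    # UID/GID number, the reverse mapping from that number to a SID is ambiguous.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges of {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("thread sample", SAMPLE_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        found = check_idmap(parse_idmap(conf))
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run against a real smb.conf by reading the file into `parse_idmap`; the check only covers the idmap numbering, it says nothing about whether winbind itself is usable on the host, which on a Samba 4 DC is exactly the limitation the reply above describes.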
