[Samba] Samba4 DC winbind or sssd
sven.schwedas at tao.at
Mon Jul 28 09:20:54 MDT 2014
You should think hard whether you *really* want it in the first place,
but if you have to allow users to forkbomb your DC, do it via sssd.
On 2014-07-28 17:15, Caleb O'Connell wrote:
> So, if I want local accounts on the DC from Active Directory, it's
> recommended at this point to use sssd?
> Sven Schwedas wrote:
>> On 2014-07-28 16:54, Caleb O'Connell wrote:
>>> I have a samba4 Domain Controller, there are no other samba4 domain
>>> member servers in the network, there is one other samba 3 member server
>>> in the network.
>>> I've set up the DC with:
>>> idmap_ldb:use rfc2307 = yes
>>> On the samba4, do we use the idmap attributes?
>>> # idmap config * : backend = tdb
>>> # idmap config * : range = 70001-999999
>>> # idmap config IAPP : backend = ad
>>> # idmap config IAPP : schema_mode = rfc2307
>>> # idmap config IAPP : range = 10000-70000
>>> # winbind nss info = rfc2307
>>> # winbind trusted domains only = no
>>> # winbind use default domain = Yes
>>> # winbind enum users = Yes
>>> # winbind enum groups = Yes
>>> # winbind refresh tickets = yes
>>> # winbind nested groups = Yes
>>> Is this only a member server thing? The samba 3 server is using this and
>>> works well. In my reading it sounds like samba4 does not support this on
>>> the DC.
>>> Is it recommended to use sssd on the DC for local accounts from AD?
>> It is generally recommended to not use either on a DC and use it just to
>> authenticate other nodes.
>> That said, winbind is broken on s4 dcs, sssd isn't. (Or rather,
>> s4-winbind is woefully incomplete in comparison to the already quite
>> limited s3-winbind, while sssd, being independently developed, works the
>> same with either).
Mit freundlichen Grüßen, / Best Regards,
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167