[Samba] sssd-ad cannot be installed with sernet samba

buhorojo buhorojo.lcb at gmail.com
Thu Apr 2 07:35:50 MDT 2015

On 02/04/15 14:56, Rowland Penny wrote:
> On 02/04/15 13:38, buhorojo wrote:
>> On 02/04/15 14:09, Rowland Penny wrote:
>>> On 02/04/15 12:41, buhorojo wrote:
>>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>>>>>>>>> nss/winbind does work, yes, there is 1 missing file, just 
>>>>>>>>>>> created it.
>>>>>>>>>>> ( and this is not needed on a DC ! )
>>>>>>>>>> So you are telling us that something that returns:
>>>>>>>>>> /bin/false
>>>>>>>>>>  when:
>>>>>>>>>> /bin/bash
>>>>> WHERE is the output from getent wrong ?
>>>> Please read the thread. One example is given above.
>>>> Thanks. It really doesn't matter;)
>>> OK, I have re-read the thread, I cannot find one example of the 
>>> errors you get when using samba with the winbind backend, loads of 
>>> errors when trying to install sssd with sernet packages, but no 
>>> actual winbind errors.
>> Once again:
>> winbind gives /bin/false
>> sssd gives /bin/bash
>> The user has:
>> loginShell: /bin/bash
>> If it doesn't matter for you, don't worry!
> That is *NOT* an error, that is the way the winbind built into the 
> samba daemon works, it does not pull anything else from AD other than 
> the user's uidNumber and the gidNumber of their primary group.
> There is a work round involving the 'template' directories that can be 
> set in smb.conf, these affect everybody that connects to the machine 
> it is set on, per user settings cannot be set.
> It is one of the reasons against using the DC as a file server, but 
> there are others. People have complained about the hard drive filling 
> up until the DC is restarted, there have also been problems with 
> excessive use of memory.
> I will put it this way, which part of the following statement do you 
> not understand ?
> *We _do not recommend_ using the Domain Controller as a file Server*.

We run scripts which require accurate nss information. So, no worries. 
On our machines, sssd works fine. winbind doesn't.

Rowland, wasn't it you who asked the developers how much work it would 
cost them to (to use your term) 'pull' unixHomeDirectory and loginShell 
from AD using winbind? You seemed misled that it was to be made 
available in the next version. It seems that the developers themselves 
regretted that it wouldn't be.
