[Samba] rid mapping works on member server but not DC

Jonathan Hunter jmhunter1 at gmail.com
Sun Apr 12 11:08:53 MDT 2015

On 12 April 2015 at 14:34, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> - perhaps use sssd? (which I haven't yet investigated, to be honest)
> You could try sssd, this has a backend like the winbind backend and will
> also work on the DC (well it did the last time I tried it, which was some
> time ago) .

Thanks! I'm looking at
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server at
the moment. Looks like I can either use 'net join ...' (which I
suspect won't work when I'm running it from my DC already, with its
existing DC role smb.conf), or manually grab a Kerberos ticket

One of the steps for that is ''ktpass /princ host/..." but I'm not
sure if running that will affect the functionality of my existing DC.
Do you remember what steps you used when you tried last? I can't
immediately find any info from other folks who may already be running
sssd on a Samba DC :(

>> I was reluctant to go down the 'ad' backend route simply because from
>> what I can see, there is then the risk of a Windows admin for any part
>> of the AD tree being able to 'impersonate' any UNIX user by simply
>> [...]
> All things come with risks, do you really not trust your co-workers ?? Also
> there are probably easier ways of getting access to users data.

More that somebody from one part of the organisation could interfere
with another part of the organisation via AD (which wouldn't be the
same using algorithmic RID). That's a separate question though, and
I'm happy to believe that I am over-thinking!

Thanks :)


"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

More information about the samba mailing list