[Samba] idmap & migration to rfc2307

Michael Adam obnox at samba.org
Sun Nov 8 10:59:46 UTC 2015

On 2015-11-08 at 11:47 +0100, buhorojo wrote:
> On 08/11/15 00:32, Michael Adam wrote:
> >On 2015-11-07 at 23:51 +0100, buhorojo wrote:
> >>On 07/11/15 23:20, Rowland Penny wrote:
> >>>you would need the RFC2307 attributes, something that doesn't happen on
> >>>the DC at present.
> >>rfc2307 attributes are a reality on DCs and have been ever since their
> >>introduction. You just don't use winbind to access them.
> >You don't have a choice inside the samba server.
> >Winbind is used there.
> >
> >You can use sssd in nsswitch if you want to
> >create a potentially inconsistent setup.
> >It is your call...
> >
> >:-)
> >
> >Michael
> Hi
> If you're having trouble with inconsistent ids on DCs running sssd, you must
> have found a bug. We're not sure whether it's different elsewhere but there
> are guidelines for reporting sssd bugs here:
> https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
> Thank you

I don't have trouble with sssd. (I don't use it. :-)
I also don't say that sssd produces inconsistent ids itself.
But there is a conceptual problem in your setup
(I can only try to make my above statements more clear):

Samba internally uses winbind for id mapping.
So by putting sssd into nsswitch you create a
system that is a priori potentially inconsistent
because sssd and winbindd do not necessarily
do ID-mapping the same way.

(It would be inconsistent in that nsswitch (shell access)
might produce different IDs for a user than samba would use
for the same user.)

Does that make it more clear for you?

Also, at this time, this whole mailing list is about
Samba, including winbindd. It is not about sssd.

At some point in the future, a supported setup
might be to have moved sssd and winbind closer
together. In the scenario I have in mind,
sssd would sit in nsswitch (and pam) but talk to
winbindd for id mapping and talking to the AD domain
(instead of sssd talking to AD and doing id-mapping
itself). Winbindd itself would be more simple since
it does not have to bother about nsswitch calls any more.
That would be a consistent setup. But we are not there
yet. As of today, winbind and sssd are completely separate,
and we are talking winbind here... :-)

Cheers - Michael
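The inconsistency described in this message (nsswitch handing out one uid for a user while winbindd maps the same user to another) is something an administrator can check for directly. The script below is an added example, not code from the thread or from the Samba project; it assumes getent and wbinfo are installed, and the sample passwd and wbinfo lines it uses offline are constructed.

```shell
#!/bin/sh
# Compare the uid nsswitch returns for a user with the uid winbindd maps
# for that user's SID. Both paths are what the message contrasts: nsswitch
# (whatever nsswitch.conf points at, e.g. sss) vs. winbindd's own idmap.

# uid_from_passwd_line 'name:x:uid:gid:gecos:home:shell' -> uid field
uid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sid_from_wbinfo_line 'S-1-5-21-... SID_USER (1)' -> the SID (first field)
sid_from_wbinfo_line() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# compare_uids NSS_UID WINBIND_UID -> "consistent" or "inconsistent"
# An empty value on either side counts as inconsistent (one path failed).
compare_uids() {
    if [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]; then
        echo consistent
    else
        echo inconsistent
    fi
}

# check_user USERNAME: live check on a domain member or DC.
check_user() {
    user="$1"
    nss_line=$(getent passwd "$user") || { echo "nsswitch: $user not found"; return 2; }
    nss_uid=$(uid_from_passwd_line "$nss_line")
    sid=$(sid_from_wbinfo_line "$(wbinfo -n "$user" 2>/dev/null)")
    [ -n "$sid" ] || { echo "winbind: cannot resolve $user to a SID"; return 2; }
    wb_uid=$(wbinfo -S "$sid" 2>/dev/null)
    result=$(compare_uids "$nss_uid" "$wb_uid")
    echo "$user: nsswitch uid=$nss_uid winbind uid=$wb_uid -> $result"
    [ "$result" = consistent ]
}

# demo_offline: constructed sample data, no AD needed. The nsswitch side
# returns the rfc2307 uidNumber; the winbind side is a hypothetical uid
# from a different idmap backend, so the two disagree.
demo_offline() {
    nss_uid=$(uid_from_passwd_line 'DOM\alice:*:10001:10000::/home/alice:/bin/sh')
    wb_uid=3000012   # constructed value, not a real mapping
    compare_uids "$nss_uid" "$wb_uid"
}

# Usage: ./idcheck.sh user1 [user2 ...]; exit status 1 if any user is inconsistent.
if [ $# -gt 0 ]; then
    rc=0
    for u in "$@"; do check_user "$u" || rc=1; done
    exit $rc
fi
```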