[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny241155 at gmail.com
Sun Nov 8 11:19:57 UTC 2015

On 08/11/15 10:59, Michael Adam wrote:
> On 2015-11-08 at 11:47 +0100, buhorojo wrote:
>> On 08/11/15 00:32, Michael Adam wrote:
>>> On 2015-11-07 at 23:51 +0100, buhorojo wrote:
>>>> On 07/11/15 23:20, Rowland Penny wrote:
>>>>> you would need the RFC2307 attributes, something that doesn't happen on
>>>>> the DC at present.
>>>> rfc2307 attributes are a reality on DCs and have been ever since their
>>>> introduction. You just don't use winbind to access them.
>>> You don't have a choice inside the samba server.
>>> Winbind is used there.
>>> You can use sssd in nsswitch if you want to
>>> create a potentially inconsistent setup.
>>> It is your call...
>>> :-)
>>> Michael
>> Hi
>> If you're having trouble with inconsistent ids on DCs running sssd, you must
>> have found a bug. We're not sure whether it's different elsewhere but there
>> are guidelines for reporting sssd bugs here:
>> https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs
>> Thank you
> I don't have trouble with sssd. (I don't use it. :-)
> I also don't say that sssd produces inconsistent ids itself.
> But there is a conceptual problem in your setup
> (I can only try to make my above statements more clear):
> Samba internally uses winbind for id mapping.
> So putting sssd into nsswitch you create a
> system that is a priori potentially inconsistent
> because sssd and winbindd do not necessarily
> do ID-mapping the same way.
> (It would be inconsistent in that nsswitch (shell access)
> might produce different IDs for a user than samba would use
> for the same user.)
> Does that make it more clear for you?
> Also, at this time, this whole mailing list is about
> Samba, including winbindd. It is not about sssd.
> At some point in the future, a supported setup
> might be to have moved sssd and winbind closer
> together. In the scenario I have in mind,
> sssd would sit in nsswitch (and pam) but talk to
> winbindd for id mapping and talking to the AD domain
> (instead of sssd talking to AD and doing id-mapping
> itself). Winbindd itself would be more simple since
> it does not have to bother about nsswitch calls any more.
> That would be a consistent setup. But we are not there
> yet. As of today, winbind and sssd are completely separate,
> and we are talking winbind here... :-)
> Cheers - Michael

It might also help if you read the *entire* thread; it is not Michael 
who is having the problem.
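As an added example (not part of the thread), a small POSIX shell check for the inconsistency Michael describes: it compares the uid/gid that nsswitch hands out for a user (via getent) with what winbindd hands out (via wbinfo -i). The domain SAMDOM and the user names are made up; the live check assumes wbinfo can reach a running winbindd.

```shell
#!/bin/sh
# Added example: detect the case where nsswitch (getent) and winbindd (wbinfo -i)
# map the same user to different uid/gid values.
# Both commands print passwd-style lines "name:x:uid:gid:gecos:home:shell".

# Print "uid:gid" from a passwd-style line; prints nothing if the line is malformed.
uid_gid_from_passwd_line() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 { print $3 ":" $4 }'
}

# Return 0 when both lines carry the same uid and gid, 1 otherwise.
ids_consistent() {
    nss_ids=$(uid_gid_from_passwd_line "$1")
    wb_ids=$(uid_gid_from_passwd_line "$2")
    [ -n "$nss_ids" ] && [ -n "$wb_ids" ] && [ "$nss_ids" = "$wb_ids" ]
}

# Live check for one user: needs getent plus wbinfo talking to a running winbindd.
# Returns 0 on agreement, 1 on mismatch, 2 if either source has no entry.
check_user() {
    user="$1"
    nss_line=$(getent passwd "$user") || { echo "nsswitch: no entry for $user"; return 2; }
    wb_line=$(wbinfo -i "$user") || { echo "winbind: no entry for $user"; return 2; }
    if ids_consistent "$nss_line" "$wb_line"; then
        echo "OK       $user: $(uid_gid_from_passwd_line "$nss_line")"
    else
        echo "MISMATCH $user: nsswitch=$(uid_gid_from_passwd_line "$nss_line")" \
             "winbind=$(uid_gid_from_passwd_line "$wb_line")"
        return 1
    fi
}

# Offline demonstration on constructed lines (SAMDOM and demo01 are made up):
# sssd in nsswitch hands out one uid, winbindd's idmap backend another.
demo() {
    nss='demo01:*:10000:10000:demo01:/home/demo01:/bin/bash'
    wb='SAMDOM\demo01:*:3000001:3000001:demo01:/home/SAMDOM/demo01:/bin/bash'
    if ids_consistent "$nss" "$wb"; then
        echo "demo: consistent"
    else
        echo "demo: MISMATCH nsswitch=$(uid_gid_from_passwd_line "$nss") winbind=$(uid_gid_from_passwd_line "$wb")"
    fi
}

# Usage: ./idcheck.sh user1 user2 ...   (with no arguments, run the offline demo)
if [ "$#" -gt 0 ]; then
    for u in "$@"; do check_user "$u"; done
else
    demo
fi
```

Run it against the accounts that log in over SSH on a DC that has sssd in nsswitch; any MISMATCH line is a user whose files on disk will end up owned by a different id depending on whether they came in through a shell or through Samba.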

