[Samba] design question for small environment

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Sep 12 18:38:33 UTC 2018


Presumably the unix servers are sharing network shares via samba but not
NFS. If you aren't using NFS and if regular users don't need to ssh
or sftp into the server then winbind is probably sufficient. My
environment has a mix of unix and windows clients and servers, so getting
uidNumbers and gidNumbers consistent across machines and OSes is
critical, so winbind alone was not sufficient.



If you look at /etc/nsswitch.conf on linux systems you will see entries 
like


passwd:         compat sss
group:          compat sss




sss (sssd) is the preferred solution for most network authentication.
sssd can be configured to work with AD, LDAP, Kerberos, and (I think)
winbind.

I think the major advantage of sssd is that if you are looking through
linux documentation and help forums the examples will assume
sssd.conf. sssd allows for password caching, which is really more
useful on a workstation than a server. And you have a lot of
flexibility with configuring AD parameters (search paths, proxy accounts).


I don't think samba uses pam, so nsswitch.conf will need to point to
winbind (either directly or via sssd). SSH server has several
authentication mechanisms: it checks for kerberos credentials, then it
checks pam, and then pam would check unix authentication (i.e.
nsswitch.conf).




On 09/12/18 14:01, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 13:33:15 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> Are the unix servers running linux (I know some people wouldn't call
>> that real unix) or a "real" unix like Solaris ?
>>
>> Linux has sssd which can make things simpler.
> Just how does sssd make thing simpler ?
> Properly set up, winbind can do the same authentication that sssd can.
> Or are you thinking of sudo ?, well sudo itself can talk to AD, or what
> about autofs ? again this can talk to AD. No, you do not need the
> red-hat tools at all.
>
>> In either case you probably need a proxy account for the unix system
>> to retrieve user and group info (not passwords) via LDAP.
> No, you just need to set up pam correctly, which is easy on debian,
> just install libpam_krb5
>
> Rowland
>
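As an added example (not part of this thread, and not Samba's or sssd's own tooling), the two checks the discussion above implies: which sources nsswitch.conf actually hands the passwd and group databases to (compat plus sss or winbind), and whether a user's uidNumber/gidNumber resolves identically on two hosts. The nsswitch.conf text and the two `getent passwd` outputs are constructed samples embedded in the script; on real machines you would feed in /etc/nsswitch.conf and `getent passwd <user>` from each host instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks that NSS is
# directory-backed and that uid/gid numbers agree between two hosts.

# Constructed sample nsswitch.conf for a host that resolves AD users via
# winbind (the "compat sss" lines from the mail would list sss instead).
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF
}

# nss_sources DB: read nsswitch text on stdin, print the sources for DB
# (e.g. "compat winbind"), skipping comment lines.
nss_sources() {
    awk -v db="$1" '
        BEGIN { key = db ":" }
        /^[[:space:]]*#/ { next }
        $1 == key {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }'
}

# directory_backed DB: exit 0 if DB is served by sss or winbind, 1 otherwise.
directory_backed() {
    nss_sources "$1" | grep -qE '(^|[[:space:]])(sss|winbind)([[:space:]]|$)'
}

# Constructed "getent passwd" output as gathered from two hosts. On host_b
# asmith was created locally with a different uid/gid, the situation the
# mail warns about when file ownership must match across machines.
host_a_passwd() {
    cat <<'EOF'
jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash
asmith:*:10002:10000:Alice Smith:/home/asmith:/bin/bash
EOF
}
host_b_passwd() {
    cat <<'EOF'
jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash
asmith:*:1777:1777:Alice Smith:/home/asmith:/bin/bash
EOF
}

# uid_mismatches FILE_A FILE_B: print users present in both passwd-format
# files whose uid:gid pair differs between them.
uid_mismatches() {
    awk -F: '
        NR == FNR { a[$1] = $3 ":" $4; next }
        ($1 in a) && a[$1] != ($3 ":" $4) {
            print $1, "host_a=" a[$1], "host_b=" $3 ":" $4
        }' "$1" "$2"
}

# Stand-alone demonstration on the constructed samples.
main_demo() {
    a=$(mktemp); b=$(mktemp)
    host_a_passwd > "$a"; host_b_passwd > "$b"
    for db in passwd group shadow; do
        if sample_nsswitch | directory_backed "$db"; then
            echo "$db: directory-backed ($(sample_nsswitch | nss_sources "$db"))"
        else
            echo "$db: local only ($(sample_nsswitch | nss_sources "$db"))"
        fi
    done
    echo "uid/gid mismatches between hosts:"
    uid_mismatches "$a" "$b"
    rm -f "$a" "$b"
}
main_demo
```

The nsswitch check only tells you the lookup is routed to a directory source; it says nothing about whether the ids it returns are the same everywhere. winbind's autorid/rid backends or sssd's id mapping derive uids from SIDs, so two hosts using different mapping settings (or one still holding a locally created account, as asmith above) will disagree, which is exactly the comparison the second function performs.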