[Samba] design question for small environment
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Sep 12 18:38:33 UTC 2018
Presumably the unix servers are sharing network shares via samba but not
NFS. If you aren't using NFS and if regular users don't need to ssh
or sftp into the server then winbind is probably sufficient. My
environment has a mix of unix and windows clients and servers so getting
uidNumbers and gidNumbers consistent across machines and OS's is
critical so winbind alone was not sufficient.
If you look at /etc/nsswitch.conf on linux systems you will see entries
like
passwd: compat sss
group: compat sss
sss (sssd ) is the preferred solution for most network authentication.
sssd can be configured to work with ad, ldap, kerberos, and (i think)
winbind.
I think the major advantage of sssd is that if you are looking thru
linux documentation and help forums the examples will assume
sssd.conf. sssd allows for password caching which is really more
useful on a workstation than a server. And you have a lot of
flexibility with configuring AD parameters (search paths, proxy accounts.)
I don't think samba uses pam so nsswitch.conf will need to point to
winbind (either directly or via sssd.) SSH server has several
authentication mechanisms - it checks for kerberos credentials, then it
checks pam, and then pam would check unix authentication (ie.
nsswitch.conf.)
On 09/12/18 14:01, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 13:33:15 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> As the unix servers running linux (I know some people wouldn't call
>> that real unix) or a "real" unix like Solaris ?
>>
>> Linux has sssd which can make things simpler.
> Just how does sssd make thing simpler ?
> Properly set up, winbind can do the same authentication that sssd can.
> Or are you thinking of sudo ?, well sudo itself can talk to AD, or what
> about autofs ? again this can talk to AD. No, you do not need the
> red-hat tools at all.
>
>> In either case you probably need a proxy account for the unix system
>> to retrieve user and group info (not passwords) via LDAP.
> No, you just need to set up pam correctly, which is easy on debian,
> just install libpam_krb5
>
> Rowland
>
>
>
More information about the samba
mailing list