[Samba] design question for small environment

Rowland Penny rpenny at samba.org
Wed Sep 12 19:14:18 UTC 2018


On Wed, 12 Sep 2018 14:38:33 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> Presumably the unix servers are sharing network shares via samba but
> not NFS.      If you aren't using NFS and if regular users don't need
> to ssh or sftp into the server then winbind is probably
> sufficient.  

It is more than sufficient, it just works, even with ssh & sftp.

> My environment has a mix of unix and windows clients
> and servers so getting uidNumbers and gidNumbers consistent across
> machines and OSes is critical, so winbind alone was not sufficient.

You evidently didn't have the smb.conf set up correctly.

>
> If you look at /etc/nsswitch.conf on linux systems you will see
> entries like
> 
> 
> passwd:         compat sss
> group:          compat sss

You can also find:

passwd:	compat winbind
group:	compat winbind
>
> sss (sssd) is the preferred solution for most network
> authentication. sssd can be configured to work with AD, LDAP,
> Kerberos, and (I think) winbind.

It is the preferred solution for you, but it isn't actually needed,
winbind can work with AD, ldap and kerberos. It might interest you to
know that sssd can work with winbind, this is mostly because it uses a
version of a winbind lib.

> 
> I think the major advantage of sssd is that if you are looking thru
> linux documentation and help forums the examples will assume
> sssd.conf.

Not round here you won't.

>    sssd allows for password caching which is really more 
> useful on a workstation than a server. 

Funnily enough and guess what, winbind can do this.

> And you have a lot of 
> flexibility with configuring AD parameters (search paths, proxy
> accounts.)

That has nothing to do with sssd and a lot to do with AD.

> 
> I don't think samba uses pam so nsswitch.conf will need to point to 
> winbind (either directly or via sssd.)

Oh damn, I will have to remove all traces of pam and winbind, and then
install sssd. No wait, why bother, Samba does use PAM.

> SSH server has several
> authentication mechanisms - it checks for kerberos credentials, then
> it checks pam, and then pam would check unix authentication (i.e.
> nsswitch.conf.)

This, again, will work with winbind.

Bottom line is, you can really only make a case for sssd on a DC and
even there, I would use nslcd instead, a lightweight solution that
doesn't duplicate what is already there.

Rowland
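Added example, not part of the thread or of Samba's own code: the point of contention above is whether winbind alone can give consistent uidNumbers and gidNumbers across machines. It can, when smb.conf uses the idmap_rid backend for the domain, because idmap_rid derives the unix id arithmetically from the SID's RID (ID = RID - BASE_RID + LOW_RANGE_ID, per idmap_rid(8)) instead of allocating it in first-seen order the way the tdb backend does. The script below parses a constructed smb.conf fragment, applies that formula, and contrasts it with a simulation of tdb-style allocation. The domain name, SIDs and ranges are made-up sample values.

```python
"""
Added example (not from the thread): idmap_rid makes winbind's SID -> uid/gid
mapping deterministic, so hosts with identical idmap settings agree on ids.
Formula from idmap_rid(8):  ID = RID - BASE_RID + LOW_RANGE_ID
All config values, domain names and SIDs here are constructed samples.
"""
import configparser
from typing import Dict, List, Optional

# Constructed smb.conf fragment for a winbind domain member (sample values).
# The '*' domain covers BUILTIN and unknown SIDs; the named domain uses "rid".
SMB_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed domain SID for the sample SAMDOM domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def load_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <DOMAIN> : <option>' lines as {domain: {option: value}}."""
    # Only '=' separates key from value: the option names themselves contain ':'.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep the domain name's case
    parser.read_string(conf_text)
    idmap: Dict[str, Dict[str, str]] = {}
    for key, value in parser["global"].items():
        if not key.startswith("idmap config"):
            continue
        left, option = key.split(":", 1)
        domain = left[len("idmap config"):].strip()
        idmap.setdefault(domain, {})[option.strip()] = value.strip()
    return idmap


def rid_to_id(sid: str, domain_sid: str, domain_cfg: Dict[str, str]) -> Optional[int]:
    """Apply the idmap_rid formula; return None where winbind would refuse to map."""
    if domain_cfg.get("backend") != "rid":
        return None
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid or not rid_text.isdigit():
        return None  # SID from another domain, or malformed
    rid = int(rid_text)
    low, high = (int(x) for x in domain_cfg["range"].split("-"))
    base_rid = int(domain_cfg.get("base_rid", "0"))
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # falls outside the configured range: mapping fails
    return unix_id


def ids_across_hosts(sid: str, host_confs: List[str]) -> List[Optional[int]]:
    """Map one SID on several hosts, each with its own smb.conf text."""
    return [rid_to_id(sid, DOMAIN_SID, load_idmap(conf)["SAMDOM"]) for conf in host_confs]


def tdb_allocate(sids_in_order: List[str], low: int) -> Dict[str, int]:
    """Simulate the tdb backend: ids are handed out sequentially in the order a
    host first sees each SID, so hosts that meet users in a different order
    end up with different numbers for the same account."""
    table: Dict[str, int] = {}
    next_id = low
    for sid in sids_in_order:
        if sid not in table:
            table[sid] = next_id
            next_id += 1
    return table


if __name__ == "__main__":
    alice, bob = DOMAIN_SID + "-1106", DOMAIN_SID + "-1107"
    print("rid backend, two hosts:", ids_across_hosts(alice, [SMB_CONF, SMB_CONF]))
    print("tdb host A:", tdb_allocate([alice, bob], 3000))
    print("tdb host B:", tdb_allocate([bob, alice], 3000))
    print("foreign SID:", rid_to_id("S-1-5-21-9-9-9-1106", DOMAIN_SID, load_idmap(SMB_CONF)["SAMDOM"]))
```

The check a practitioner wants is the last two prints: with the rid backend every host computes 11106 for the same account, whereas the tdb simulation gives that account 3000 on one host and 3001 on another. The same arithmetic applies to group SIDs, so gidNumbers line up as well, without any uidNumber/gidNumber attributes in AD.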
