[Samba] please confirm: sssd not a good idea :)

Rowland penny rpenny at samba.org
Mon Jun 10 14:51:07 UTC 2019

On 08/06/2019 21:32, Rowland penny via samba wrote:
> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>> Hi all,
>> when you join a linux server to an active directory with "realm" it 
>> uses "sssd" as default. This works well as long as you just want to 
>> be a simple domain member.
>> As soon as you want a real member server, with acls for example, you 
>> need winbind instead of sssd. You can't even connect to or configure 
>> your server with "net rpc" without using winbind, right?
>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain 
>> member needs winbind anyway.
>> Could you please confirm that I finally got it right and that the use 
>> of "sssd" should be avoided except for basic authentication and that 
>> for serious samba servers "winbind" is the only (correct and 
>> supported) way to go?
>> thank you,
>> Uwe
> I never said that you should avoid sssd, I said that Samba does not 
> support it because we do not produce it and that it does very little 
> that winbind doesn't.
> sssd is supported by the sssd-users mailing list and if you need help 
> with sssd, that is where to address any problems to.
> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. 
> You are also correct that on a Unix domain member you need to have 
> winbind running, so you might as well use it ;-)
> Rowland
As an update to this, I have found out that even Red-hat doesn't support 
using sssd with Samba:


Under section 16.1.1 The  Samba services , there is this:

Red Hat only supports running Samba as a server with the winbindd 
service to provide domain users and groups to the local system. Due to 
certain limitations, such as missing Windows access control list (ACL) 
support and NT LAN Manager (NTLM) fallback, the System Security Services 
Daemon (SSSD) is not supported.


More information about the samba mailing list