[Samba] please confirm: sssd not a good idea :)
vincent at cojot.name
Mon Jun 10 15:04:59 UTC 2019
There is probably some amount of red tape on this but AFAIK it works fine
for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
use of realm (and thus sssd):
Here's a RHEL7.6 client:
# realm list
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from
there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7
Regards,
Vincent
On Mon, 10 Jun 2019, Rowland penny via samba wrote:
> On 08/06/2019 21:32, Rowland penny via samba wrote:
>> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>> Hi all,
>>>
>>> when you join a linux server to an active directory with "realm" it uses
>>> "sssd" as default. This works well as long as you just want to be a
>>> simple domain member.
>>>
>>> As soon as you want a real member server, with acls for example, you need
>>> winbind instead of sssd. You can't even connect to or configure your
>>> server with "net rpc" without using winbind, right?
>>>
>>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>> needs winbind anyway.
>>>
>>> Could you please confirm that I finally got it right and that the use of
>>> "sssd" should be avoided except for basic authentication and that for
>>> serious samba servers "winbind" is the only (correct and supported) way
>>> to go?
>>>
>>> thank you,
>>> Uwe
>>>
>> I never said that you should avoid sssd, I said that Samba does not
>> support it because we do not produce it and that it does very little that
>> winbind doesn't.
>>
>> sssd is supported by the sssd-users mailing list and if you need help with
>> sssd, that is where to address any problems to.
>>
>> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
>> are also correct that on a Unix domain member you need to have winbind
>> running, so you might as well use it ;-)
>>
>> Rowland
>>
>>
> As an update to this, I have found out that even Red Hat doesn't support
> using sssd with Samba:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>
> Under section 16.1.1 The Samba services, there is this:
>
> Important
> Red Hat only supports running Samba as a server with the winbindd service to
> provide domain users and groups to the local system. Due to certain
> limitations, such as missing Windows access control list (ACL) support and NT
> LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is
> not supported.
>
> Rowland
>
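Added example (not part of the original thread, and not code from Samba or Red Hat): a small shell check that reads `realm list` output like the one posted above and reports every joined realm whose client-software is not winbind, which is the case the quoted Red Hat note says is unsupported on a host that also runs Samba as a server. The function names and the second realm in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. Flags realms joined with a client other than winbind.
# Real use on a Samba file server:  realm list | non_winbind_realms

# Reads `realm list` output on stdin and prints "<realm> <client-software>"
# for each realm not using winbind. Works whether or not the "key: value"
# lines kept their indentation.
non_winbind_realms() {
    awk '
        # A non-empty line without "key: value" is a realm name (block start).
        !/: / && NF { realm = $1; next }
        $1 == "client-software:" && $2 != "winbind" { print realm, $2 }
    '
}

# Constructed sample: the realm from the post above plus a hypothetical
# second realm (corp.example.test) joined with winbind.
sample_realm_list() {
    cat <<'EOF'
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  login-policy: allow-realm-logins
corp.example.test
  type: kerberos
  realm-name: CORP.EXAMPLE.TEST
  domain-name: corp.example.test
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: samba-winbind
  login-policy: allow-realm-logins
EOF
}

sample_realm_list | non_winbind_realms
```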