[Samba] please confirm: sssd not a good idea :)

vincent at cojot.name vincent at cojot.name
Mon Jun 10 15:04:59 UTC 2019

There is probably some amount of redtape on this but AFAIK it works fine 
for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through 
use of realm '(and thus sssd):

Here's a RHEL7.6 client:
# realm list
   type: kerberos
   domain-name: ad.lasthome.solace.krynn
   configured: kerberos-member
   server-software: active-directory
   client-software: sssd
   required-package: oddjob
   required-package: oddjob-mkhomedir
   required-package: sssd
   required-package: adcli
   required-package: samba-common-tools
   login-formats: %U
   login-policy: allow-realm-logins

The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from 
there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7



On Mon, 10 Jun 2019, Rowland penny via samba wrote:

> On 08/06/2019 21:32, Rowland penny via samba wrote:
>>  On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>>  Hi all,
>>>  when you join a linux server to an active directory with "realm" it uses
>>>  "sssd" as default. This works well as long as you just want to be a
>>>  simple domain member.
>>>  As soon as you want a real member server, with acls for example, you need
>>>  winbind instead of sssd. You can't even connect to or configure your
>>>  server with "net rpc" without using winbind, right?
>>>  As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>>  needs winbind anyway.
>>>  Could you please confirm that I finally got it right and that the use of
>>>  "sssd" should be avoided except for basic authentication and that for
>>>  serious samba servers "winbind" is the only (correct and supported) way
>>>  to go?
>>>  thank you,
>>>  Uwe
>>  I never said that you should avoid sssd, I said that Samba does not
>>  support it because we do not produce it and that it does very little that
>>  winbind doesn't.
>>  sssd is supported by the sssd-users mailing list and if you need help with
>>  sssd, that is where to address any problems to.
>>  Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
>>  are also correct that on a Unix domain member you need to have winbind
>>  running, so you might as well use it ;-)
>>  Rowland
> As an update to this, I have found out that even Red-hat doesn't support 
> using sssd with Samba:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
> Under section 16.1.1 The  Samba services , there is this:
> Important
> Red Hat only supports running Samba as a server with the winbindd service to 
> provide domain users and groups to the local system. Due to certain 
> limitations, such as missing Windows access control list (ACL) support and NT 
> LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is 
> not supported.
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list