[Samba] please confirm: sssd not a good idea :)
vincent at cojot.name
Mon Jun 10 15:04:59 UTC 2019
There is probably some amount of red tape on this but AFAIK it works fine
for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
use of realm (and thus sssd):
Here's a RHEL7.6 client:
# realm list
The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from
On Mon, 10 Jun 2019, Rowland penny via samba wrote:
> On 08/06/2019 21:32, Rowland penny via samba wrote:
>> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>> Hi all,
>>> when you join a linux server to an active directory with "realm" it uses
>>> "sssd" as default. This works well as long as you just want to be a
>>> simple domain member.
>>> As soon as you want a real member server, with acls for example, you need
>>> winbind instead of sssd. You can't even connect to or configure your
>>> server with "net rpc" without using winbind, right?
>>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>> needs winbind anyway.
>>> Could you please confirm that I finally got it right and that the use of
>>> "sssd" should be avoided except for basic authentication and that for
>>> serious samba servers "winbind" is the only (correct and supported) way
>>> to go?
>>> thank you,
>> I never said that you should avoid sssd, I said that Samba does not
>> support it because we do not produce it and that it does very little that
>> winbind doesn't.
>> sssd is supported by the sssd-users mailing list and if you need help with
>> sssd, that is where to address any problems to.
>> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
>> are also correct that on a Unix domain member you need to have winbind
>> running, so you might as well use it ;-)
> As an update to this, I have found out that even Red Hat doesn't support
> using sssd with Samba:
> Under section 16.1.1 The Samba services, there is this:
> Red Hat only supports running Samba as a server with the winbindd service to
> provide domain users and groups to the local system. Due to certain
> limitations, such as missing Windows access control list (ACL) support and NT
> LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is
> not supported.