[Samba] Samba + sssd

Goetz, Patrick G pgoetz at math.utexas.edu
Tue Jun 11 15:03:03 UTC 2019

On 6/9/19 7:00 AM, Rowland Penny wrote:

> I said that Samba does not support it because we do not produce it and that it does very little that winbind doesn't. 

I'm not sure I understand how winbind and sssd are even comparable. 
sssd is sort of a unified replacement for pam_ldap and nscd and can, for 
example be configured to allow authentication from an AD and an 
unrelated LDAP server at the same time.

In our case, our university provides a campus-wide AD authentication 
service with UserName = IDs that people use for other university 
business, so it is convenient to set up linux machines to use AD for 
authentication.  Everyone already knows their username and password, so 
it's just up to us to restrict machine access to the appropriate set of 

sssd also respects AD security groups, so, we are able to create 
security groups in AD and then limit logins on a particular group of 
machines to a particular set of security groups so that, say, the 
structural biology workstations are restricted to the structural biology 

One of the biggest selling points is that there is no need to do any 
kind of id mapping.  With sssd we are able to use the SID directly as 
the UID, circumventing mismatched uid issues down the road. As with 
LDAP, account information is not stored locally save for in ephemeral 
caches. The only thing which doesn't work nicely is that everyone is 
assigned to the "Domain Users" group (groups and what they can do are 
one of the biggest disconnects between Windows and linux), so what I've 
resorted to doing is creating local groups (/etc/group) consisting of AD 
usernames and this works great, if it is somewhat inelegant, as I'm 
managing user information in two different locations.  There's probably 
a better way to do this, but I haven't seen or thought of anything yet.

Anyway, we've been using sssd in a linux-only environment using 
NFS/autofs to mount file shares.  Now I'm needing to add some Windows 
machines to the mix and have installed the complete Samba package (sssd 
already uses Samba) on a file server.  Jettisoning sssd is not an 
option, so hopefully there is a way to get this to work.  Right now, 
when attempting to mount a share:

    net use I: \\krakenhost\emtifs  /user:austin\pgoetz

I get a password prompt, but then the authentication fails even though I 
can use my AD username to log in to the Samba host directly with no 
problem.  Anyway, working on this now.

> You are also correct that on a Unix domain member you need to have 
winbind running, so you might as well use it

Not following this comment, either.  What is a UNIX domain member?  What 
kind of domain?  Again, we have linux machines bound to an AD domain and 
are able to login to these machines with AD accounts with nothing but a 
skeletal version of Samba installed and no winbind at all.  Using an 
LDAP server has much better integration with the linux ecosystem, but 
then we get stuck with account creation and maintenance, password 
changes, etc.  I've also used Samba with LDAP authentication in an NT 
Domain configuration, and that worked well.  I don't recall needing to 
use winbind there, either, but that was a while ago.
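As an added illustration (not part of the original post, and not the Samba project's or sssd's own configuration), here is an sssd.conf that implements the setup described above: AD as identity and authentication provider, algorithmic UID/GID assignment from the account's SID instead of a hand-maintained idmap, and logins restricted to named AD security groups. The domain, realm, group names and idmap range are assumptions; the file must be owned by root with mode 0600 or sssd refuses to start.

```ini
# /etc/sssd/sssd.conf (added example; domain, realm, group names and
# idmap range are assumptions, substitute your own)
[sssd]
config_file_version = 2
services = nss, pam
domains = austin.example.edu

[domain/austin.example.edu]
id_provider = ad
auth_provider = ad
access_provider = simple
ad_domain = austin.example.edu
krb5_realm = AUSTIN.EXAMPLE.EDU

# Derive UID/GID from the account SID algorithmically: no uidNumber /
# gidNumber attributes to maintain in AD, and every host that uses the
# same range settings computes the same UID for the same account.
ldap_id_mapping = True
# Keep these three identical on every host; changing them changes the
# UIDs that sssd computes and breaks ownership on NFS-mounted data.
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000

# Only members of these AD security groups may log in to this host.
# Verify with "id <user>" that the account resolves into one of them
# before relying on the restriction.
simple_allow_groups = structbio-workstations, linux-admins

# Short usernames at the prompt, a home directory and shell for accounts
# that carry neither attribute in AD, and offline login from the cache.
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
cache_credentials = True
```

After editing, restart sssd and check with `id pgoetz` that the UID lands in the configured range and that the expected groups appear; `sss_cache -E` flushes stale cached entries if a group change does not show up. Where the login restriction should follow AD group policy instead of a list maintained per host, `access_provider = ad` with `ad_gpo_access_control = enforcing` applies the "Allow log on locally" rights from GPOs; `ad_access_filter` accepts an LDAP filter such as a memberOf clause for the same purpose.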
