[Samba] Samba + sssd
Goetz, Patrick G
pgoetz at math.utexas.edu
Tue Jun 11 15:03:03 UTC 2019
On 6/9/19 7:00 AM, Rowland Penny wrote:
> I said that Samba does not support it because we do not produce it and that it does very little that winbind doesn't.
I'm not sure I understand how winbind and sssd are even comparable.
sssd is sort of a unified replacement for pam_ldap and nscd and can, for
example, be configured to allow authentication from an AD and an
unrelated LDAP server at the same time.
In our case, our university provides a campus-wide AD authentication
service with UserName = IDs that people use for other university
business, so it is convenient to set up linux machines to use AD for
authentication. Everyone already knows their username and password, so
it's just up to us to restrict machine access to the appropriate set of
users.
sssd also respects AD security groups, so we are able to create
security groups in AD and then limit logins on a particular group of
machines to a particular set of security groups so that, say, the
structural biology workstations are restricted to the structural biology
group.
One of the biggest selling points is that there is no need to do any
kind of id mapping. With sssd we are able to use the SID directly as
the UID, circumventing mismatched uid issues down the road. As with
LDAP, account information is not stored locally save for in ephemeral
caches. The only thing which doesn't work nicely is that everyone is
assigned to the "Domain Users" group (groups and what they can do are
one of the biggest disconnects between Windows and linux), so what I've
resorted to doing is creating local groups (/etc/group) consisting of AD
usernames, and this works great, if it is somewhat inelegant, as I'm
managing user information in two different locations. There's probably
a better way to do this, but I haven't seen or thought of anything yet.
Anyway, we've been using sssd in a linux-only environment using
NFS/autofs to mount file shares. Now I'm needing to add some Windows
machines to the mix and have installed the complete Samba package (sssd
already uses Samba) on a file server. Jettisoning sssd is not an
option, so hopefully there is a way to get this to work. Right now,
when attempting to mount a share:
net use I: \\krakenhost\emtifs /user:austin\pgoetz
I get a password prompt, but then the authentication fails even though I
can use my AD username to log in to the Samba host directly with no
problem. Anyway, working on this now.
> You are also correct that on a Unix domain member you need to have
> winbind running, so you might as well use it
Not following this comment, either. What is a UNIX domain member? What
kind of domain? Again, we have linux machines bound to an AD domain and
are able to login to these machines with AD accounts with nothing but a
skeletal version of Samba installed and no winbind at all. Using an
LDAP server has much better integration with the linux ecosystem, but
then we get stuck with account creation and maintenance, password
changes, etc. I've also used Samba with LDAP authentication in an NT
Domain configuration, and that worked well. I don't recall needing to
use winbind there, either, but that was a while ago.
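The per-machine login restriction described in this message (a set of workstations limited to one AD security group) can be expressed in sssd.conf with the "simple" access provider. The following is an added example, not configuration from the original post or from the sssd project; the domain name ad.example.edu, the group name structbio-workstations and the home directory layout are assumptions. The local /etc/group workaround the poster describes is a separate file and is not part of this configuration.

```ini
; /etc/sssd/sssd.conf  (added example; mode 0600, owned by root)
[sssd]
config_file_version = 2
services = nss, pam
; assumed AD domain name
domains = ad.example.edu

[domain/ad.example.edu]
; identities and passwords both come from AD; no local account copies
id_provider = ad
auth_provider = ad
; Map UIDs/GIDs from the SID algorithmically instead of relying on
; POSIX attributes in AD, so every host derives the same IDs.
ldap_id_mapping = true
; Access control: only members of the listed AD security group may log
; in on this host. Unlisted users still resolve via NSS but are denied
; at the PAM account stage. Group name is an assumption.
access_provider = simple
simple_allow_groups = structbio-workstations
; Let plain "pgoetz" work rather than "pgoetz@ad.example.edu"
use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash
cache_credentials = true
```

Before relying on the restriction, confirm the group actually resolves on the host (`getent group structbio-workstations` and `id pgoetz` should show the membership); a group that sssd cannot look up will not grant anyone access. Compared with maintaining membership in /etc/group on each machine, this keeps the access list in AD, which is the point of the approach described above.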