[Samba] please confirm: sssd not a good idea :)
Alexey A Nikitin
nikitin at amazon.com
Mon Jun 10 16:31:22 UTC 2019
On Monday, 10 June 2019 08:07:31 PDT Vincent S. Cojot via samba wrote:
> There is probably some amount of redtape on this but AFAIK it works fine
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
> use of realm (and thus sssd):
Slightly off-topic, but realmd doesn't necessarily imply use of SSSD, as it can be used to join a domain using Winbind. When used with Winbind it simplifies things for a (somewhat limited) set of supported use-cases, but falls flat on its face if you try to, e.g., join a resource domain using a service account (with appropriate delegations) from the users domain - realmd in this case will insist on a service account from the resource domain.
> Here's a RHEL7.6 client:
> # realm list
> type: kerberos
> realm-name: AD.LASTHOME.SOLACE.KRYNN
> domain-name: ad.lasthome.solace.krynn
> configured: kerberos-member
> server-software: active-directory
> client-software: sssd
> required-package: oddjob
> required-package: oddjob-mkhomedir
> required-package: sssd
> required-package: adcli
> required-package: samba-common-tools
> login-formats: %U
> login-policy: allow-realm-logins
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from
> there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7
> On Mon, 10 Jun 2019, Rowland penny via samba wrote:
> > On 08/06/2019 21:32, Rowland penny via samba wrote:
> >> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
> >>> Hi all,
> >>> when you join a linux server to an active directory with "realm" it uses
> >>> "sssd" as default. This works well as long as you just want to be a
> >>> simple domain member.
> >>> As soon as you want a real member server, with acls for example, you need
> >>> winbind instead of sssd. You can't even connect to or configure your
> >>> server with "net rpc" without using winbind, right?
> >>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
> >>> needs winbind anyway.
> >>> Could you please confirm that I finally got it right and that the use of
> >>> "sssd" should be avoided except for basic authentication and that for
> >>> serious samba servers "winbind" is the only (correct and supported) way
> >>> to go?
> >>> thank you,
> >>> Uwe
> >> I never said that you should avoid sssd, I said that Samba does not
> >> support it because we do not produce it and that it does very little that
> >> winbind doesn't.
> >> sssd is supported by the sssd-users mailing list and if you need help with
> >> sssd, that is where to address any problems to.
> >> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
> >> are also correct that on a Unix domain member you need to have winbind
> >> running, so you might as well use it ;-)
> >> Rowland
> > As an update to this, I have found out that even Red Hat doesn't support
> > using sssd with Samba:
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
> > Under section 16.1.1 "The Samba services", there is this:
> > Important
> > Red Hat only supports running Samba as a server with the winbindd service to
> > provide domain users and groups to the local system. Due to certain
> > limitations, such as missing Windows access control list (ACL) support and NT
> > LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is
> > not supported.
> > Rowland
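As an added example (not code from this thread, the Samba project or realmd), here is a shell check that reads `realm list` output in the `key: value` layout quoted above and flags an sssd-backed member where the thread says a Samba member server needs winbind; the sample output is constructed from the one quoted above, and on a real host you would feed it the output of `realm list` instead.

```shell
#!/bin/sh
# Added example: audit a Linux domain member by reading the "client-software:"
# line that `realm list` prints. sssd is flagged because a full Samba member
# server (Windows ACLs, "net rpc", Red Hat support) needs winbind instead.
# The sample below is constructed from the realm list output quoted in the thread.

SAMPLE_SSSD='type: kerberos
realm-name: AD.LASTHOME.SOLACE.KRYNN
domain-name: ad.lasthome.solace.krynn
configured: kerberos-member
server-software: active-directory
client-software: sssd
login-formats: %U
login-policy: allow-realm-logins'

# Print the value of one "key: value" line from realm list output.
# Usage: realm_field "$output" key
realm_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# Exit status: 0 when the member uses winbind (the configuration Samba and
# Red Hat support), 1 when it uses sssd or something unrecognised,
# 2 when the host is not joined at all.
audit_member() {
    configured=$(realm_field "$1" configured)
    if [ "$configured" != "kerberos-member" ]; then
        echo "not joined to a domain"
        return 2
    fi
    case $(realm_field "$1" client-software) in
        winbind) echo "ok: winbind provides domain users and groups"; return 0 ;;
        sssd)    echo "warning: sssd in use; a Samba member server needs winbind"; return 1 ;;
        *)       echo "unknown client-software"; return 1 ;;
    esac
}

# Stand-alone run against the constructed sample (prints the sssd warning).
audit_member "$SAMPLE_SSSD" || echo "audit exit status: $?"
```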