[Samba] please confirm: sssd not a good idea :)

Alexey A Nikitin nikitin at amazon.com
Mon Jun 10 16:31:22 UTC 2019


On Monday, 10 June 2019 08:07:31 PDT Vincent S. Cojot via samba wrote:
> 
> There is probably some amount of redtape on this but AFAIK it works fine 
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through 
> use of realm (and thus sssd):
> 
Slightly off-topic, but realmd doesn't necessarily imply use of SSSD, as it can be used to join a domain using Winbind. When used with Winbind it simplifies things for a (somewhat limited) set of supported use-cases, but falls flat on its face if you try to, e.g., join a resource domain using a service account (with appropriate delegations) from the users domain - realmd in this case will insist on a service account from the resource domain.

> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>    type: kerberos
>    realm-name: AD.LASTHOME.SOLACE.KRYNN
>    domain-name: ad.lasthome.solace.krynn
>    configured: kerberos-member
>    server-software: active-directory
>    client-software: sssd
>    required-package: oddjob
>    required-package: oddjob-mkhomedir
>    required-package: sssd
>    required-package: adcli
>    required-package: samba-common-tools
>    login-formats: %U
>    login-policy: allow-realm-logins
> 
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from 
> there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7
> 
> Regards,
> 
> Vincent
> 
> On Mon, 10 Jun 2019, Rowland penny via samba wrote:
> 
> > On 08/06/2019 21:32, Rowland penny via samba wrote:
> >>  On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
> >>>  Hi all,
> >>>
> >>>  when you join a linux server to an active directory with "realm" it uses
> >>>  "sssd" as default. This works well as long as you just want to be a
> >>>  simple domain member.
> >>>
> >>>  As soon as you want a real member server, with acls for example, you need
> >>>  winbind instead of sssd. You can't even connect to or configure your
> >>>  server with "net rpc" without using winbind, right?
> >>>
> >>>  As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
> >>>  needs winbind anyway.
> >>>
> >>>  Could you please confirm that I finally got it right and that the use of
> >>>  "sssd" should be avoided except for basic authentication and that for
> >>>  serious samba servers "winbind" is the only (correct and supported) way
> >>>  to go?
> >>>
> >>>  thank you,
> >>>  Uwe
> >>>
> >>  I never said that you should avoid sssd, I said that Samba does not
> >>  support it because we do not produce it and that it does very little that
> >>  winbind doesn't.
> >>
> >>  sssd is supported by the sssd-users mailing list and if you need help with
> >>  sssd, that is where to address any problems to.
> >>
> >>  Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
> >>  are also correct that on a Unix domain member you need to have winbind
> >>  running, so you might as well use it ;-)
> >>
> >>  Rowland
> >> 
> >> 
> > As an update to this, I have found out that even Red-hat doesn't support 
> > using sssd with Samba:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
> >
> > Under section 16.1.1 The  Samba services , there is this:
> >
> > Important
> > Red Hat only supports running Samba as a server with the winbindd service to 
> > provide domain users and groups to the local system. Due to certain 
> > limitations, such as missing Windows access control list (ACL) support and NT 
> > LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is 
> > not supported.
> >
> > Rowland
> >
> >
> >
> >
> >
> 
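A check that follows from the thread, added here as an example rather than code from any message on the page, from Samba, or from realmd: a small Python script that parses `realm list` output and flags Active Directory members whose client-software is anything other than winbind, which is the only configuration Samba and Red Hat support for a Samba server. The sample input is the `realm list` output quoted above plus a constructed second realm (corp.example.test, joined with winbind) for contrast; the remediation command in the comments uses realmd's `--client-software` and `--membership-software` options as documented in realm(8).

```python
"""Audit `realm list` output for AD members that still rely on SSSD."""
import subprocess

# Constructed sample: the `realm list` output quoted in the thread, followed
# by a hypothetical second realm joined with winbind so both cases appear.
SAMPLE_REALM_LIST = """\
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
corp.example.test
  type: kerberos
  realm-name: CORP.EXAMPLE.TEST
  domain-name: corp.example.test
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: %U@corp.example.test
  login-policy: allow-realm-logins
"""


def parse_realm_list(text):
    """Parse `realm list` output into {realm: {key: [values]}}.

    Realm names are unindented; their properties follow as indented
    "key: value" lines. Keys such as required-package repeat, so every
    value is kept in a list. A realm with no property lines maps to {}.
    """
    realms = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            realms[current] = {}
            continue
        if current is None:
            raise ValueError("property line before any realm name: %r" % raw)
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError("malformed property line: %r" % raw)
        realms[current].setdefault(key.strip(), []).append(value.strip())
    return realms


def audit(realms):
    """Return (realm, finding) pairs for joined AD realms not using winbind.

    Only realms actually joined (configured: kerberos-member) against
    Active Directory are checked; discovered-but-unjoined realms are skipped.
    """
    findings = []
    for name, props in realms.items():
        if props.get("configured") != ["kerberos-member"]:
            continue
        if props.get("server-software") != ["active-directory"]:
            continue
        client = props.get("client-software", ["(none)"])[0]
        if client != "winbind":
            findings.append((name,
                             "client-software is %s; a Samba file server needs "
                             "winbind (SSSD lacks Windows ACL support and NTLM "
                             "fallback). Re-join with: realm join "
                             "--client-software=winbind "
                             "--membership-software=samba %s" % (client, name)))
    return findings


if __name__ == "__main__":
    # Use the live `realm list` when realmd is installed; otherwise fall back
    # to the constructed sample so the script also demonstrates offline.
    try:
        text = subprocess.run(["realm", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_REALM_LIST
    for realm, finding in audit(parse_realm_list(text)):
        print("%s: %s" % (realm, finding))
```

Run on the sample, the script reports only ad.lasthome.solace.krynn, the realm from the thread that was joined with client-software sssd; the winbind-joined realm passes. It deliberately ignores realms that are merely discovered and not joined, since those have no client software to check.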
