[Samba] please confirm: sssd not a good idea :)

Robert Marcano robert at marcanoonline.com
Tue Jun 11 12:33:12 UTC 2019

On 6/10/19 11:04 AM, Vincent S. Cojot via samba wrote:
> There is probably some amount of redtape on this but AFAIK it works fine 
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through 
> use of realm (and thus sssd):
> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>    type: kerberos
>    domain-name: ad.lasthome.solace.krynn
>    configured: kerberos-member
>    server-software: active-directory
>    client-software: sssd
>    required-package: oddjob
>    required-package: oddjob-mkhomedir
>    required-package: sssd
>    required-package: adcli
>    required-package: samba-common-tools
>    login-formats: %U
>    login-policy: allow-realm-logins
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms 
> from there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7

Yes it works, because it is a joined client. See 

"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this 
functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer 
need to run Winbind and SSSD in parallel to access SMB shares. For 
example, accessing the Access Control Lists (ACLs) no longer requires 
Winbind on SSSD clients."

Latest Samba releases require a running winbind anyway. That doesn't 
mean you can't use SSSD for NSS users and groups discovery. You can 
take advantage of SSSD features, but you still need winbind running on 

> Regards,
> Vincent
> On Mon, 10 Jun 2019, Rowland penny via samba wrote:
>> On 08/06/2019 21:32, Rowland penny via samba wrote:
>>>  On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>>>  Hi all,
>>>>  when you join a linux server to an active directory with "realm" it
>>>>  uses "sssd" as default. This works well as long as you just want to be a
>>>>  simple domain member.
>>>>  As soon as you want a real member server, with acls for example,
>>>>  you need winbind instead of sssd. You can't even connect to or configure
>>>>  your server with "net rpc" without using winbind, right?
>>>>  As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>>>  needs winbind anyway.
>>>>  Could you please confirm that I finally got it right and that the
>>>>  use of "sssd" should be avoided except for basic authentication and that
>>>>  for serious samba servers "winbind" is the only (correct and supported)
>>>>  way to go?
>>>>  thank you,
>>>>  Uwe
>>>  I never said that you should avoid sssd, I said that Samba does not
>>>  support it because we do not produce it and that it does very little
>>>  that winbind doesn't.
>>>  sssd is supported by the sssd-users mailing list and if you need
>>>  help with sssd, that is where to address any problems to.
>>>  Samba supports the use of the samba, smbd, nmbd and winbindd
>>>  daemons. You are also correct that on a Unix domain member you need to
>>>  have winbind running, so you might as well use it ;-)
>>>  Rowland
>> As an update to this, I have found out that even Red Hat doesn't 
>> support using sssd with Samba:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>> Under section 16.1.1 The Samba services, there is this:
>> Important
>> Red Hat only supports running Samba as a server with the winbindd 
>> service to provide domain users and groups to the local system. Due to 
>> certain limitations, such as missing Windows access control list (ACL) 
>> support and NT LAN Manager (NTLM) fallback, the System Security 
>> Services Daemon (SSSD) is not supported.
>> Rowland
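As an added example (not from this thread, nor from Samba or Red Hat), here is a POSIX shell check that encodes the conclusion above: it parses smb.conf and nsswitch.conf text and reports whether a `security = ads` member relies on sssd for NSS while winbindd is still required, and whether `acl_xattr` (Windows ACL support, which Red Hat lists as an SSSD limitation) is configured. The sample nsswitch.conf and smb.conf contents are constructed; the realm name is the one from Vincent's realm output.

```shell
#!/bin/sh
# Added example, not from the thread: audits a Samba domain member's NSS/winbind
# posture from nsswitch.conf and smb.conf text, so it runs offline on samples.
# smb_param CONF SECTION KEY -> value of KEY in [SECTION], lowercased
smb_param() {
    printf '%s\n' "$1" | awk -v sect="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[;#]/ { next }
        line ~ /^\[/ { in_sect = (tolower(line) == tolower(sect)); next }
        in_sect && index(line, "=") {
            i = index(line, "="); k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print tolower(v)
        }'
}
# nss_backends NSSWITCH DB -> backends configured for DB (e.g. "files sss")
nss_backends() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { out = ""; for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i; print out }'
}
# member_audit NSSWITCH CONF -> one verdict token describing the setup
member_audit() {
    sec=$(smb_param "$2" global security)
    [ "$sec" = "ads" ] || { echo "not-a-domain-member"; return 0; }
    case " $(nss_backends "$1" passwd) " in
        *" winbind "*) echo "winbind-nss" ;;
        *" sss "*)
            # Samba >= 4.8 needs winbindd on every domain member even when sssd
            # serves NSS; Red Hat cites missing Windows ACL support for SSSD.
            case " $(smb_param "$2" global "vfs objects") " in
                *" acl_xattr "*) echo "sssd-nss-acl-needs-winbind" ;;
                *) echo "sssd-nss-winbind-still-required" ;;
            esac ;;
        *) echo "no-domain-nss-backend" ;;
    esac
}
# Constructed samples mirroring a realm/sssd-joined host (not real hosts)
SAMPLE_NSS='passwd:     files sss
group:      files sss'
SAMPLE_SMB='[global]
   workgroup = AD
   realm = AD.LASTHOME.SOLACE.KRYNN
   security = ads
   vfs objects = acl_xattr
[data]
   path = /srv/data'
member_audit "$SAMPLE_NSS" "$SAMPLE_SMB"   # prints sssd-nss-acl-needs-winbind
```

On a real host, pass `"$(cat /etc/nsswitch.conf)"` and `"$(cat /etc/samba/smb.conf)"` instead of the samples.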
