[Samba] Samba + sssd deployment: success and failure

Goetz, Patrick G pgoetz at math.utexas.edu
Wed Jun 12 17:03:12 UTC 2019

Bug fix: I meant if you set security = user,

On 6/12/19 11:43 AM, Goetz, Patrick G via samba wrote:
> On 6/12/19 11:10 AM, Rowland penny via samba wrote:
>> Why are you using sssd on a standalone server ?
>> your users will be in /etc/passwd and the Samba database, I don't think
>> sssd can talk to the Samba database.
> I'm pretty sure what happens when you set [server role = standalone] is
> that Samba then defers to /etc/nsswitch.conf for how authorization
> should happen, and since sss is listed there and is set up to query the
> AD domain, that's how users get authenticated.
> In particular, it's not actually a standalone server but rather an AD
> domain member so that Security Group-authorized domain users can use
> their AD domain credentials for authentication on the machine.  There is
> an entire lab of linux workstations set up this way.  Users log in to a
> workstation using their AD credentials and their home directory (and
> various data/software directories) are automounted from the same
> fileserver we're trying to set Samba up on.  sssd also provides a
> caching service to assist with timely authorization.  As I mentioned
> previously, sssd bundles together the functionality of pam_ldap, nscd,
> and probably some other tools.  This was all working fine until we
> acquired the need to mount filesystems to a few Windows machines as well
> (due to some compute-intensive analysis software that runs only on Windows).
> After doing some more reading about winbind (the 2007 Carter "Using
> Samba" book -- aside: why don't we have any updated Samba
> documentation?!  Will post separately about the state of the smb.conf
> man page), I have no a priori objections to using winbind instead of
> sssd.  In particular, I wasn't aware that winbind had a PAM hook
> allowing it to provide authentication for other services.  I do care
> about clean, modular system design, though:
>       Other Services           | Autonomous     |
>         Requiring     ------>  | Authentication | <-----  Samba smbd
>       Authentication           | Service        |
>                                     |
>                                     |
>                                     v
>                        Can interface with LDAP/AD
> It looks like the thing in the middle could be sssd or winbind; however
> most of our linux boxes which are AD domain members don't provide SMB
> file sharing services.  I only want to have to debug one
> AD-authentication service (that's headache enough, believe me), so would
> it make sense to run winbind on machines that are only using Samba for
> administrative local use (i.e. no need to install full-blown Samba)?
> I looked at the winbind rid service, and am worried this will map SIDs.
> The other features I'm looking for:
>    - We don't have and can't get the POSIX subsystem in our AD deployment,
>      so I want the UID = SID; i.e not mapped in any way in order to
>      facilitate subsequent aggregation (say of storage) of what are
>      now independent labs.
>    - Must support AD Security Groups because this is how we limit access
> to particular machines.
>    - It would be nice to be able to use AD groups for authorization; then
> I wouldn't have to manage local groups in /etc/group (although ansible
> makes this less of a chore than it used to be).  Right now this doesn't
> seem to work with sssd; i.e. you can't chgrp files/folders to the AD
> groups listed using, say `id pgoetz` on the domain-bound linux machine.
>    - It would be super awesome if nested groups were supported.  Right
> now sssd can't do this.

More information about the samba mailing list