[Samba] sssd not a good idea

Robert Marcano robert at marcanoonline.com
Wed Jun 12 17:07:42 UTC 2019

On 6/12/19 12:23 PM, Vincent S. Cojot via samba wrote:
> Oh woaaaahhh (Sorry, I lack the words). I am sure that one must be 
> re-visited for 7.6+, though, since 7.6+ had a good overhaul of sssd to 
> make it work better with AD (I heard that from the developer). Perhaps 
> I'm going slightly insane here...

I wish they (Red Hat) would clarify their position. There are many confusing 
signals. Let me explain the timeline of the changes and how I interpret them:

1. Older Samba releases allowed you to run a domain member server 
without using winbind. Samba had an alternate code path: when winbind 
wasn't running, it did some things in the same process. The 4.8 
release changed that, or was it 4.7? I don't remember the details.

2. On those older releases you could even run a domain member server 
without ever configuring NSS (/etc/nsswitch.conf) to use winbind. You 
could have an uncommon setup like creating domain users locally on the 
server, and Samba didn't care where those user and group entries 
came from. I used this many years ago, before Samba AD, to manage users 
using the first FreeIPA releases that had zero AD integration support. 
Think about it as an LDAP provider of users and groups. You could even 
write a custom NSS module that provided the users the way the domain needed, 
and a Samba server could work without winbind running.

3. Now that Samba requires winbind to be running, using winbind without 
NSS is still possible. I have many domains running winbind for 
everything it is used for, without using it for NSS; SSSD is used 
for that. I have only one reason for this, and it is this request for 
enhancement: "Implement synthetic private groups" [1].

I think all this comes from this: RH updated Samba on RHEL 7 to Samba 
4.8. So they must tell their customers that winbind needs to be running 
on the Samba server, because it is.

I hope future Samba releases don't break the current behavior of not 
caring where the Unix user and group mapping comes from: if NSS 
reports it exists, it uses it. If the Samba developers ever add a direct 
way to winbind without using NSS, my current setup will break, unless 
they implement my RFE and I move to winbind ;-). Losing other features 
like managing login policies for the server via Windows GPOs :-(

[1] https://bugzilla.samba.org/show_bug.cgi?id=13946

> Vincent
> On Wed, 12 Jun 2019, Rowland penny via samba wrote:
>> On 12/06/2019 16:56, Vincent S. Cojot via samba wrote:
>>>  https://bugzilla.redhat.com/show_bug.cgi?id=1719824
>> I counter that with:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1663323
>> Rowland
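As an added example that is not part of this thread, the script below audits an /etc/nsswitch.conf the way point 3 above distinguishes the two setups: it reports whether passwd and group lookups are answered by winbind, by sss, or by neither, which is the difference between "winbind is running" and "winbind is used for NSS". The nsswitch.conf content is constructed sample data.

```python
"""Report which NSS backend answers Unix user/group lookups on a Samba member."""

# Constructed sample: winbind is running for Samba, but identity lookups
# go to SSSD, the setup described in point 3 of the post.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed example)
passwd:     files sss systemd
shadow:     files sss
group:      files sss systemd
hosts:      files dns myhostname
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and blank lines are skipped; action specifiers such as
    [SUCCESS=merge] or [NOTFOUND=return] are not treated as sources.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        databases[name.strip()] = sources
    return databases


def identity_backend(databases):
    """Classify passwd and group: 'winbind', 'sss', 'winbind+sss' or 'local-only'."""
    result = {}
    for db in ("passwd", "group"):
        sources = set(databases.get(db, []))
        has_winbind = "winbind" in sources
        has_sss = "sss" in sources
        if has_winbind and has_sss:
            result[db] = "winbind+sss"
        elif has_winbind:
            result[db] = "winbind"
        elif has_sss:
            result[db] = "sss"
        else:
            result[db] = "local-only"
    return result


if __name__ == "__main__":
    # Expected for the sample: passwd and group both served by sss.
    print(identity_backend(parse_nsswitch(SAMPLE_NSSWITCH)))
```

A result of 'sss' (or 'local-only') on both databases with winbindd still running is exactly the configuration the post describes; 'winbind' means NSS itself depends on winbind.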
