[Samba] Samba + sssd deployment: success and failure

Rowland penny rpenny at samba.org
Wed Jun 12 20:06:22 UTC 2019

On 12/06/2019 20:40, Goetz, Patrick G via samba wrote:
> I agree with putting the sssd discussion to bed, but am still interested
> in clearing up some confusion, as I'm concerned I might be missing
> something.
> Yes, but that's part of the point.  I don't *want* a local Samba
> database.  I want all authentication to occur through one of the AD
> domain controllers, assisted by ephemeral cache files.
Winbind doesn't authenticate locally (unless it is consulting its cache); 
it does the same as sssd: it authenticates against an AD DC.
>>> In particular, it's not actually a standalone server but rather an AD
>>> domain member
>> No, it is a schizophrenic server, it is in two minds ;-)
> How so?  I have exactly one daemon in charge of authentication, I don't
> want or need nmbd, and I want smbd to just use NSS for authentication.
> This seems like a streamlined deployment, and of course the
> authorization agent could be sssd or winbind.
But you aren't using NSS with winbind. smbd used to be able to fall back 
to the DC, but from Samba 4.8.0 you now have to run winbind as well.
>> I think you mean 'RID' instead of 'SID'
> Yes, you're right.  The Windows people seem to use the terms synonymously.
I cannot help that. The SID identifies the domain, and the RID is 
appended to the end of the SID and identifies the object (user, 
group, computer, etc.).
>>>    i.e not mapped in any way in order to
>>>       facilitate subsequent aggregation (say of storage) of what are
>>>       now independent labs.
>>>     - Must support AD Security Groups because this is how we limit access
>>> to particular machines.
>> Definitely doable with winbind, you just need to set the permissions
>> from Windows.
> Actually, this is handled using an AD GPO, which sssd is able to read
> and use.  Doing this via GPO means we can simplify the configuration of
> hundreds of machines.
That is something new since I last used sssd. Does it work on Linux?
> Let me clarify.  It would be nice to assign AD Security Groups as
> file/folder groups even if they can't own files on linux.
So you want to use AD groups on Linux?

Something like:

getent group Domain\ Users
domain users:x:10000:user31

You don't get much more of an AD group than Domain Users ;-)
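The SID/RID distinction drawn in the reply above, as an added example that is not part of this mail or of Samba's own code: a small Python parser that validates a string SID, splits an AD object SID into its domain SID and RID, names the well-known RIDs (513 is Domain Users, the group shown in the getent output), and applies the additive RID-to-Unix-ID arithmetic that Samba's idmap_rid backend uses (ID = RID + low end of the configured range, unmapped when the result falls outside the range). The domain SID, the 10000-19999 range and the sample SIDs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Domain-relative RIDs Windows assigns in every AD domain
# (lookup table built for this example).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        subs = "-".join(str(s) for s in self.subauthorities)
        return "S-%d-%d-%s" % (self.revision, self.authority, subs)

    @property
    def rid(self) -> int:
        # The RID is the last sub-authority.
        return self.subauthorities[-1]

    @property
    def domain_sid(self) -> "Sid":
        # Everything except the trailing RID identifies the domain.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])


def parse_sid(text: str) -> Sid:
    """Parse and sanity-check a string SID; raise ValueError on malformed input."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a SID string: %r" % (text,))
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(subs) > 15:  # SubAuthorityCount is at most 15
        raise ValueError("too many sub-authorities (%d)" % len(subs))
    if any(s > 0xFFFFFFFF for s in subs):  # each sub-authority is a 32-bit value
        raise ValueError("sub-authority value overflows 32 bits")
    return Sid(revision, authority, subs)


def is_domain_object_sid(sid: Sid) -> bool:
    # An AD domain SID is S-1-5-21-<a>-<b>-<c>; an object in that domain
    # carries exactly one more sub-authority, its RID.
    return (sid.authority == 5 and len(sid.subauthorities) == 5
            and sid.subauthorities[0] == 21)


def split_sid(text: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for an AD object SID; reject BUILTIN and other SIDs."""
    sid = parse_sid(text)
    if not is_domain_object_sid(sid):
        raise ValueError("%s is not an object SID in an AD domain" % sid)
    return str(sid.domain_sid), sid.rid


def rid_name(rid: int) -> str:
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)


def rid_to_unix_id(rid: int, low: int, high: int) -> Optional[int]:
    """idmap_rid-style arithmetic: ID = RID + low; None when outside [low, high]."""
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    # Constructed sample: Domain Users in a made-up domain, mapped into 10000-19999.
    domain, rid = split_sid("S-1-5-21-1111-2222-3333-513")
    print(domain, rid_name(rid), rid_to_unix_id(rid, 10000, 19999))
```

Note that the gid 10000 in the getent output above does not equal 10000 + 513, so whatever that server uses, it is not idmap_rid arithmetic; the function only shows how the RID-based backend would map it.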
