[Samba] Samba + sssd deployment: success and failure
Goetz, Patrick G
pgoetz at math.utexas.edu
Wed Jun 12 20:41:57 UTC 2019
On 6/12/19 3:06 PM, Rowland penny via samba wrote:
>> Actually, this is handled using an AD GPO, which sssd is able to read
>> and use. Doing this via GPO means we can simplify the configuration of
>> hundreds of machines.
> That is something new since I last used sssd, does it work on Linux ?
Yes, it works with sssd version 1.16.1; that was one of the main selling
points for us, as we have dozens of research groups spread out across the
college and would like to create a streamlined Linux configuration that
works for all of them (with legacy/temperamental software buried in LXD
or Singularity containers). Currently, however, only the login GPOs are
supported by sssd.
The evolution of this software has been pretty rapid. If you used it a
couple of years ago, you haven't really used it. <;)
>> Let me clarify. It would be nice to assign AD Security Groups as
>> file/folder groups even if they can't own files on linux.
> So you want to use AD groups on Linux ?
> Something like:
> getent group Domain\ Users
> domain users:x:10000:user31
> You don't get much more of an AD group than Domain Users ;-)
Yep, I want to be able to set up security groups and then have group
ownership assigned to those security groups.
When I ls -l the files of a domain user on this system, the group shows
up as Domain Users. Many thanks to Robert Marcano for pointing out that
there is a way with sssd to set up synthetic private groups per user --
that was one of the details still bothering me considerably because
without it, the default umask needs to be 077 instead of 007, making it
harder to facilitate shared folders, a necessity in our context.
Looking at the release notes posted above, apparently they added support
for non-POSIX groups in v. 1.15, but I'm not sure it's flexible enough
to capture the security groups. Deferring that question to one of my
colleagues who is a Windows expert.
Thanks for the helpful discussion. I've got a much better handle on how
all this works.
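An added example, not part of the original post or of sssd, illustrating the umask point made above: once each user has a private primary group (the sssd `auto_private_groups` domain option is assumed here to be the feature Robert Marcano referred to) instead of "Domain Users", a umask of 007 is safe, and a shared folder is then just a setgid directory owned by the security group. The group name, the `notes.txt` file name and GNU coreutils (`stat -c`) are assumptions; the script uses the caller's own primary group as a stand-in for an AD security group so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): a shared project folder
# that relies on umask 007. This is only safe when every user's primary
# group is a private per-user group (sssd auto_private_groups, assumed),
# not a broad group such as "Domain Users".
# Assumptions: POSIX shell, GNU coreutils for stat -c.
set -u

# setup_shared_dir DIR GROUP
# Create DIR owned by GROUP with the setgid bit (mode 2770) so that files
# created inside inherit GROUP, and "other" gets no access at all.
setup_shared_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# dir_mode PATH : octal permission bits as a string, e.g. 2770 or 660
dir_mode() {
    stat -c '%a' "$1"
}

# file_group PATH : name of the group owning PATH
file_group() {
    stat -c '%G' "$1"
}

# create_shared_file DIR NAME
# Create the file in a subshell with umask 007: 666 & ~007 = 660, so the
# owner and the (inherited) group can read and write it while "other"
# cannot. With umask 077 the file would be 600 and unreadable to the rest
# of the group, which is why the private-group setup matters.
create_shared_file() {
    ( umask 007; : > "$1/$2" ) || return 1
}

# demo: build a throwaway shared folder and report what resulted.
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)    # stand-in for an AD security group (assumption)
    setup_shared_dir "$tmp/shared" "$grp" || return 1
    create_shared_file "$tmp/shared" "notes.txt" || return 1
    printf 'dir=%s file=%s group=%s\n' \
        "$(dir_mode "$tmp/shared")" \
        "$(dir_mode "$tmp/shared/notes.txt")" \
        "$(file_group "$tmp/shared/notes.txt")"
    rm -rf "$tmp"
}
```

On a real deployment the `chgrp` target would be the AD security group as sssd exposes it (for example the name `getent group` prints), and the setgid bit is what lets a member of that group create a file that the other members can edit without any per-file `chgrp`.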