[Samba] Samba + sssd deployment: success and failure

Goetz, Patrick G pgoetz at math.utexas.edu
Wed Jun 12 20:41:57 UTC 2019

On 6/12/19 3:06 PM, Rowland penny via samba wrote:
>> Actually, this is handled using an AD GPO, which sssd is able to read
>> and use.  Doing this via GPO means we can simplify the configuration of
>> hundreds of machines.
> That is something new since I last used sssd, does it work on Linux ?

Yes, it works with sssd version 1.16.1; that was one of the main selling 
points for us, as we have dozens of research groups spread out across the 
college and would like to create a streamlined Linux configuration that 
works for all of them (with legacy/temperamental software buried in LXD 
or Singularity containers).  Currently, however, only the login GPOs are 
supported by sssd.

The evolution of this software has been pretty rapid.  If you used it a 
couple of years ago, you haven't really used it.  <;)


>> Let me clarify.  It would be nice to assign AD Security Groups as
>> file/folder groups even if they can't own files on linux.
> So you want to use AD groups on Linux ?
> Something like:
> getent group Domain\ Users
> domain users:x:10000:user31
> You don't get much more of an AD group than Domain Users ;-)

Yep, I want to be able to set up security groups and then have group 
ownership assigned to those security groups.

When I ls -l the files of a domain user on this system, the group shows 
up as Domain Users.  Many thanks to Robert Marcano for pointing out that 
there is a way with sssd to set up synthetic private groups per user -- 
that was one of the details still bothering me considerably because 
without it, the default umask needs to be 077 instead of 007, making it 
harder to facilitate shared folders, a necessity in our context.

Looking at the release notes posted above, apparently they added support 
for non-POSIX groups in v. 1.15, but I'm not sure it's flexible enough 
to capture the security groups.  Deferring that question to one of my 
colleagues who is a Windows expert.

Thanks for the helpful discussion.  I've got a much better handle on how 
all this works.

> Rowland
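The umask trade-off described above (shared primary group "Domain Users" versus per-user private groups), as an added example that is not part of the thread; it assumes a Linux host with GNU coreutils (`stat -c`) and needs no AD join:

```shell
# Added example, not from the thread. With sssd mapping every domain user to
# the primary group "Domain Users", umask 007 makes each new file group-rw
# for ALL domain users; only umask 077 keeps files private. With per-user
# private groups, umask 007 is safe again and shared folders get easier.
# Assumes GNU stat (Linux); temp files are created and removed locally.

# Print the octal mode a newly created file receives under a given umask.
mode_after_umask() {
    _m="$1"
    _d=$(mktemp -d)
    ( umask "$_m" && : > "$_d/f" )      # create in a subshell so umask is scoped
    stat -c %a "$_d/f"
    rm -rf "$_d"
}

# Create a shared folder with the setgid bit (mode 2770) so files created
# inside inherit the folder's group instead of the creator's primary group;
# this is the usual companion to umask 007 for group-shared directories.
# Prints the directory's octal mode.
shared_dir_mode() {
    _d=$(mktemp -d)
    chmod 2770 "$_d"
    stat -c %a "$_d"
    rm -rf "$_d"
}

# Private-group model: primary group is the user's own, so 660 is harmless.
echo "umask 007 -> $(mode_after_umask 007)"   # 660
# Shared primary group (Domain Users): 077 is the only private default.
echo "umask 077 -> $(mode_after_umask 077)"   # 600
echo "setgid shared dir -> $(shared_dir_mode)" # 2770
```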
