[Samba] Samba + sssd deployment: success and failure
Goetz, Patrick G
pgoetz at math.utexas.edu
Fri Jun 14 21:21:19 UTC 2019
On 6/13/19 11:41 AM, Rowland penny via samba wrote:
>>
>> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users
>> group:
>
> I doubt very much that your Windows RID is '1562224688', well not unless
> you have an extremely large domain, it is more likely to be '4688'
>
You're absolutely right; my bad. I set this up over a year ago and
forgot exactly how it works. sssd hashes the actual SID. Since it can
support multiple domains from the same forest, this presumably prevents
UID clashes while maintaining UID consistency across hosts.
There are a number of things we can't get working, most importantly
limiting access to shares (using +security_group didn't work), and I
can't have any one of the 100,000 domain users mounting shares.
This means deploying winbind. My worry there is most of what users do
has nothing to do with Samba, and I really need consistent UIDs across
all hosts. Will look at the suggested
idmap config DOMAIN : backend = rid
solution.
It's going to be a huge loss not to be able to use AD security groups to
limit access to clusters of hosts, but I'm not quite sure what to do,
since I need UID consistency so can't run sssd and winbind
simultaneously, as far as I can tell so far. Ugh.
More information about the samba
mailing list