[Samba] Samba + sssd deployment: success and failure

Goetz, Patrick G pgoetz at math.utexas.edu
Fri Jun 14 21:21:19 UTC 2019

On 6/13/19 11:41 AM, Rowland penny via samba wrote:
>> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users
>> group:
> I doubt very much that your Windows RID is '1562224688', well not unless 
> you have an extremely large domain, it is more likely to be '4688'

You're absolutely right; my bad.  I set this up over a year ago and 
forgot exactly how it works.  sssd hashes the actual SID.  Since it can 
support multiple domains from the same forest, this presumably prevents 
UID clashes while maintaining UID consistency across hosts.

There are a number of things we can't get working, most importantly 
limiting access to shares (using +security_group didn't work), and I 
can't have any one of the 100,000 domain users mounting shares.

This means deploying winbind.  My worry there is most of what users do 
has nothing to do with Samba, and I really need consistent UIDs across 
all hosts.  Will look at the suggested

    idmap config DOMAIN : backend = rid


It's going to be a huge loss not to be able to use AD security groups to 
limit access to clusters of hosts, but I'm not quite sure what to do, 
since I need UID consistency so can't run sssd and winbind 
simultaneously, as far as I can tell so far.  Ugh.
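
An added example, not part of the original message or of Samba's code: the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) worked through for the `rid` backend mentioned above, showing that hosts agree on a UID only when they share the same range. The domain SID, the ranges and the host names are constructed sample values; RID 4688 is the one quoted in the thread.

```python
# Added illustration of the documented idmap_rid formula:
#   ID = RID - BASE_RID + LOW_RANGE_ID
# The domain SID and the ranges below are constructed sample values.

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """Map a SID to a Unix ID the way the formula does; None if unmappable."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None          # SID belongs to a different domain
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None          # result falls outside the configured range
    return unix_id

def unix_id_to_sid(unix_id, domain_sid, low, high, base_rid=0):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
HOST_A = dict(domain_sid=DOMAIN_SID, low=100000, high=999999)
HOST_B = dict(HOST_A)                               # identical range
HOST_C = dict(HOST_A, low=200000, high=1099999)     # drifted range

if __name__ == "__main__":
    user = f"{DOMAIN_SID}-4688"
    for name, cfg in (("A", HOST_A), ("B", HOST_B), ("C", HOST_C)):
        print(name, rid_to_unix_id(user, **cfg))
```

Hosts A and B return the same UID for the same SID; host C, with a different low range value, does not, and a RID larger than the range width is left unmapped.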
