[Samba] sssd not a good idea

[Simo Sorce]

On Wed, 2019-06-12 at 18:51 +0000, Goetz, Patrick G via samba wrote:
> On 6/12/19 12:14 PM, Rowland penny via samba wrote:
> > >   From that perspective, unless you're using Samba as a PDC/BDC, the only
> > > security setting you ever want to use is
> > > 
> > >       security = user
> > > 
> > > Am I missing something?
> > 
> > Yes, using that means it can only be a standalone server and not part of 
> > a domain.
> > 
> 
> I guess I don't understand what you mean by this.  I have dozens of 
> linux machines which are joined to our AD domain which don't even have 
> Samba installed (well, samba-common and samba-libs are required by sssd, 
> but not running smbd, nmbd, or winbind).  They are definitely part of a 
> domain (e.g, domain users can authenticate.
> 
> Furthermore, on one of these machines I can run smbd 4.8.3  and mount 
> shares from it to other domain bound machines.  I am wondering if there 
> are any gotchas waiting in store as a result; say permissions not being 
> respected, or something, but any action taken through SMB is eventually 
> going to have to pass through the VFS gatekeeper, so I'm not seeing how 
> that could be a problem, at least for mode bits and POSIX ACLs.  I'd 
> love to use Windows ACL's, but ext4 doesn't support them and most of the 
> file access occurs from other linux systems,  Maybe could get away with 
> NFSv4 access only, but am not sure I want to take on the headache of 
> trying to mess Samba Windows ACLs with NFSv4 ACLs.
> 
It is not a problem if you do not run samba, but when you do, it needs
to be a proper domain member.