[Samba] sssd not a good idea
Simo Sorce
idra at samba.org
Sat Jun 15 11:33:53 UTC 2019
On Wed, 2019-06-12 at 18:51 +0000, Goetz, Patrick G via samba wrote:
> On 6/12/19 12:14 PM, Rowland penny via samba wrote:
> > > From that perspective, unless you're using Samba as a PDC/BDC, the only
> > > security setting you ever want to use is
> > >
> > > security = user
> > >
> > > Am I missing something?
> >
> > Yes, using that means it can only be a standalone server and not part of
> > a domain.
> >
>
> I guess I don't understand what you mean by this. I have dozens of
> Linux machines which are joined to our AD domain which don't even have
> Samba installed (well, samba-common and samba-libs are required by sssd,
> but not running smbd, nmbd, or winbind). They are definitely part of a
> domain (e.g., domain users can authenticate).
>
> Furthermore, on one of these machines I can run smbd 4.8.3 and mount
> shares from it to other domain bound machines. I am wondering if there
> are any gotchas waiting in store as a result; say permissions not being
> respected, or something, but any action taken through SMB is eventually
> going to have to pass through the VFS gatekeeper, so I'm not seeing how
> that could be a problem, at least for mode bits and POSIX ACLs. I'd
> love to use Windows ACLs, but ext4 doesn't support them and most of the
> file access occurs from other Linux systems. Maybe could get away with
> NFSv4 access only, but am not sure I want to take on the headache of
> trying to mess Samba Windows ACLs with NFSv4 ACLs.
>
It is not a problem if you do not run Samba, but when you do, it needs
to be a proper domain member.