[Samba] sssd not a good idea

Simo Sorce idra at samba.org
Sat Jun 15 22:23:46 UTC 2019


On Sat, 2019-06-15 at 12:38 +0100, Rowland penny via samba wrote:
> On 15/06/2019 12:22, Simo wrote:
> > On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote:
> > > On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
> > > > So, the bug reports referenced below are in regard to having Samba be a
> > > > domain member.  My question is why would I want Samba to be a domain
> > > > member?  I want the machine Samba runs on to be a domain member, because
> > > > there are other things going on on that machine as well.
> > > You cannot have one without the other, a Unix computer without Samba is
> > > just that, a Unix machine. Add Samba and you can join an AD domain, the
> > > letters 'S', 'M' and 'B' in Samba are there for a reason.
> > Sorry Rowland, but this is incorrect, you need samba (smbd) only if you
> > want to make the member server a file server.
> 
> So what do you suggest that Samba does?
> 
> Do not run smbd ?
> 
> Only run nmbd ? but network browsing is as good as dead
> 
> Only run winbindd ? but this could interfere with sssd.

Samba is a suite of software, for ages I ran winbindd only on Linux
domain members to deal with authentication, smbd wasn't even installed.

> > If you do not need to offer SMB file services there are many other
> > products that join a unix machine to an AD server, including the
> > mentioned sssd (with the realmd utility)
> 
> There well may be other products, but, as they are not produced by 
> Samba, we cannot provide support for them.

Of course, but we traditionally interoperated with many, and did our
best to be an inclusive platform.

> There is also the little problem that Red-Hat no longer supports the use 
> of sssd with Samba

Well, Samba made winbind necessary to run; that doesn't mean Red Hat
does not support running SSSD for NSS while winbindd runs for smbd
authentication purposes. In fact we allow that by using the sssd_idmap
plugin in winbindd.

> Whilst I accept that there is nothing wrong with sssd and that people 
> have made it work with Samba, this is not the mailing list to discuss 
> any possible problems

I do not agree with this; SSSD is the standard client-side user
management component used on one of the distributions Samba works on.
We always allowed discussion and helped people configure their user
management stack, be it NSS or AIX's own different one, or anything else.
This is no different.

If you have a personal problem with SSSD you are not required to help
people with it, you are also not required to scare them off for no
reason.

Simo.
