[Samba] sssd not a good idea

Rowland penny rpenny at samba.org
Sun Jun 16 07:59:00 UTC 2019

On 15/06/2019 23:23, Simo Sorce wrote:
> On Sat, 2019-06-15 at 12:38 +0100, Rowland penny via samba wrote:
>> On 15/06/2019 12:22, Simo wrote:
>>> On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote:
>>>> On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
>>>>> So, the bug reports referenced below are in regard to having Samba be a
>>>>> domain member.  My question is why would I want Samba to be a domain
>>>>> member?  I want the machine Samba runs on to be a domain member, because
>>>>> there are other things going on on that machine as well.
>>>> You cannot have one without the other, a Unix computer without Samba is
>>>> just that, a Unix machine. Add Samba and you can join an AD domain, the
>>>> letters 'S', 'M' and 'B' in Samba are there for a reason.
>>> Sorry Rowland, but this is incorrect, you need samba (smbd) only if you
>>> want to make the member server a file server.
>> So what do you suggest that Samba does?
>> Do not run smbd ?
>> Only run nmbd ? but network browsing is as good as dead
>> Only run winbindd ? but this could interfere with sssd.
> Samba is a suite of software, for ages I ran winbindd only on Linux
> domain members to deal with authentication, smbd wasn't even installed.
Yes, you can do this, but what would be the point if you are also 
running sssd ?
>>> If you do not need to offer SMB file services there are many other
>>> products that join a unix machine to an AD server, including the
>>> mentioned sssd (with the realmd utility)
>> There well may be other products, but, as they are not produced by
>> Samba, we cannot provide support for them.
> Of course, but we traditionally interoperated with many, and did our
> best to be an inclusive platform.
I do not have a problem with being an inclusive problem.
>> There is also the little problem that Red-Hat no longer supports the use
>> of sssd with Samba
> Well Samba made winbind necessary to run, that doesn't mean Red Hat
> does not support running SSSD for NSS while winbindd runs for smbd
> authentication purposes. In fact we allow that by using the sssd_idmap
> plugin in winbindd.

I take it you have missed this:


Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to 
certain limitations, such as missing Windows access control list (ACL) 
support and NT LAN Manager (NTLM) fallback, the System Security Services 
Daemon (SSSD) is not supported.

Red-Hat explicitly no longer supports using SSSD with Samba
>> Whilst I accept that there is nothing wrong with sssd and that people
>> have made it work with Samba, this is not the mailing list to discuss
>> any possible problems
> I do not agree with this, SSSD is the standard, client side user
> management component used on one of the distributions samba works on.
> We always allowed discussion and helped people configure their user
> management stack be it NSS or AIX's own different one, or anything else.
> This is no different.
Yes, it is the standard client user management component on Red-Hat, 
just not with Samba any more.
> If you have a personal problem with SSSD you are not required to help
> people with it, you are also not required to scare them off for no
> reason.

I do not have a personal problem with sssd, I used to use it!

My problem is that Samba does not produce it, this means that we cannot 
fix any potential bugs and we don't really know how to configure it. The 
correct place to ask questions about problems that involve sssd is the 
sssd-users mailing list. This is not scaremongering, it is reality.

