[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Goetz, Patrick G
pgoetz at math.utexas.edu
Mon Jun 17 19:05:46 UTC 2019
On 6/17/19 12:37 PM, Edouard Guigné via samba wrote:
> On my linux box (centos 7), I set Samba + Winbind against AD.
> But I also set SSSD against AD for another purpose (sftp access).
>
> I am wondering if there is no risk to disable sftpd/sssd if I add
> winbind in /etc/nsswitch.conf
>
> Can Winbind and SSSD be installed on the same system if they are not
> used for the same purpose?
I'm wondering this myself. Regarding nsswitch.conf, the options are
searched in order. So
passwd: compat systemd sss winbind
shadow: compat sss winbind
would presumably look in the local /etc/passwd|shadow files first for
authentication, then check sssd, and finally winbind. The question is
will a Samba mount fail trying to use sssd? You could try putting
winbind before sssd, or in theory winbind should be able to handle ssh
authentication? Can someone confirm this?
I'm still confused by the RHEL documentation on this. Rowland is
correct, the RHEL 8 documentation states this:
"Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to
certain limitations, such as missing Windows access control list (ACL)
support and NT LAN Manager (NTLM) fallback, SSSD is not supported."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
What's confusing is that the RHEL 7 documentation says:
"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this
functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer
need to run Winbind and SSSD in parallel to access SMB shares. For
example, accessing the Access Control Lists (ACLs) no longer requires
Winbind on SSSD clients."
and
"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
For most SSSD clients, using SSSD is recommended:"
and most worrisome, in my use case:
"In environments with direct Active Directory integration where the
clients use SSSD for general Active Directory user mappings, using
Winbind for the SMB ID mapping instead of SSSD can result in
inconsistent mapping."
What changed between versions 7 and 8 of RHEL/CentOS? Is it just the
upgrade from Samba 4.7.x to 4.8.x? What's especially weird is that RHEL
does not support the use of Samba as an AD domain controller:
"Red Hat does not support running Samba as an AD domain controller (DC)."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
They want you to use IdM, which is closely associated with sssd, which
begs the question "are they assuming no one is going to want to serve
files from a linux box to Windows systems?" At least in my environment,
that's a very poor assumption indeed.
Question: How feasible would it be to have a version of smbd that just
works with sssd? I understand a big feature of Samba 4 is providing a
standalone AD domain controller, but for environments that already have
AD, kind of all you really need is file services, and it would be very
convenient to be able to install a version of smbd that just works with
sssd out of the box.
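The nsswitch.conf ordering question above can be checked rather than guessed. The script below is an added example, not code from the thread or from the Samba project: it parses a constructed nsswitch.conf sample, reports the lookup order for a database, and tells you whether winbind or sss is consulted first. The last function uses glibc getent's -s option to query a single NSS service directly, so on a live host you can confirm which backend actually resolves a given account (the sample config text, the account name and the function names are all assumptions for the demo).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect the NSS lookup
# order in nsswitch.conf and confirm which service resolves an account.
# The configuration text below is constructed for this demo.

NSSWITCH_SAMPLE='# /etc/nsswitch.conf (constructed sample)
passwd:     compat systemd sss winbind
shadow:     compat sss winbind
group:      compat systemd sss winbind
hosts:      files dns'

# Print the ordered, space-separated NSS sources for one database.
# $1 = database name (e.g. passwd), $2 = config text (defaults to the sample).
nss_sources() {
    db="$1"
    conf="${2:-$NSSWITCH_SAMPLE}"
    printf '%s\n' "$conf" | awk -v db="$db" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == (db ":") {                               # e.g. "passwd:"
            for (i = 2; i <= NF; i++)
                printf "%s%s", (i > 2 ? " " : ""), $i
            print ""
        }'
}

# 1-based position of a source in a database's lookup order; 0 if absent.
# $1 = database, $2 = source (sss, winbind, ...), $3 = config text.
nss_position() {
    db="$1"; src="$2"; conf="${3:-$NSSWITCH_SAMPLE}"
    pos=0; i=0
    for s in $(nss_sources "$db" "$conf"); do
        i=$((i + 1))
        if [ "$s" = "$src" ]; then pos=$i; break; fi
    done
    echo "$pos"
}

# Succeeds (exit 0) when winbind is consulted before sss for a database,
# i.e. winbind is listed and sss is either absent or listed later.
winbind_before_sss() {
    db="$1"; conf="${2:-$NSSWITCH_SAMPLE}"
    w=$(nss_position "$db" winbind "$conf")
    s=$(nss_position "$db" sss "$conf")
    [ "$w" -gt 0 ] && { [ "$s" -eq 0 ] || [ "$w" -lt "$s" ]; }
}

# Live-system check (not exercised offline): ask one NSS service directly.
# glibc getent accepts -s SERVICE to bypass the nsswitch.conf order, so you
# can see whether sss and winbind each resolve the same account.
resolve_via() {
    svc="$1"; user="$2"
    if getent -s "$svc" passwd "$user" >/dev/null 2>&1; then
        echo "$user: resolved via $svc"
    else
        echo "$user: not found via $svc"
    fi
}

# Stand-alone demo on the constructed sample.
printf 'passwd lookup order: %s\n' "$(nss_sources passwd)"
if winbind_before_sss passwd; then
    echo "winbind is consulted before sss for passwd"
else
    echo "sss is consulted before winbind for passwd"
fi
# On a real host you would run, for an assumed account name:
#   resolve_via sss DOMAIN\\someuser; resolve_via winbind DOMAIN\\someuser
```

Point the functions at the real file with `nss_sources passwd "$(cat /etc/nsswitch.conf)"`. Because winbind and sss both answer passwd and group queries, the first service in the line wins for normal lookups, which is exactly why the ordering (and the consistency of the ID mapping each backend produces) matters when both are installed.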