[Samba] Using SSSD + AD with Samba seems to require Winbind be running
rpenny at samba.org
Wed Aug 12 13:49:11 UTC 2020
On 12/08/2020 14:26, Robert Marcano via samba wrote:
> Wrong: see
> if Kerberos keytab is used, machine password is never updated
Wrong, but to be honest it depends on which keytab you are referring to.
If, as you said, it is 'kerberos method = secrets and keytab', then the
keytab is one in memory and the default setting of 'machine password
timeout = 604800' will cause winbind to change the machine password
every 7 days.
> No one is talking about brokenness, SSSD is able to update the
> password, if one changes the password (SSSD), the other one needs to
> know (Samba). It is a new feature of SSSD to notify Samba about the
It is broken if you end up with two different machine passwords ;-)
> Note: people love to say that Red Hat discourages the usage of Samba or
> that they don't care (or things like that) but adding these features
> to SSSD shows otherwise, they care, they don't support Samba as an AD
> server but they do as a member server.
Never said they don't care, just that it seems like they do not want you
to use Samba. Here is an example: you are running CentOS 7 with Samba as
a PDC with LDAP and smbldap-tools (something that I advise upgrading
from, but hey, I understand that not everyone can in the short term and
Samba still supports them), you cannot upgrade to CentOS 8. Why?
Because OpenLDAP and smbldap-tools are no longer provided.
>> I do not understand why the Red Hat tools are used on a Samba server,
>> what is wrong with the Samba tools? rds.
You never really explained what is wrong with the Samba tools.