[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Rowland penny rpenny at samba.org
Wed Aug 12 13:49:11 UTC 2020

On 12/08/2020 14:26, Robert Marcano via samba wrote:
> Wrong: see 
> https://github.com/samba-team/samba/blob/master/source3/winbindd/winbindd_dual.c#L1821 
> if Kerberos keytab is used, machine password is never updated 
> periodically
Wrong, but to be honest it depends on which keytab you are referring to. 
If, as you said, it is 'kerberos method = secrets and keytab', then the 
keytab is one in memory and the default setting of 'machine password 
timeout = 604800' will cause winbind to change the machine password 
every 7 days.
> No one is talking about brokenness, SSSD is able to update the 
> password; if one changes the password (SSSD), the other one needs to 
> know (Samba). It is a new feature of SSSD to notify Samba about the 
> change.
It is broken if you end up with two different machine passwords ;-)
> Note: people love to say that Red Hat discourages the usage of Samba or 
> that they don't care (or things like that), but adding these features 
> to SSSD shows otherwise: they care, they don't support Samba as an AD 
> server but they do as a member server.
Never said they don't care, just that it seems like they do not want you 
to use Samba. Here is an example: you are running Centos 7 with Samba as 
a PDC with LDAP and smbldap-tools (something that I advise upgrading 
from, but hey, I understand that not everyone can in the short term and 
Samba still supports them). You cannot upgrade to Centos 8. Why? 
Because Openldap and smbldap-tools are no longer provided.
>> I do not understand why the red-hat tools are used on a Samba server, 
>> what is wrong with the Samba tools ? rds.
You never really explained what is wrong with the Samba tools.
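The thread's point is that winbind (driven by 'machine password timeout', default 604800 seconds) and SSSD can each rotate the same machine account password, leaving the two stores with different passwords unless SSSD hands the new one to Samba. The check below is an added example, not code from the post or from the Samba or SSSD projects: it reads both configs and flags the case where both daemons would rotate independently. The sample configs are constructed, and the sssd.conf option names (ad_maximum_machine_account_password_age, ad_update_samba_machine_account_password) and their defaults are assumed from sssd-ad(5).

```python
import configparser

# Constructed sample configs for the check (not taken from the mailing-list post).
SMB_CONF = """
[global]
    security = ads
    realm = EXAMPLE.LAN
    kerberos method = secrets and keytab
    machine password timeout = 604800
"""

SSSD_CONF = """
[domain/example.lan]
    id_provider = ad
    ad_maximum_machine_account_password_age = 30
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def winbind_rotation(smb_conf_text):
    """Return (kerberos_method, rotation_seconds) as winbind will apply them.
    Defaults follow smb.conf(5): 'secrets only' and 604800 seconds (7 days)."""
    cp = _parse(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    method = g.get("kerberos method", "secrets only").strip().lower()
    timeout = int(g.get("machine password timeout", "604800"))
    return method, timeout

def sssd_rotation(sssd_conf_text):
    """Return (rotation_days, notifies_samba) for the first AD domain section.
    Option names and the 30-day default are assumed from sssd-ad(5)."""
    cp = _parse(sssd_conf_text)
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("domain/") and sec.get("id_provider") == "ad":
            age = int(sec.get("ad_maximum_machine_account_password_age", "30"))
            notify = sec.get("ad_update_samba_machine_account_password", "false")
            return age, notify.strip().lower() == "true"
    return None

def conflicting_rotation(smb_conf_text, sssd_conf_text):
    """True when winbind and SSSD would both rotate the machine password and
    SSSD is not set to pass the new password on to Samba (a timeout or age of
    0 is treated here as 'no rotation'; that reading is an assumption)."""
    _method, timeout = winbind_rotation(smb_conf_text)
    sssd = sssd_rotation(sssd_conf_text)
    if sssd is None:
        return False
    age, notify = sssd
    return timeout > 0 and age > 0 and not notify
```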