[Samba] Using SSSD + AD with Samba seems to require Winbind be running
Robert Marcano
robert at marcanoonline.com
Wed Aug 12 14:12:11 UTC 2020
On 8/12/20 9:45 AM, L.P.H. van Belle wrote:
>>
>> On 8/12/20 9:11 AM, L.P.H. van Belle via samba wrote:
>>> What i dont get/understand ..
>>>
>>> Why ? Why such setup.
>>> Can TP explain this?
>>>
>>> Just trying to understand you idea why setup like this..
>>> There must be a reason?
>>>
>>
>> SSSD provides features that Samba probably will not, like GPO login enforcement,
> https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions
> If its a setting like that, sure you can enforce it (for windows).
>
> For linux, well, there is no GPO for linux.. but what would or are you doing / need here?
> Still trying to understand this more.
SSSD can use Windows GPO rules related to authentication. You can read
the original design document for that feature here
https://sssd.io/docs/design_pages/active_directory_gpo_integration.html
Some of our installations use that (those small enough that aren't using
FreeIPA for Linux servers and workstations)
>
>> and some it doesn't do yet like automatically define private groups
>> (groups with the same name of the user, I filled a bug for this one)
>
> Why in earth would you do that. This makes you maintainenace only more complex.
> And, in my personal opinion more prone to errors.
There is no extra maintenance, these groups are not groups to be managed
on AD, they are only exposed as the primary group on an SSSD based
domain member, it doesn't fill you AD tree with extra groups. SSSD just
expose a virtual group with the same user name via the nsswitch module.
Without this feature, Having files created by any domain user to be
assigned access to a group like "Domain Users" unless you manage for
each user a gid on the AD user entry, or go to all workstations and
server and change the users default umask in order to avoid exposing
files by mistake is more error prone. All users having immediately a
private group is simpler. And yes I need this by company policy.
Note: Even FreeIPA tried to discourage the use of private groups and use
ipausers as the primary user group, a long time ago and they reverted
later to have them by default.
>
>>
>> There are meny others but my intention is not to advertice
>> SSSD but help
>> people that need to use it by company policy or by needed features.
>
> Thanks for you replies.
> It might help me understand better why people use/want to use SSSD.
Our servers run with this configuration without problems, I know it is
not what the Samba list recommend but when you have to use SSSD
features, you have to.
Note: The DC servers run Samba AD on a container, no SSSD in sight.
Hope this helps clarify why some of use use SSSD
>
>
> So far,
>
> Greetz,
>
> Louis
>
More information about the samba
mailing list