[Samba] Using SSSD + AD with Samba seems to require Winbind be running

Robert Marcano robert at marcanoonline.com
Wed Aug 12 14:12:11 UTC 2020

On 8/12/20 9:45 AM, L.P.H. van Belle wrote:
>> On 8/12/20 9:11 AM, L.P.H. van Belle via samba wrote:
>>> What i dont get/understand ..
>>> Why ? Why such setup.
>>> Can TP explain this?
>>> Just trying to understand you idea why setup like this..
>>> There must be a reason?
>> SSSD provides features that Samba probably will not, like GPO login enforcement,
> https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions
> If its a setting like that, sure you can enforce it (for windows).
> For linux, well, there is no GPO for linux.. but what would or are you doing / need here?
> Still trying to understand this more.

SSSD can use Windows GPO rules related to authentication. You can read 
the original design document for that feature here 

Some of our installations use that (those small enough that aren't using 
FreeIPA for Linux servers and workstations)

>> and some it doesn't do yet like automatically define private groups
>> (groups with the same name of the user, I filled a bug for this one)
> Why in earth would you do that. This makes you maintainenace only more complex.
> And, in my personal opinion more prone to errors.

There is no extra maintenance, these groups are not groups to be managed 
on AD, they are only exposed as the primary group on an SSSD based 
domain member, it doesn't fill you AD tree with extra groups. SSSD just 
expose a virtual group with the same user name via the nsswitch module.

Without this feature, Having files created by any domain user to be 
assigned access to a group like "Domain Users" unless you manage for 
each user a gid on the AD user entry, or go to all workstations and 
server and change the users default umask in order to avoid exposing 
files by mistake is more error prone. All users having immediately a 
private group is simpler. And yes I need this by company policy.

Note: Even FreeIPA tried to discourage the use of private groups and use 
ipausers as the primary user group, a long time ago and they reverted 
later to have them by default.

>> There are meny others but my intention is not to advertice
>> SSSD but help
>> people that need to use it by company policy or by needed features.
> Thanks for you replies.
> It might help me understand better why people use/want to use SSSD.

Our servers run with this configuration without problems, I know it is 
not what the Samba list recommend but when you have to use SSSD 
features, you  have to.

Note: The DC servers run Samba AD on a container, no SSSD in sight.

Hope this helps clarify why some of use use SSSD
> So far,
> Greetz,
> Louis

More information about the samba mailing list