[Samba] Using SSSD + AD with Samba seems to require Winbind be running

[Robert Marcano]

On 8/12/20 10:06 AM, Rowland penny via samba wrote:
> On 12/08/2020 14:45, L.P.H. van Belle via samba wrote:
>> Thanks for you replies.
>> It might help me understand better why people use/want to use SSSD.
> 
> That is one I do not understand either, apart from the GPO option (which 
> must be limited, GPO's generally do not work on Linux), everything that 
> sssd does can be done by other means. I for instance use sudo rules from 
> AD.

True. GPO rules enforced by SSSD are related to login only.

Your are lucky if you didn't work on a project where the customer have 
rules, like having their login enforcement be done by Active Directory 
policies.

Anecdote: I worked a few decades ago developing a big Smalltalk 
application for a bank, successfully deployed to OS/2. Many years later 
when they required to migrate from OS/2 they migrated it to Windows and 
started a project to evaluate a migration to Linux in order to choose 
their next platform. We did the entire migration to Linux, the project 
was canned after showing a fully working application (with some small UI 
issues to be fixed if migration was chosen) because their company policy 
said they needed a <insert brand> antivirus on Linux and it wasn't ready 
available. The moral of the history, there are many ways to do the same 
thing on a server, but company policies out of your control can tell you 
not do it that way.

> 
> If you use sssd with Samba, then you need to setup two conf files (with 
> a lot of duplicate info) and only use a version of Samba < 4.8.0. 
> Whereas, with Samba, you only have one conf file and can use any version 
> of Samba.

Not true about the samba version;

# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
# rpm -qa samba
samba-4.10.4-101.el8_1.x86_64

Running SSSD with AD integration. Again, DISCLAIMER, not the recommended 
samba list configuration, but it works.