[Samba] Users loose supplementary groups after a time
Rowland penny
rpenny at samba.org
Fri May 15 18:40:32 UTC 2020
On 15/05/2020 19:27, Orion Poplawski wrote:
> Yes, the main issue here is around access to samba shares. I can't really
> parse the statement that "you cannot use sssd". Of course we are using sssd.
> That's what is resolving the the AD users into local unix users via the IPA -
> AD trust. What exactly do you mean when you say that we cannot use sssd?
The Samba daemon 'smbd' used to be able to talk directly to AD, so you
could use sssd with Samba, but, from Samba 4.8.0, this was changed. If
you now use 'security = ADS' with Samba >= 4.8.0 , you must run winbind
and you cannot run winbind with sssd, this is because sssd uses its
versions of some of the winbind libs.
This will not affect IPA, because this is what sssd was written for,
but, as far as I am aware (never used IPA), you do not have SMB shares
with IPA, so it boils down to: If you just want authentication, you can
use IPA, but if you want authentication and shares, then you can use Samba.
Rowland
>
>> I am struggling to understand just what IPA gives you, except for
>> authentication and you can do this with Samba directly from AD.
> Lots with regard to policy and authorization:
>
> - Fine grained PAM access controls for each host, user, group, service.
> - Centralized sudo rules.
> - Certificate issuance and renewal.
> - Centralized automount configuration.
>
>> The whole idea behind AD is to get centralised authentication (which from my
>> understanding is what IPA does), so why have two authentication centres ?
> There's more to it then authentication :)
>
More information about the samba
mailing list