[Samba] Users lose supplementary groups after a time

Rowland penny rpenny at samba.org
Fri May 15 18:40:32 UTC 2020

On 15/05/2020 19:27, Orion Poplawski wrote:
> Yes, the main issue here is around access to samba shares.  I can't really
> parse the statement that "you cannot use sssd".  Of course we are using sssd.
> That's what is resolving the AD users into local unix users via the IPA -
> AD trust.  What exactly do you mean when you say that we cannot use sssd?

The Samba daemon 'smbd' used to be able to talk directly to AD, so you
could use sssd with Samba, but, from Samba 4.8.0, this was changed. If
you now use 'security = ADS' with Samba >= 4.8.0, you must run winbind,
and you cannot run winbind with sssd; this is because sssd uses its
versions of some of the winbind libs.

This will not affect IPA, because this is what sssd was written for, 
but, as far as I am aware (never used IPA), you do not have SMB shares 
with IPA, so it boils down to: If you just want authentication, you can 
use IPA, but if you want authentication and shares, then you can use Samba.


>> I am struggling to understand just what IPA gives you, except for
>> authentication and you can do this with Samba directly from AD.
> Lots with regard to policy and authorization:
> - Fine grained PAM access controls for each host, user, group, service.
> - Centralized sudo rules.
> - Certificate issuance and renewal.
> - Centralized automount configuration.
>> The whole idea behind AD is to get centralised authentication (which from my
>> understanding is what IPA does), so why have two authentication centres?
> There's more to it than authentication :)
