[Samba] Windows 2016 RSAT not connect with samba4 DC

Rowland penny rpenny at samba.org
Mon Nov 30 18:36:18 UTC 2020 

On 30/11/2020 17:59, cn--- via samba wrote:
>
>> I think you will need to run 'dnf remove sssd', this will remove 
>> sssd. You need to decide if you want to do this. You also need to 
>> understand that you cannot use sssd with winbind because sssd uses 
>> its own versions of some of the winbind libs. It is either winbind or 
>> sssd, not both.
>>
>> Red-Hat, on RHEL8, seemingly wants you to use FreeIPA instead of 
>> Samba, they have replaced libpam-krb5 with a version built into sssd, 
>> Openldap has been removed along with smbldap-tools (not that the 
>> latter will really be missed)
>>
>> So, it boils down to, what do you use Samba for ? you are using it as 
>> an AD DC, so my advice is to stop using sssd. Whether you do this by 
>> removing sssd or using a different OS, is up to you.
>
> Hi Rowland,
>
> you can use winbind with CEntos8 see these (with and without sssd). 
> YOu need to log in but the account is free. However I included the 
> Headers to show the Redhad supports winbind.
>
>
> How to configure a Samba server with SSSD in RHEL with Winbind 
> handling AD Join
> https://access.redhat.com/solutions/3802321
>
>
> How to join Red Hat Enterprise Linux 8 to Active Directory using Winbind
> https://access.redhat.com/solutions/4290501
>
> I'll send you the pdfs off-list.
If you would, because I cannot access them online.
>
> This is working for us and we also can use ADUC.

You might think it works, but it probably doesn't fully. It is 
undoubtedly using idmap-sss, this was removed from Samba a few years ago.

There is absolutely no point in using sssd with Samba, mainly because of 
two things. Samba does more than sssd and no one, not even Red-Hat, 
supports using sssd: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

Where it states quite clearly:

'''

Important

Red Hat only supports running Samba as a server with the winbindd 
service to provide domain users and groups to the local system.
Due to certain limitations, such as missing Windows access control list 
(ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported.

'''

Samba does not produce sssd, so cannot provide support for it. I cannot 
recommend using anything with Samba that is outside the Samba tree, 
there was Openchange, Samba made an internal change and it stopped 
working, a similar thing could happen with idmap-sss (not saying it 
will, but it could) and then where are you ?

So, please stop using sssd with Samba, use winbind instead. If you do 
continue using sssd with Samba, then you are on your own, for, as I 
said, samba does not produce sssd, so Samba cannot provide support for it.

All of the above is my opinion, your may vary.

Rowland

More information about the samba mailing list