[Samba] SID mapping: Samba and SSSD

Rowland penny rpenny at samba.org
Fri Sep 4 08:18:37 UTC 2020


On 04/09/2020 00:22, Andrew Walker wrote:
> On Thu, Sep 3, 2020 at 5:08 PM Jeremy Allison <jra at samba.org> wrote:
>
>     On Thu, Sep 03, 2020 at 05:05:46PM -0400, Andrew Walker via samba wrote:
>     > On Thu, Sep 3, 2020 at 4:45 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>     >
>     > > On 03/09/2020 21:38, Robert Marcano wrote:
>     > > > On 9/3/20 4:35 PM, Rowland penny via samba wrote:
>     > > >> On 03/09/2020 21:15, Robert Marcano via samba wrote:
>     > > >>>
>     > > >>> There is an sssd provided idmapper (on RHEL/CentOS/Fedora) it is
>     > > >>> packaged as sssd-winbind-idmap. IIRC it doesn't reimplement the
>     > > >>> algorithm, just delegates to SSSD the mapping
>     > > >>>
>     > > >> idmap-sss used to be in the Samba tree, but when it was going to
>     > > >> be removed, Red Hat took it into their sssd tree.
>     > > >>
>     > > >> If you are using sssd with Samba >= 4.8.0 it is unsupported by
>     > > >> Red Hat and Samba.
>     > > >>
>     > > >> Rowland
>     > > >>
>     > > > Continue saying you can't run latest Samba release all you wish, it
>     > > > doesn't make it true. I will continue helping the original post.
>     > >
>     > > I refer you to my other post
>     > >
>     > > Rowland Penny
>     > >
>     > > Samba team member
>     > >
>     >
>     > This does make me wonder whether it would be worth adding an optional
>     > non-default parameter to idmap_autorid to have it use the sssd slicing
>     > algorithm to determine ranges. Sort of like SSSD has an autorid
>     > compatibility parameter.
>
>     Happy to review if you write it :-). Anything that
>     will remove friction moving to/from winbindd/sssd
>     would be good for users !
>
>
> We can sometimes get into this pickle ourselves integrating into 
> existing environments. Maybe next time I have insomnia I'll throw 
> together something along these lines (unless someone beats me to the 
> punch).

I cannot stop you doing this, but it would be, in my opinion, wasted 
effort. You can do much the same thing by setting up a new Unix domain 
member using winbind and then transferring the data from the sssd 
machine to the winbind machine. The data would use the sssd numeric IDs 
on the sssd machine and the winbind numeric IDs on the other.

Rowland




