[Samba] winbind require_membership_of not being checked with forwardable kerberos ticket

Andrew Bartlett abartlet at samba.org
Thu Feb 11 03:04:31 UTC 2021

On Wed, 2021-02-10 at 21:56 -0500, Jason Keltz wrote:
> I'm sure that SSSD would  likely work, and that's where I started off
> my 
> experiments months ago until I was told not to expect compatibility 
> between SSSD on client and Samba on server since SSSD is apparently 
> tested against real Windows AD controlers, and not Samba.  

If SSSD as a client, for a unix client (eg a desktop or server not
otherwise involving Samba) fails against Samba AD, then it is a Samba
bug and I/we would like to know it.

I also don't see why it would fail - it doesn't do anything real fancy
from my understanding. 

A lot of tosh is talked about regarding sssd here, but I see it as a
client no different to any other.  We don't build windows but support
it perfectly fine too.

The previous mode where it mixed replacing some Samba libraries.  Sure,
that wasn't ever sustainable, but that isn't what you are doing.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list