[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Rowland Penny rpenny at samba.org
Thu Jan 13 18:42:22 UTC 2022

On Thu, 2022-01-13 at 13:05 -0500, Luc Lalonde via samba wrote:
> No I read that!
> To me it says:
>  1. We know that there are issues with using SSSD and we're working
> on it

They seem to have been working on it for the last two years (at least)

>  2. We'll continue to support you if you choose this configuration

As long as you have a support contract and it is an existing setup.

>  3. We're not ready to offer a working supported alternative yet,
> again,
>     we're working on it

See my first reply ;-)

> In my experience, RHEL7 works well with standalone Winbind.
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.

This 'may' have something to do with the removal of libpam-krb5

> Perhaps I'm missing something, but the latest Redhat documentation 
> continues to push SSSD + Winbind as the way to go:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel

It says:


Implement this procedure only in the rare cases where this approach is

That hardly inspires confidence.

> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but 
> we're not quite there yet!

You could always dump the red-hat machines and come over to the Debian
side, where it has always worked.

The following is totally my opinion:

sssd, realmd etc were written to be used with FreeIPA and as such,
should only be used with FreeIPA.

If you are using Samba, then you should use Samba's tools, winbind,
net, wbinfo etc.

Others may have a different view (and probably will). I cannot and will
not try to make anyone follow my view; anyone reading this should make
their own decision on which path to follow. I just know what has worked
for myself since 2012, part of which time I used sssd; this was until I
found that winbind was actually easier to use (once I got my head
around the 'idmap config' lines).
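The 'idmap config' lines mentioned above are the part of a winbind member-server setup that most often goes wrong in practice (a missing default '*' domain, or ranges that overlap each other). The following is an added example, not code from the post or from the Samba project: a small checker that parses the 'idmap config' lines out of an smb.conf and reports those problems. The sample configuration, the domain name EXAMPLE and the 1000 floor for "local user" collisions are assumptions constructed for the example.

```python
import re

# Constructed sample smb.conf fragment (not from the mailing-list post):
# a domain member using the rid backend for the AD domain and tdb for
# the default '*' domain, with non-overlapping ranges.
GOOD_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

# Constructed bad variant: the EXAMPLE range overlaps the '*' range.
BAD_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 5000-999999
"""

# Matches lines of the form "idmap config <DOMAIN> : <key> = <value>".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Assumed heuristic: UIDs/GIDs below this are treated as reserved for
# local (system) accounts and should not be handed out by idmap.
LOCAL_ID_FLOOR = 1000


def parse_idmap_config(text):
    """Return {domain: {key: value}} for every 'idmap config' line in text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); raise ValueError if malformed."""
    lo, hi = value.split("-", 1)
    lo, hi = int(lo), int(hi)
    if lo > hi:
        raise ValueError(f"range low {lo} is above high {hi}")
    return lo, hi


def check_idmap_config(cfg):
    """Return a list of problem strings; an empty list means the checks passed."""
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain configured")
    ranges = []
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"domain {dom}: no backend set")
        if "range" not in keys:
            problems.append(f"domain {dom}: no range set")
            continue
        try:
            lo, hi = parse_range(keys["range"])
        except ValueError:
            problems.append(f"domain {dom}: malformed range {keys['range']!r}")
            continue
        if lo < LOCAL_ID_FLOOR:
            problems.append(f"domain {dom}: range starts below {LOCAL_ID_FLOOR} (local account IDs)")
        ranges.append((dom, lo, hi))
    # Sort by range start, then compare each range with its successor.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(name, check_idmap_config(parse_idmap_config(conf)) or "ok")
```

The checker only looks at the 'idmap config' lines; it does not validate that the backend named is one winbind supports, nor does it consult a live domain. Point it at a real smb.conf by reading the file into a string and passing it to parse_idmap_config().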


More information about the samba mailing list