[Samba] Domain join with realm

Rowland Penny rpenny at samba.org
Fri Feb 10 18:00:29 UTC 2023

On 10/02/2023 17:36, Jeremy Allison wrote:
> On Fri, Feb 10, 2023 at 08:33:10AM +0000, Rowland Penny via samba wrote:
>> The problem with all this is, Samba does not write or provide realmd 
>> or sssd, so how can it fully provide support for them ?
> It's not a matter of providing support, we can (and should) IMHO
> provide basic help on interop with these tools. At the very least,
> point people at the web pages where people can get deeper information.
>> I know some of the Samba team work for Red Hat (and have possibly 
>> worked on them), but they should be (in my opinion) supporting Samba 
>> by saying something like:
>> "Well, yes they will work with Samba, but Samba provides 'net ads join' 
>> and winbind and that is what is supported here, if you want support 
>> for realmd and sssd, you should contact Red Hat".
>> Or, do you not have faith in the code that is written for Samba ?
> Well as you know, Samba is *always* broken :-). Has been in the
> 30+ years I've worked on it, will be for the next 30+ years I
> work on it too :-) :-) :-).
> Of course, that's the same for all code, open source or proprietary :-).
>> I personally will never support realmd or sssd, they appear to be 
>> problematical when used with Samba.
> That's fine, just don't answer realmd or sssd-related questions.
> Let the Red Hat Samba Team members pick up the slack. You don't
> need to answer all questions or tell people why you're not responding
> to a question. I ignore people on the list all the time :-).
> How about just ignoring realmd or sssd questions and only answer
> net  and winbind ones ?
>> The other question that has to be asked is, why do people want to use 
>> them over the Samba tools ?
> Sometimes it's not a question of "want". It can come down to corporate
> policy etc. etc.

I had already decided that was what I was going to do, just ignore any 
post that says realmd or sssd.

However, it interested me: just what is realmd doing on top of 'net ads 
join'?
So I found the source and I now have a question for Andrew Bartlett.

A few years ago, I tried to add the ability to samba-tool user to store 
the next Unix IDs in AD. Andrew shot this down in flames; amongst the 
reasons was the fact that I wanted to specify the domain range to use in 
AD and hence in smb.conf.

So Andrew, why do you seem to be able to accept realmd, when it does exactly 
the same thing: it dictates the ranges that are set in smb.conf?

Having seen the code, I now understand where all those strange smb.conf 
ranges are coming from and I think someone should tell Red Hat that 
'idmap uid' and 'idmap gid' were deprecated at 3.6.0, over 10 years ago.

