On Fri, 2011-12-02 at 10:06 -0500, Stephen Gallagher wrote:
> On Fri, 2011-12-02 at 15:59 +0100, Ondrej Valousek wrote:
> > Small update so I am not only throwing dirt on winbind:
> > Winbind still has its use if you cannot use / do not have RFC2307
> > attributes in AD.
> > So simply, if you want to use RFC2307 attributes, sssd is here for
> > you. If not, go for winbind. But yet I would not bother about a winbind
> > plugin for sssd as it does not make too much sense - that's why we
> > have Glibc and its /etc/nsswitch.conf!
> Well, just to make one point, there are a few advantages to the winbind
> backend over pure winbind:
> 1) SSSD caching instead of nscd
Winbindd has its own caching, and nscd use is not recommended with Winbindd.
> 2) Support for multiple AD domains without trust
But a complete lack of support for multiple trusted domains, which is
extremely common on Windows networks.
> 3) One-to-one mapping of identity domain to authentication domain (so
> you're not exposing your password to multiple authentication domains
> until you find the right one, as with traditional PAM).
Well, this is interesting only if you have multiple unrelated identity
domains to care about. I wouldn't count this as something better/worse
than what Winbindd provides; Winbindd is clearly built for a single AD
domain, which is the norm, and the point is already captured in 2.
4) Winbindd can use MS-RPC to handle legacy NT/Samba3 domains and NTLM
authentication. SSSD has no support for any of that, nor for site discovery
a la the Windows way, etc.
I do not want to say one is better than the other, they are different.
When I architected SSSD I was fully aware of both Winbind's limitations and
its good features. The point is that AD domain support was not a goal for
SSSD, and so it was not built to support multiple trusted domains through
one provider or Windows-like domains.
This is changing to some degree so SSSD may grow that ability.
I am neutral as to whether we should integrate winbindd through a plugin or
re-implement its functionality. I can see positive and negative aspects
in both approaches, and I really do not have a strong preference at this
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list