On Mon, 2016-09-12 at 18:08 +0200, Sumit Bose wrote:
> On Mon, Sep 12, 2016 at 03:45:43PM +0000, Joakim Tjernlund wrote:
> > > > > sssd-libwbclient does not implement all functions. That's the reason why
> > > > > it is not a default; and just an alternative.
> > > >
> > > > hmm, then I wonder why my samba stopped working just from moving from
> > > > samba 3.6.25 to 4.2.11/14
> > > > Maybe some bug in samba/my smb.conf ?
> > >
> > > The newer versions of Samba removed some fallback code e.g. to fix the
> > > Badlock (http://badlock.org/) issue. This means newer versions of Samba
> > > require that winbind is running in more and more use cases. In some
> > > cases SSSD's version of libwbclient might be sufficient; in some cases
> > > (see below) it is not.
> > >
> > > > Not impl. all functions makes it hard to know when to use sssd's
> > > > libwbclient,
> > > > how to figure out when sssd's libwbclient is good enough?
> > >
> > > Yes and to make it worse as mentioned above there are more and more use
> > > cases where Samba requires that winbind is running. If you have to run
> > > winbind, e.g. if you needed to proxy NTLM authentication to an AD DC, you
> > > of course have to use Samba's version of libwbclient. To make sure the
> > > SID to POSIX ID mapping is consistent on the system SSSD 1.14 also
> > > provides an idmapping plugin for winbind (see man idmap_sss for
> > > details). With this plugin winbind will ask SSSD to do the mapping.
> > >
> > > I agree that this is currently quite confusing. But we are working with
> > > the Samba team to make this easier in the future. Since winbind has to
> > > run in more and more cases we will concentrate on making it easy and
> > > consistent to run winbind and SSSD in parallel. This is why I'm
> > > currently not actively adding new features to SSSD's version of
> > > libwbclient.
> >
> > So I can confirm that samba >=4.2.x needs winbind to be up and running to
> > work with native libwbclient.
> > If using sssd's libwbclient one does not need winbind.
> >
> > Now I am torn which method to use. I would like to see sssd separate from
> > samba.
> > A server with samba exporting some dirs should be no different from a non
> > samba computer
> > w.r.t identity mapping. The sssd config and nsswitch.conf should be the
> > same in both cases.
> > Will winbind let me do that ?
>
> yes, if you use the idmap_sss idmap plugin for winbind which is
> available with sssd-1.14 (see man idmap_sss for details). With this
> plugin winbind will ask SSSD for the mapping and return these results to
> the Samba components calling winbind.

I will (once I get to 1.14 but I think we need 1.14.3 first). However I am
experimenting with:

    idmap config TRAN_01: backend = nss
    idmap config TRAN_01: schema_mode = rfc2307bis
    idmap config TRAN_01: range = 0-65533

Seems to be working, any pitfalls?

 Jocke

> > We are using a modern Windows AD here for all users with UID/GID defined in
> > Windows AD.
>
> In this case using Samba's ad idmap module (man idmap_ad) might work as
> well, because SSSD and winbind will use the same source (AD) for the
> mapping.

I note that you don't suggest to use sssd's libwbclient. Should libwbclient be
considered obsolete now? Possibly not 100% functioning in my case?

 Jocke