On Mon, 2016-09-12 at 18:08 +0200, Sumit Bose wrote:
> On Mon, Sep 12, 2016 at 03:45:43PM +0000, Joakim Tjernlund wrote:
> > > > > sssd-libwbclient does not implement all functions. That's the reason why
> > > > > it is not a default; it is just an alternative.
> > > > 
> > > > hmm, then I wonder why my samba stopped working just from moving from
> > > > samba 3.6.25 to 4.2.11/14.
> > > > Maybe some bug in samba/my smb.conf?
> > > 
> > > The newer versions of Samba removed some fallback code, e.g. to fix the
> > > Badlock (http://badlock.org/) issue. This means newer versions of Samba
> > > require that winbind is running in more and more use cases. In some
> > > cases SSSD's version of libwbclient might be sufficient; in some cases
> > > (see below) it is not.
> > > 
> > > > Not implementing all functions makes it hard to know when to use sssd's
> > > > libwbclient; how does one figure out when sssd's libwbclient is good enough?
> > > 
> > > Yes, and to make it worse, as mentioned above there are more and more use
> > > cases where Samba requires that winbind is running. If you have to run
> > > winbind, e.g. if you need to proxy NTLM authentication to an AD DC, you
> > > of course have to use Samba's version of libwbclient. To make sure the
> > > SID to POSIX ID mapping is consistent on the system, SSSD 1.14 also
> > > provides an idmapping plugin for winbind (see man idmap_sss for
> > > details). With this plugin winbind will ask SSSD to do the mapping.
> > > 
> > > I agree that this is currently quite confusing. But we are working with
> > > the Samba team to make this easier in the future. Since winbind has to
> > > run in more and more cases, we will concentrate on making it easy and
> > > consistent to run winbind and SSSD in parallel. This is why I'm
> > > currently not actively adding new features to SSSD's version of
> > > libwbclient.
> > 
> > So I can confirm that samba >=4.2.x needs winbind to be up and running to
> > work with the native libwbclient.
> > If using sssd's libwbclient one does not need winbind.
> > 
> > Now I am torn which method to use. I would like to see sssd separate from
> > samba.
> > A server with samba exporting some dirs should be no different from a
> > non-samba computer w.r.t. identity mapping. The sssd config and
> > nsswitch.conf should be the same in both cases.
> > Will winbind let me do that?
> 
> Yes, if you use the idmap_sss idmap plugin for winbind which is
> available with sssd-1.14 (see man idmap_sss for details). With this
> plugin winbind will ask SSSD for the mapping and return the results to
> the Samba components calling winbind.

I will (once I get to 1.14, but I think we need 1.14.3 first).
However, I am experimenting with:

idmap config TRAN_01: backend = nss
idmap config TRAN_01: schema_mode = rfc2307bis
idmap config TRAN_01: range = 0-65533

Seems to be working, any pitfalls?

  Jocke
> > We are using a modern Windows AD here for all users with UID/GID defined in 
> > Windows AD. 
> 
> In this case using Samba's ad idmap module (man idmap_ad) might work as
> well, because SSSD and winbind will use the same source (AD) for the
> mapping.

I note that you don't suggest using sssd's libwbclient. Should libwbclient be
considered obsolete now? Possibly not 100% functioning in my case?

 Jocke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
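Jocke's question about pitfalls is left open in the thread. Whatever backend a
domain ends up with (nss as in the experiment above, sss via idmap_sss, or ad),
winbind needs every idmap domain to carry both a backend and a range, a "*"
default domain for BUILTIN SIDs and for domains not listed explicitly, and
ranges that do not overlap, because for ID-to-SID lookups winbind picks the
backend by which range the ID falls into. The script below is an added example
for checking an smb.conf against those rules; it is not code from the thread
or from the SSSD or Samba projects. The two smb.conf files it writes are
constructed: the TRAN_01 lines are the ones posted above, while the "*"
default range and the OTHER domain are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread, SSSD or Samba): sanity-check the idmap
# configuration of an smb.conf before handing it to winbind, whatever backend
# (nss, sss, ad, tdb) each domain uses. Checks: every idmap domain has both a
# backend and a range, a "*" default domain exists, ranges are well formed,
# and no two ranges overlap. Names are compared case-insensitively, as Samba
# treats parameter names.

# check_idmap_config FILE: print one line per problem, exit 0 if none found.
check_idmap_config() {
    awk '
    function dom_of(l,  d) { d = l; sub(/^idmap config[ \t]+/, "", d); sub(/[ \t]*:.*$/, "", d); return d }
    function val_of(l,  v) { v = l; sub(/^[^=]*=[ \t]*/, "", v); gsub(/[ \t]/, "", v); return v }
    BEGIN { bad = 0; n = 0 }
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^idmap config[ \t]+[^ \t:]+[ \t]*:[ \t]*backend[ \t]*=/ { backend[dom_of(line)] = val_of(line) }
    line ~ /^idmap config[ \t]+[^ \t:]+[ \t]*:[ \t]*range[ \t]*=/ {
        d = dom_of(line); v = val_of(line)
        if (split(v, r, "-") != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/ || r[1] + 0 > r[2] + 0) {
            printf "domain %s: malformed range \"%s\"\n", d, v; bad = 1; next
        }
        if (!(d in lo)) doms[++n] = d
        lo[d] = r[1] + 0; hi[d] = r[2] + 0
    }
    END {
        if (!("*" in backend)) { print "no default domain (idmap config * : backend) configured"; bad = 1 }
        for (d in backend) if (!(d in lo)) { printf "domain %s: backend %s set but no range\n", d, backend[d]; bad = 1 }
        for (d in lo) if (!(d in backend)) { printf "domain %s: range set but no backend\n", d; bad = 1 }
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
            a = doms[i]; b = doms[j]
            if (lo[a] <= hi[b] && lo[b] <= hi[a]) {
                printf "domains %s and %s: ranges %d-%d and %d-%d overlap\n", a, b, lo[a], hi[a], lo[b], hi[b]; bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample: the TRAN_01 lines from the thread plus an assumed "*"
# default domain. "backend = sss" (idmap_sss) instead of nss is checked the
# same way.
write_sample_ok() {
    cat > "$1" <<'EOF'
[global]
    workgroup = TRAN_01
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config TRAN_01: backend = nss
    idmap config TRAN_01: schema_mode = rfc2307bis
    idmap config TRAN_01: range = 0-65533
EOF
}

# Constructed sample with two mistakes: the default range swallows the
# TRAN_01 range, and an extra (assumed) domain has a backend but no range.
write_sample_bad() {
    cat > "$1" <<'EOF'
[global]
    workgroup = TRAN_01
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 0-999999
    idmap config TRAN_01 : backend = nss
    idmap config TRAN_01 : range = 0-65533
    idmap config OTHER : backend = ad
EOF
}

# Stand-alone run over both constructed files.
tmpdir=$(mktemp -d)
write_sample_ok "$tmpdir/ok.conf"
write_sample_bad "$tmpdir/bad.conf"
for f in ok bad; do
    if check_idmap_config "$tmpdir/$f.conf"; then
        echo "$f.conf: idmap configuration consistent"
    else
        echo "$f.conf: problems found (see above)"
    fi
done
rm -rf "$tmpdir"
```

Run it against the real /etc/samba/smb.conf by calling check_idmap_config on
that path instead of the constructed files; testparm will also complain about
some of these mistakes, but it does not report overlapping ranges between
domains, which is the one that silently breaks ID-to-SID lookups.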
