On Tue, Sep 13, 2016 at 01:43:06PM +0000, Joakim Tjernlund wrote:
> On Tue, 2016-09-13 at 11:39 +0200, Sumit Bose wrote:
> > On Mon, Sep 12, 2016 at 04:30:02PM +0000, Joakim Tjernlund wrote:
> > > 
> > > On Mon, 2016-09-12 at 18:08 +0200, Sumit Bose wrote:
> > > > 
> > > > On Mon, Sep 12, 2016 at 03:45:43PM +0000, Joakim Tjernlund wrote:
> > > > > > > > sssd-libwbclient does not implement all functions. That's the
> > > > > > > > reason why it is not the default, just an alternative.
> > > > > > > 
> > > > > > > hmm, then I wonder why my samba stopped working just from moving
> > > > > > > from samba 3.6.25 to 4.2.11/14.
> > > > > > > Maybe some bug in samba/my smb.conf?
> > > > > > 
> > > > > > The newer versions of Samba removed some fallback code, e.g. to fix the
> > > > > > Badlock (http://badlock.org/) issue. This means newer versions of Samba
> > > > > > require that winbind is running in more and more use cases. In some
> > > > > > cases SSSD's version of libwbclient might be sufficient; in some cases
> > > > > > (see below) it is not.
> > > > > > 
> > > > > > > Not implementing all functions makes it hard to know when to use sssd's
> > > > > > > libwbclient; how to figure out when sssd's libwbclient is good enough?
> > > > > > 
> > > > > > Yes, and to make it worse, as mentioned above there are more and more
> > > > > > use cases where Samba requires that winbind is running. If you have to
> > > > > > run winbind, e.g. if you need to proxy NTLM authentication to an AD DC,
> > > > > > you of course have to use Samba's version of libwbclient. To make sure
> > > > > > the SID to POSIX ID mapping is consistent on the system, SSSD 1.14 also
> > > > > > provides an idmapping plugin for winbind (see man idmap_sss for
> > > > > > details). With this plugin winbind will ask SSSD to do the mapping.
> > > > > > 
> > > > > > I agree that this is currently quite confusing. But we are working
> > > > > > with the Samba team to make this easier in the future. Since winbind
> > > > > > has to run in more and more cases, we will concentrate on making it
> > > > > > easy and consistent to run winbind and SSSD in parallel. This is why
> > > > > > I'm currently not actively adding new features to SSSD's version of
> > > > > > libwbclient.
> > > > > 
> > > > > So I can confirm that samba >=4.2.x needs winbind to be up and running
> > > > > to work with native libwbclient.
> > > > > If using sssd's libwbclient one does not need winbind.
> > > > > 
> > > > > Now I am torn which method to use. I would like to see sssd separate
> > > > > from samba.
> > > > > A server with samba exporting some dirs should be no different from a
> > > > > non-samba computer w.r.t. identity mapping. The sssd config and
> > > > > nsswitch.conf should be the same in both cases.
> > > > > Will winbind let me do that?
> > > > 
> > > > yes, if you use the idmap_sss idmap plugin for winbind which is
> > > > available with sssd-1.14 (see man idmap_sss for details). With this
> > > > plugin winbind will ask SSSD for the mapping and return the results to
> > > > the Samba components calling winbind.
> > > 
> > > I will (once I get to 1.14, but I think we need 1.14.3 first).
> > > However I am experimenting with:
> > > 
> > > idmap config TRAN_01: backend = nss
> > > idmap config TRAN_01: schema_mode = rfc2307bis
> > > idmap config TRAN_01: range = 0-65533
> > > 
> > > Seems to be working, any pitfalls?
> > 
> > In general this is a good work-around. Internally the SIDs are not
> > directly translated into POSIX IDs and back; the username is used to
> > connect the two. In the case where Samba/Winbind and SSSD have different
> > understandings of the user name, e.g. one side replaces ' ' by _ and the
> > other does not, it might fail.
> 
> OK, but see below.
> 
> > 
> > >   Jocke
> > > > > We are using a modern Windows AD here for all users with UID/GID
> > > > > defined in Windows AD.
> > > > 
> > > > In this case using Samba's ad idmap module (man idmap_ad) might work as
> > > > well, because SSSD and winbind will use the same source (AD) for the
> > > > mapping.
> > > >  
> > > 
> > > I note that you don't suggest to use sssd's libwbclient. Should
> > > libwbclient be considered obsolete now? Possibly not 100% functioning
> > > in my case?
> > 
> > If SSSD's libwbclient works for you, you can use it and save some
> > resources by not running winbind. But as mentioned before there are more
> > and more use cases where Samba requires that winbind is running, and in
> > those cases SSSD's libwbclient is obsolete.
> > 
> 
> I swapped the computer to our new domain and now winbind could not find its
> SID:
>  "Could not fetch our SID - did we join?"
> no matter what I did.

How did you join the domain? adcli (currently) does not add some needed
data to Samba's internal databases; you have to use 'net ads join' or
tell realmd to use Samba as membership software.

HTH

bye,
Sumit

> But changing to sssd's wbclient did the trick so now I am there ATM.
> 
>  Jocke 
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
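As an added example (not from this thread, and not taken from the Samba or SSSD documentation), here are the three idmap choices discussed above side by side in smb.conf for the TRAN_01 domain named in the thread. The realm name, the security settings and the default-domain range are assumptions for illustration; the TRAN_01 range is the one Joakim posted. Only one backend for TRAN_01 may be active at a time, so the other two are commented out.

```ini
[global]
   security = ads
   realm = TRAN01.EXAMPLE.COM        ; assumed realm name, not from the thread
   workgroup = TRAN_01
   kerberos method = secrets and keytab

   ; Samba needs a default (*) idmap domain for well-known SIDs and for
   ; domains without their own entry; keep its range disjoint from the
   ; ranges used for real domain users (values assumed).
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   ; Work-around used in the thread: winbind resolves SID -> name in AD
   ; and then asks NSS (here: SSSD) for that name's uid/gid. The match is
   ; by user name, so it breaks if Samba and SSSD canonicalise names
   ; differently (e.g. ' ' vs '_'). idmap_nss only understands "range";
   ; "schema_mode" is an idmap_ad option and is ignored by this backend.
   ; nss, sss and ad never allocate IDs, so "range" is only a filter.
   idmap config TRAN_01 : backend = nss
   idmap config TRAN_01 : range = 0-65533

   ; With sssd >= 1.14: winbind asks SSSD directly for the SID <-> POSIX ID
   ; mapping (man idmap_sss), so both sides agree by construction.
   ;idmap config TRAN_01 : backend = sss
   ;idmap config TRAN_01 : range = 0-65533

   ; When uidNumber/gidNumber are maintained in AD (man idmap_ad): winbind
   ; and SSSD read the same attributes from the same source. Valid
   ; schema_mode values are rfc2307, sfu and sfu20.
   ;idmap config TRAN_01 : backend = ad
   ;idmap config TRAN_01 : schema_mode = rfc2307
   ;idmap config TRAN_01 : range = 0-65533
```

Whichever backend is chosen, the "Could not fetch our SID - did we join?" error from the thread means secrets.tdb was never populated: join with `net ads join -U Administrator` (or `realm join --membership-software=samba`) rather than adcli, then confirm with `net ads testjoin`. To check that winbind and SSSD agree on a user, compare `wbinfo -n 'TRAN_01\someuser'` followed by `wbinfo -S <that SID>` against `id someuser`; the uid from both paths must be identical, otherwise file ownership on the exported directories will differ from what the rest of the system sees.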
