On Wed, Jun 19, 2019 at 01:57:59PM -0300, Edouard Guigné wrote:
> Dear sssd users,
> 
> I would like to get information about the use of sssd with samba (centos 7,
> samba 4.8.3).
> 
> I need it because I configured a samba share, accessible with sssd.
> The authentication is against a windows AD.
> 
> My /etc/nsswitch.conf is configured only with sssd :
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> 
> For another purpose, I set an sftpd access also configured with sssd
> against the AD.
> 
> I followed some discussions on the samba user list about samba + sssd.
> I would like to understand if there are some issues with sssd and samba
> 4.8.3 on centos 7 ?
> Or is it with next RHEL 8 ?
> 
> The RHEL 8 documentation states this:
>
> "Red Hat only supports running Samba as a server with the winbindd
> service to provide domain users and groups to the local system. Due to
> certain limitations, such as missing Windows access control list (ACL)
> support and NT LAN Manager (NTLM) fallback, SSSD is not supported."
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
>
> What's confusing is that the RHEL 7 documentation says:
>
> "Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this
> functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer
> need to run Winbind and SSSD in parallel to access SMB shares. For
> example, accessing the Access Control Lists (ACLs) no longer requires
> Winbind on SSSD clients."
>
> and
>
> "4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
> For most SSSD clients, using SSSD is recommended:"
>
> and most worrisome, in my use case:
>
> "In environments with direct Active Directory integration where the
> clients use SSSD for general Active Directory user mappings, using
> Winbind for the SMB ID mapping instead of SSSD can result in
> inconsistent mapping."
> 
> In my case, running samba 4.8.3 with SSSD on centos 7 do I need to :

I'm not an expert in this area, but look at some threads in the list
archive e.g. this one:
    
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/thread/U66MEJBMXVJWJVCBORS2KBP7BIAGZ57H/
even has a full example.

> - enable and start winbind service , in conjunction to sssd ?

Yes, that's my understanding with recent Samba releases

> - or only sssd is enough with samba ?
> - Do I have to fear issues in next release of sssd for the support of samba
> ? especially for acls support ?
> 
> A nsswitch.conf like :
> passwd:     files sss winbind
> shadow:     files sss winbind
> group:      files sss winbind

..but I don't think you need the NSS maps enabled, IIRC just the service
must be running..

> 
> or
> 
> passwd:     files winbind sss
> shadow:     files winbind sss
> group:      files winbind sss
> 
> Does not seem to work... I test and this is not stable.
> 
> Best Regards,
> Edouard
> 

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
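
An added example, not part of the original messages: a small Python check that parses nsswitch.conf content and reports the passwd and group maps where both sss and winbind are listed, the situation the quoted RHEL 7 text ties to inconsistent ID mapping. The sample content is constructed from the first variant quoted in the thread, and the function names are illustrative.

```python
import re

# Constructed sample: the first nsswitch.conf variant quoted in the thread.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns
"""

ID_MAPS = ("passwd", "group")  # databases that resolve users/groups to IDs


def parse_nsswitch(text):
    """Return {database: [source, ...]} in lookup order, ignoring comments and actions."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep source names only.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        maps[db.strip()] = rest.split()
    return maps


def mixed_id_sources(maps):
    """List (database, source consulted first) where sss and winbind both serve ID lookups."""
    findings = []
    for db in ID_MAPS:
        sources = maps.get(db, [])
        if "sss" in sources and "winbind" in sources:
            first = min(("sss", "winbind"), key=sources.index)
            findings.append((db, first))
    return findings


if __name__ == "__main__":
    for db, first in mixed_id_sources(parse_nsswitch(SAMPLE)):
        print(f"{db}: both sss and winbind listed; {first} is consulted first")
```

To check a live host, pass the contents of /etc/nsswitch.conf to `parse_nsswitch` instead of `SAMPLE`.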