On Wed, Jun 19, 2019 at 01:57:59PM -0300, Edouard Guigné wrote:
> Dear sssd users,
>
> I would like to get information about the use of sssd with samba (centos 7,
> samba 4.8.3).
>
> I need it because I configured a samba share, accessible with sssd.
> The authentication is against a windows AD.
>
> My /etc/nsswitch.conf is configured only with sssd :
> passwd: files sss
> shadow: files sss
> group: files sss
>
> For another purpose, I set an sftpd access also configured with sssd
> against the AD.
>
> I followed some discussions on the samba user list about samba + sssd.
> I would like to understand if there are some issues with sssd and samba
> 4.8.3 on centos 7 ?
> Or is it with next RHEL 8 ?
>
> The RHEL 8 documentation states this:
>
> "Red Hat only supports running Samba as a server with the winbindd
> service to provide domain users and groups to the local system. Due to
> certain limitations, such as missing Windows access control list (ACL)
> support and NT LAN Manager (NTLM) fallback, SSSD is not supported."
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
>
> What's confusing is that the RHEL 7 documentation says:
>
> "Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this
> functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer
> need to run Winbind and SSSD in parallel to access SMB shares. For
> example, accessing the Access Control Lists (ACLs) no longer requires
> Winbind on SSSD clients."
>
> and
>
> "4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
> For most SSSD clients, using SSSD is recommended:"
>
> and most worrisome, in my use case:
>
> "In environments with direct Active Directory integration where the
> clients use SSSD for general Active Directory user mappings, using
> Winbind for the SMB ID mapping instead of SSSD can result in
> inconsistent mapping."
>
> In my case, running samba 4.8.3 with SSSD on centos 7 do I need to :

I'm not an expert in this area, but look at some threads in the list
archive, e.g. this one:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/thread/U66MEJBMXVJWJVCBORS2KBP7BIAGZ57H/
even has a full example.

> - enable and start winbind service , in conjunction to sssd ?

Yes, that's my understanding with recent Samba releases

> - or only sssd is enough with samba ?
> - Do I have to fear issues in next release of sssd for the support of samba
> ? especially for acls support ?
>
> A nsswitch.conf like :
> passwd: files sss winbind
> shadow: files sss winbind
> group: files sss winbind

..but I don't think you need the NSS maps enabled, IIRC just the service
must be running..

>
> or
>
> passwd: files winbind sss
> shadow: files winbind sss
> group: files winbind sss
>
> Does not seem to work... I tested and this is not stable.
>
> Best Regards,
> Edouard
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org