It should work just fine, I think you should have
    idmap config XXX: backend = sss
not
    idmap config XXX: backend = sssd
though

________________________________________
From: Cam Mac <[email protected]>
Sent: 06 August 2021 17:10
To: [email protected]
Subject: [SSSD-users] samba version as a fileserver with SSSD and AD - possible?

Hi,

Is it possible to have Samba (version 4.8.3) with sssd? I've seen some posts 
that suggest that this might be possible, although officially it isn't 
supported (though https://access.redhat.com/articles/4355391
suggests that it might be). We've tuned sssd heavily for our environment and so 
switching to winbind would be a bit of an unknown, so I would like to see if I 
could get sssd working so that we don't need to remove sssd from nsswitch and 
pam (is it possible to have both sssd and winbind in pam and nss and not break 
things?)

# Global parameters
[global]
        kerberos method = system keytab
        load printers = No
        log file = /var/log/samba/log.%m
        ntlm auth = ntlmv1-permitted
        realm = AD.DOMAIN.COM
        security = ADS
        server string = Samba Server Version %v
        template shell = /bin/bash
        workgroup = DOMAIN
        idmap config domain : schema_mode = rfc2307
        idmap config domain : backend = sssd
        idmap config domain : range = 2000-100000
        idmap config * : range = 200000-999999
        idmap config * : backend = tdb
        force create mode = 0777
        force directory mode = 0777


[user_data]
        comment = user_data
        path = /user_data
        read only = No

I've joined my test samba server to the domain using 'realm join 
--membership-software=samba --client-software=winbind', but then disabled 
winbind and restored sssd to pam and nsswitch. It connects ok, but there's some 
kind of auth issue with Windows 10 clients whereby file writes to the share are 
very slow due to continual calls to kerberos libs (4 minutes to copy 20MB/1900 
files). This doesn't affect Win 7 clients or Linux clients to the same server, 
which can do the same copy in 14 seconds. Single file copies are fine 
(3.2GB file from the Win 10 client takes 40 secs). There are thousands of 
'Get_Pwnam_internals didn't find user', 'NT_STATUS_ACCESS_DENIED', 
'NT_STATUS_MORE_PROCESSING_REQUIRED' and 'Starting GENSEC submechanism 
gse_krb5' errors reported when I turn debug logging on, which is not reported 
when using Linux or Win 7 as the client. It does finish the copy however, with 
the correct permissions, it just takes a very long time. I suspect it is the 
config that is the problem here.

Thanks for any help.

Cam
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
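
Added example, not part of the original messages or of Samba/SSSD: a small lint for the "idmap config" lines of an smb.conf, run over the lines quoted in this thread. It assumes the backend value must name an idmap module (Samba's own modules plus idmap_sss from SSSD); the function names and the SAMPLE text are constructed for illustration.

```python
import re

# idmap_<name> modules: Samba's own, plus "sss" (idmap_sss, shipped by SSSD).
KNOWN_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rid",
                  "script", "sss", "tdb", "tdb2"}
IDMAP_RE = re.compile(r"^idmap config\s+(.+?)\s*:\s*(.+?)\s*=\s*(.*)$", re.I)

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SAMPLE = """\
[global]
        security = ADS
        idmap config domain : schema_mode = rfc2307
        idmap config domain : backend = sssd
        idmap config domain : range = 2000-100000
        idmap config * : range = 200000-999999
        idmap config * : backend = tdb
[user_data]
        path = /user_data
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for idmap lines in [global]."""
    domains, section = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and (m := IDMAP_RE.match(line)):
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val.strip()
    return domains

def check_idmap(conf_text):
    """Flag unknown backend names, bad ranges and overlapping ID ranges."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(conf_text).items():
        backend = opts.get("backend", "")
        if backend.lower() not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown idmap backend '{backend}'")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m[1]) > int(m[2]):
            findings.append(f"{dom}: missing or malformed range")
        else:
            ranges.append((int(m[1]), int(m[2]), dom))
    ranges.sort()
    for i in range(1, len(ranges)):
        lo, _, dom = ranges[i]
        top = max(ranges[:i], key=lambda r: r[1])   # highest range end so far
        if lo <= top[1]:
            findings.append(f"{dom}: range overlaps {top[2]}")
    return findings
```

Calling check_idmap(SAMPLE) reports the "sssd" backend name; the same text with "sss" passes, and the two ID ranges in the posted config do not overlap.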