On 08/06/2019 21:32, Rowland penny via samba wrote:
> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>> Hi all,
>>
>> when you join a linux server to an active directory with "realm" it
>> uses "sssd" as default. This works well as long as you just want to
>> be a simple domain member.
>>
>> As soon as you want a real member server, with acls for example, you
>> need winbind instead of sssd. You can't even connect to or configure
>> your server with "net rpc" without using winbind, right?
>>
>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain
>> member needs winbind anyway.
>>
>> Could you please confirm that I finally got it right and that the use
>> of "sssd" should be avoided except for basic authentication and that
>> for serious samba servers "winbind" is the only (correct and
>> supported) way to go?
>>
>> thank you,
>> Uwe
>>
> I never said that you should avoid sssd, I said that Samba does not
> support it because we do not produce it and that it does very little
> that winbind doesn't.
>
> sssd is supported by the sssd-users mailing list and if you need help
> with sssd, that is where to address any problems to.
>
> Samba supports the use of the samba, smbd, nmbd and winbindd daemons.
> You are also correct that on a Unix domain member you need to have
> winbind running, so you might as well use it ;-)
>
> Rowland
>
>
As an update to this, I have found out that even Red Hat doesn't support
using sssd with Samba:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers

Under section 16.1.1 The Samba services, there is this:

Important
Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to
certain limitations, such as missing Windows access control list (ACL)
support and NT LAN Manager (NTLM) fallback, the System Security Services
Daemon (SSSD) is not supported.

Rowland