On 08/06/2019 21:32, Rowland penny via samba wrote:
> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>> Hi all,
>>
>> when you join a linux server to an active directory with "realm" it
>> uses "sssd" as default. This works well as long as you just want to
>> be a simple domain member.
>>
>> As soon as you want a real member server, with acls for example, you
>> need winbind instead of sssd. You can't even connect to or configure
>> your server with "net rpc" without using winbind, right?
>>
>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain
>> member needs winbind anyway.
>>
>> Could you please confirm that I finally got it right and that the use
>> of "sssd" should be avoided except for basic authentication and that
>> for serious samba servers "winbind" is the only (correct and
>> supported) way to go?
>>
>> thank you,
>> Uwe
>>
> I never said that you should avoid sssd, I said that Samba does not
> support it because we do not produce it and that it does very little
> that winbind doesn't.
>
> sssd is supported by the sssd-users mailing list and if you need help
> with sssd, that is where to address any problems to.
>
> Samba supports the use of the samba, smbd, nmbd and winbindd daemons.
> You are also correct that on a Unix domain member you need to have
> winbind running, so you might as well use it ;-)
>
> Rowland
>

As an update to this, I have found out that even Red-hat doesn't support using sssd with Samba:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers

Under section 16.1.1 The Samba services, there is this:

Important
Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is not supported.

Rowland
vincent at cojot.name
2019-Jun-10 15:04 UTC
[Samba] please confirm: sssd not a good idea :)
There is probably some amount of redtape on this but AFAIK it works fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through use of realm (and thus sssd):

Here's a RHEL7.6 client:
# realm list
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7

Regards,

Vincent

On Mon, 10 Jun 2019, Rowland penny via samba wrote:
> On 08/06/2019 21:32, Rowland penny via samba wrote:
>> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>> Hi all,
>>>
>>> when you join a linux server to an active directory with "realm" it uses
>>> "sssd" as default. This works well as long as you just want to be a
>>> simple domain member.
>>>
>>> As soon as you want a real member server, with acls for example, you need
>>> winbind instead of sssd. You can't even connect to or configure your
>>> server with "net rpc" without using winbind, right?
>>>
>>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>> needs winbind anyway.
>>>
>>> Could you please confirm that I finally got it right and that the use of
>>> "sssd" should be avoided except for basic authentication and that for
>>> serious samba servers "winbind" is the only (correct and supported) way
>>> to go?
>>>
>>> thank you,
>>> Uwe
>>>
>> I never said that you should avoid sssd, I said that Samba does not
>> support it because we do not produce it and that it does very little that
>> winbind doesn't.
>>
>> sssd is supported by the sssd-users mailing list and if you need help with
>> sssd, that is where to address any problems to.
>>
>> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
>> are also correct that on a Unix domain member you need to have winbind
>> running, so you might as well use it ;-)
>>
>> Rowland
>>
>>
> As an update to this, I have found out that even Red-hat doesn't support
> using sssd with Samba:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>
> Under section 16.1.1 The Samba services, there is this:
>
> Important
> Red Hat only supports running Samba as a server with the winbindd service to
> provide domain users and groups to the local system. Due to certain
> limitations, such as missing Windows access control list (ACL) support and NT
> LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is
> not supported.
>
> Rowland
>
On 10/06/2019 16:04, vincent at cojot.name wrote:
>
> There is probably some amount of redtape on this but AFAIK it works
> fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs
> through use of realm (and thus sssd):
>
> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms
> from there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7

Hi Vincent,

I have never said that you cannot use sssd with Samba, I just said that Samba doesn't support sssd.

I have now found (whilst searching for something else) the red-hat webpage I posted the link to earlier, this unequivocally says that red-hat does not support the use of sssd with Samba.

This (to myself) means that Samba cannot support the use of sssd, because we do not produce it and red-hat (who do produce it) do not support its use with Samba, so it looks like you are on your own if something goes wrong.

Moral of the story, stick to using winbindd instead ;-)

Rowland
On Monday, 10 June 2019 08:07:31 PDT Vincent S. Cojot via samba wrote:
>
> There is probably some amount of redtape on this but AFAIK it works fine
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
> use of realm (and thus sssd):
>

Slightly off-topic, but realmd doesn't necessarily imply use of SSSD, as it can be used to join a domain using Winbind. When used with Winbind it simplifies things for a (somewhat limited) set of supported use-cases, but falls flat on its face if you try to, e.g., join a resource domain using a service account (with appropriate delegations) from the users domain - realmd in this case will insist on a service account from the resource domain.

> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms from
> there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7
>
> Regards,
>
> Vincent
>
> On Mon, 10 Jun 2019, Rowland penny via samba wrote:
>
> > On 08/06/2019 21:32, Rowland penny via samba wrote:
> >> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
> >>> Hi all,
> >>>
> >>> when you join a linux server to an active directory with "realm" it uses
> >>> "sssd" as default. This works well as long as you just want to be a
> >>> simple domain member.
> >>>
> >>> As soon as you want a real member server, with acls for example, you need
> >>> winbind instead of sssd. You can't even connect to or configure your
> >>> server with "net rpc" without using winbind, right?
> >>>
> >>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
> >>> needs winbind anyway.
> >>>
> >>> Could you please confirm that I finally got it right and that the use of
> >>> "sssd" should be avoided except for basic authentication and that for
> >>> serious samba servers "winbind" is the only (correct and supported) way
> >>> to go?
> >>>
> >>> thank you,
> >>> Uwe
> >>>
> >> I never said that you should avoid sssd, I said that Samba does not
> >> support it because we do not produce it and that it does very little that
> >> winbind doesn't.
> >>
> >> sssd is supported by the sssd-users mailing list and if you need help with
> >> sssd, that is where to address any problems to.
> >>
> >> Samba supports the use of the samba, smbd, nmbd and winbindd daemons. You
> >> are also correct that on a Unix domain member you need to have winbind
> >> running, so you might as well use it ;-)
> >>
> >> Rowland
> >>
> >>
> > As an update to this, I have found out that even Red-hat doesn't support
> > using sssd with Samba:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
> >
> > Under section 16.1.1 The Samba services, there is this:
> >
> > Important
> > Red Hat only supports running Samba as a server with the winbindd service to
> > provide domain users and groups to the local system. Due to certain
> > limitations, such as missing Windows access control list (ACL) support and NT
> > LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is
> > not supported.
> >
> > Rowland
> >
Hi Vincent,

On 10.06.19 at 17:04, Vincent S. Cojot via samba wrote:
>
> There is probably some amount of redtape on this but AFAIK it works fine
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
> use of realm (and thus sssd):

Yes, this worked for me too...as long as I used simple shares with Posix acls. :)

>
> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms
> from there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7

Please try this to see what I mean:

> # net rpc rights list privileges SeDiskOperatorPrivilege -U "YOURDOMAIN\Administrator"

You probably won't be able to connect to your server. I was following this page:

> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It didn't work until I switched to winbind. But as Rowland found in RHEL's Admin Guide, we have to use winbind anyway.

cu,
Uwe
Hi Rowland,

On 10.06.19 at 16:51, Rowland penny via samba wrote:
> As an update to this, I have found out that even Red-hat doesn't support
> using sssd with Samba:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>
>
> Under section 16.1.1 The Samba services, there is this:
>
> Important
> Red Hat only supports running Samba as a server with the winbindd
> service to provide domain users and groups to the local system. Due to
> certain limitations, such as missing Windows access control list (ACL)
> support and NT LAN Manager (NTLM) fallback, the System Security Services
> Daemon (SSSD) is not supported.

Thank you very much for your effort, this is as clear as it can get. :)

Maybe this should be included in the samba wiki.

thanks,
Uwe
On 6/10/19 11:04 AM, Vincent S. Cojot via samba wrote:
>
> There is probably some amount of redtape on this but AFAIK it works fine
> for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through
> use of realm (and thus sssd):
>
> Here's a RHEL7.6 client:
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> The AD domain above is two RHEL7.6 VMs with samba 4.10.4 and the rpms
> from there: http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.4/RHEL7

Yes it works, because it is a joined client. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index

"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer need to run Winbind and SSSD in parallel to access SMB shares. For example, accessing the Access Control Lists (ACLs) no longer requires Winbind on SSSD clients."

Latest Samba releases require a running winbind anyway. That doesn't mean you can't use SSSD for NSS users and groups discovery. You can take advantage of SSSD features, but you still need winbind running on servers.

>
> Regards,
>
> Vincent
>
> On Mon, 10 Jun 2019, Rowland penny via samba wrote:
>
>> On 08/06/2019 21:32, Rowland penny via samba wrote:
>>> On 08/06/2019 16:24, Uwe Laverenz via samba wrote:
>>>> Hi all,
>>>>
>>>> when you join a linux server to an active directory with "realm" it
>>>> uses "sssd" as default. This works well as long as you just want to be a
>>>> simple domain member.
>>>>
>>>> As soon as you want a real member server, with acls for example,
>>>> you need winbind instead of sssd. You can't even connect to or configure your
>>>> server with "net rpc" without using winbind, right?
>>>>
>>>> As Rowland pointed out in another thread, a Samba 4.8.0+ domain member
>>>> needs winbind anyway.
>>>>
>>>> Could you please confirm that I finally got it right and that the
>>>> use of "sssd" should be avoided except for basic authentication and that for
>>>> serious samba servers "winbind" is the only (correct and supported)
>>>> way to go?
>>>>
>>>> thank you,
>>>> Uwe
>>>>
>>> I never said that you should avoid sssd, I said that Samba does not
>>> support it because we do not produce it and that it does very little
>>> that winbind doesn't.
>>>
>>> sssd is supported by the sssd-users mailing list and if you need
>>> help with sssd, that is where to address any problems to.
>>>
>>> Samba supports the use of the samba, smbd, nmbd and winbindd
>>> daemons. You are also correct that on a Unix domain member you need to have winbind
>>> running, so you might as well use it ;-)
>>>
>>> Rowland
>>>
>>>
>> As an update to this, I have found out that even Red-hat doesn't
>> support using sssd with Samba:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>>
>>
>> Under section 16.1.1 The Samba services, there is this:
>>
>> Important
>> Red Hat only supports running Samba as a server with the winbindd
>> service to provide domain users and groups to the local system. Due to
>> certain limitations, such as missing Windows access control list (ACL)
>> support and NT LAN Manager (NTLM) fallback, the System Security
>> Services Daemon (SSSD) is not supported.
>>
>> Rowland
>>
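The distinction Uwe's `net rpc` check and the last post draw (an sssd client is fine for logins, a member server that serves shares with Windows ACLs needs winbindd plus an idmap backend) as an added audit helper in shell; this is not code from the thread or from Samba, realmd or Red Hat. It assumes a realmd-joined host with `realm`, `testparm` and `wbinfo` on the PATH for the live part, and the `realm list` and `smb.conf` text embedded below is constructed from the output quoted in the thread.

```shell
# Added audit helper, not code from the thread: classify a Samba domain member
# as an sssd client or a winbind member, as the posts above distinguish them.
# Assumptions: the live part needs "realm", "testparm" and "wbinfo" on the host;
# the parsing functions work on captured text, so constructed samples stand in.

# Value of "client-software:" in "realm list" output (sssd or winbind), or "none".
realm_client_software() {
    sw=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*client-software:[[:space:]]*//p' | head -n 1)
    echo "${sw:-none}"
}

# Does smb.conf (as printed by "testparm -s") give a named domain, not only the
# "*" default, an idmap backend? A winbind member needs that for SID to ID mapping.
smbconf_has_domain_idmap() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*idmap config [^:*]+:[[:space:]]*backend[[:space:]]*='
}

# Verdict in the thread's terms: sssd suffices for logins, but a member server
# that serves shares with Windows ACLs needs winbindd (Samba 4.8+ requires it,
# and the Red Hat guide quoted above supports only winbindd).
member_verdict() {
    case "$(realm_client_software "$1")" in
        sssd)    echo "sssd client: ok for logins, not for a member server with Windows ACLs" ;;
        winbind) if smbconf_has_domain_idmap "$2"; then echo "winbind member: ok"
                 else echo "winbind member: no idmap config backend for the domain in smb.conf"; fi ;;
        *)       echo "not joined via realmd" ;;
    esac
}

# Constructed samples: Vincent's sssd client from the thread and a winbind member.
REALM_SSSD='ad.lasthome.solace.krynn
  configured: kerberos-member
  client-software: sssd'
REALM_WINBIND='ad.lasthome.solace.krynn
  client-software: winbind'
SMBCONF_OK='[global]
  security = ads
  idmap config * : backend = tdb
  idmap config AD : backend = rid'
SMBCONF_BAD='[global]
  idmap config * : backend = tdb'

# Live run on a real host; falls back to the samples where the tools are absent.
if command -v realm >/dev/null 2>&1 && command -v testparm >/dev/null 2>&1; then
    member_verdict "$(realm list 2>/dev/null)" "$(testparm -s 2>/dev/null)"
    wbinfo -p 2>/dev/null || echo "winbindd not reachable (wbinfo -p failed)"
else
    member_verdict "$REALM_SSSD" "$SMBCONF_OK"
fi
```

On a host that passes as a winbind member, Uwe's `net rpc rights list privileges SeDiskOperatorPrivilege -U "YOURDOMAIN\Administrator"` is still the end-to-end confirmation that the server can be administered for Windows ACLs.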