On Thu, 2021-09-23 at 09:32 +0200, L. van Belle via samba wrote:
> Hai Ralph,
>
> I've been reading the thread now and.. Correct me where I'm wrong.
>
> Samba only needs a build parameter to enable idmap_sss or do I need
> more here?
> And when this is enabled, SSSD needs to be rebuilt with parameter
> --with-samba?
>
> Because, if that's the case, I'm starting today on the final 4.15.0
> builds and maybe I can add it and put these in a separate repo.
> If it's not too much work, I'll think about this.

Louis, please don't even think of doing this.

Using sssd isn't supported by Samba because Samba doesn't produce it and, as I have shown previously, not even Red Hat supports its use with Samba.

NOTE: The following is just my opinion!

There appear to be two camps in Red Hat, one accepts that you shouldn't use sssd with Samba >= 4.8.0, the other will not accept this. Also if you do use sssd with Samba, there are numerous problems, one of which is that RHEL 8 no longer has libpam-krb5.

Rowland

On 23.09.21 at 09:57, Rowland Penny via samba wrote:
>
> There appear to be two camps in Red Hat, one accepts that you
> shouldn't use sssd with Samba >= 4.8.0, the other will not accept this.
> Also if you do use sssd with Samba, there are numerous problems, one of
> which is that RHEL 8 no longer has libpam-krb5.

I have to chime in here. I have said this before: you can use sssd with Samba and Winbind. The Howtos are behind a paywall (well, you don't have to pay, just register) at Red Hat.

With idmap_sss:
https://access.redhat.com/solutions/3802321

And here without idmap_sss:
https://access.redhat.com/solutions/4290501

In the latter case auth is done by winbind. How this works without pam_krb I do not know, but it works for us.

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen

On 23.09.21 at 09:57, Rowland Penny via samba wrote:
> Using sssd isn't supported by Samba because Samba doesn't produce it
> and, as I have shown previously, not even Red Hat supports its use
> with Samba.

Samba also doesn't produce libc or the kernel, still we consume those system components and generally get some sane behaviour out of the combined system.

For some scenarios, supporting sss in nsswitch.conf is certainly possible with a few caveats by using idmap_nss or, preferably, idmap_sss.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba