On 23.09.21 at 10:44, Rowland Penny via samba wrote:
> What you are saying is very possible, but, from my understanding, by
> using idmap-sss you only get authentication,

no. You get idmappings from sssd. This has nothing to do with authentication.

> something you can get by running winbind with idmap-rid.

no.

> You can also get authentication by just using sssd without Samba, so
> what is the actual point of idmap-sss ?

idmapping.

> 'idmap-sss' is not in the Samba tree and shouldn't be in the Samba
> tree.

It should and I guess it will at some point if I find the time to drive this integration.

> It is where it belongs, in the sssd tree, because it is a part
> of sssd. Also dragging libc and the kernel into this is, in my
> opinion, an act of desperation, you know that there is no real need
> for idmap-sss.

There is a real need.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba

On Thu, 2021-09-23 at 10:53 +0200, Ralph Boehme via samba wrote:
>
> There is a real need.
>
> -slow

There is also a real need for us to move past this 'we don't even try to work with sssd' thing.

That is both in terms of working in the code to make this 'just work' as much as can be done, with clear limitations specified, and in the practice on the list when queries come up.

sssd has become established in terms of being the AD connector for Linux workstations and servers that don't run Samba. We should congratulate their team for their achievements. We were in the race, but didn't win this time.

Shockingly we find that Samba isn't always the centre of the universe, and sometimes we will need to fit in with the organisational arrangements where 'best for Samba' isn't the primary criteria. (Just as we exist to help linux systems fit into otherwise windows networks).

I would also really love Samba AD to be an even better server to sssd, and while also a code question, moving past this mode of interaction is an important step also.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions