Rowland Penny
2022-Jan-13 18:42 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Thu, 2022-01-13 at 13:05 -0500, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working
> on it

They seem to have been working on it for the last two years (at least)

> 2. We'll continue to support you if you choose this configuration

As long as you have a support contract and it is an existing setup.

> 3. We're not ready to offer a working supported alternative yet,
> again,
> we're working on it

See my first reply ;-)

>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.

This 'may' have something to do with the removing of libpam-krb5

>
> Perhaps I'm missing something, but the latest Redhat documentation
> continues to push SSSD + Winbind as the way to go:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel

It says:

Important
Implement this procedure only in the rare cases where this approach is preferred.

That hardly inspires confidence.

>
> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
> we're not quite there yet!

You could always dump the red-hat machines and come over to the Debian side, where it has always worked.

The following is totally my opinion:

sssd, realmd etc were written to be used with FreeIPA and as such, should only be used with FreeIPA. If you are using Samba, then you should use Samba's tools, winbind, net, wbinfo etc.

Others may have a different view (and probably will). I cannot and will not try to make anyone follow my view, anyone reading this should make their own decision on which path to follow.
I just know what has worked for myself since 2012, part of which time I used sssd, this was until I found that winbind was actually easier to use (once I got my head around the 'idmap config' lines).

Rowland
Luc Lalonde
2022-Jan-13 19:06 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
I've tried, but came to the conclusion that Debian is evil... and I won't go to the dark side ;-)

Seriously, I prefer the way Redhat and derivatives (Fedora, Centos, etc) are organized. Really, I could never get used to 'apt-whatever'. I also really like 'Kickstart' for auto-documenting setups.

Hardware manufacturers will also offload support if you're not using an enterprise distro like RHEL or SUSE. I've had too many bad experiences with this.

On 1/13/22 13:42, Rowland Penny via samba wrote:
> You could always dump the red-hat machines and come over to the Debian
> side, where it has always worked.

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca