On 08/02/2023 21:28, Vaughan, Robert J via samba wrote:
>
>> The LDAP client is also Fedora 37, Samba client version also 4.17.5;
>> this host is joined to the Samba AD domain using "realm join ...".
>
>>> This is, in my opinion, the wrong way of joining, you should have used
>>> 'net ads join'.
>
>>> Rowland
>
> Hi Rowland,
>
> I have noticed several times you have warned against using 'realm join' when that is the method Red Hat wants to use - can you elaborate on why this is an issue for Samba? We only have domain members (no Samba DC)
>
> Thanks,
>
> Robert Vaughan
>

Realmd, sssd etc were written by red-hat for use against FreeIPA and hence that is what red-hat supports. If you are using Samba, then you should use the method that Samba provides and supports to join computers to a domain. I do not use realm etc, so I cannot provide support, but I have seen reports of joins not working correctly with realm and that sssd can be flaky.

Rowland

On 2/9/23 09:02, Rowland Penny via samba wrote:
> Realmd, sssd etc were written by red-hat for use against FreeIPA and
> hence that is what red-hat supports.

fwiw, I don't think this is the full picture. Iirc sssd and the tooling are designed to join Linux systems to several directory services, FreeIPA being one of them, AD and pure LDAP are others. In fact, iirc, the realm join command, depending on arguments, actually uses net ads join to join to AD.

Ideally we would have something on the wiki that explains this.

@Andreas: would you be able to start a wiki page with a quick overview of this stuff?

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba