Hi,

Starting a fresh new thread, the ones about sssd x winbind are getting boring, biased and personal. :) I'd like to bring this to an admin point-of-view to be more useful for other Samba users (aka admins).

Consider a network with about 200+ employees, most of them Windows users. It happens that one needs to provide other non-Windows services like e-mail, proxy and many others to them, running on other Linux servers. So, for many of those users (not all), rfc2307 Windows Services for Unix (SFU) attributes are needed, to make postfix, dovecot, apache, squid and others aware of them too.

As far as I know there are 4 possible solutions:

* Internal samba winbind
* Winbind daemon
* sssd
* nss_ldap

Which of these would bring my rfc2307 users with all their attributes defined on SFU, *and only those users*, to my Linux system? If I create a user _without_ rfc2307 it means I don't want Linux to know about him. If I define a user with /bin/false as shell on SFU, bring that to Linux. That's it. As an admin, I don't care about idmapping, I already defined an uidNumber (or whatever AD attribute is used to store it) for the user, just use it.

Also, to ease the discussion about those solutions, how about someone with knowledge of their internal mechanics sketch a feature matrix comparing those, listing advantages and drawbacks?

I understand the Samba team will always recommend winbind over others, but get the difference:

a - Samba team does not recommend other solutions.
b - Samba team recommends not using other solutions.

I believe (a) is true, which does not disregard others.

Best regards.

--
*Marcio Merlone*
IT - Network Administrator
*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 9689-0036
http://www.a1.ind.br/
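The policy the post asks for ("only users with a complete rfc2307/SFU attribute set, use the stored uidNumber as-is, pass the shell through unchanged") can be written down as a small resolver, which is useful as a reference when comparing what winbind, sssd or nss_ldap actually return. The following is an added example, not code from the thread or from Samba; the entries are constructed sample data shaped like an LDAP search result (attribute name to list of values), and the required-attribute list and the 1000 minimum uid are assumptions an admin would tune:

```python
"""Toy rfc2307 resolver implementing the policy from the post above.
Added example, not part of the thread or of Samba; the directory entries
below are constructed sample data, not real AD content."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# rfc2307 attributes that must all be set before a user is "Unix-visible"
# (assumption: the admin's definition of a complete SFU record).
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
MIN_UID = 1000  # assumption: lower values collide with local/system accounts

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "uidNumber": ["10001"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"],
     "displayName": ["Alice Example"]},
    # shell deliberately set to /bin/false on the SFU tab: must be kept verbatim
    {"sAMAccountName": ["bob"], "uidNumber": ["10002"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/bob"], "loginShell": ["/bin/false"],
     "displayName": ["Bob Example"]},
    # Windows-only account, no SFU attributes: must not reach Linux at all
    {"sAMAccountName": ["carol"], "displayName": ["Carol Example"]},
    # partially filled record (no home/shell): treated as incomplete, skipped
    {"sAMAccountName": ["dave"], "uidNumber": ["10003"], "gidNumber": ["10000"]},
    # bad data: uidNumber 0 would alias root on the Linux box, rejected
    {"sAMAccountName": ["eve"], "uidNumber": ["0"], "gidNumber": ["0"],
     "unixHomeDirectory": ["/root"], "loginShell": ["/bin/bash"]},
]


@dataclass
class PosixUser:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def passwd_line(self) -> str:
        """Render the user the way an NSS passwd lookup would show it."""
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


def to_posix_user(entry: Dict[str, List[str]]) -> Optional[PosixUser]:
    """Return a PosixUser if the entry carries a complete rfc2307 set, else None."""
    if any(attr not in entry or not entry[attr] for attr in REQUIRED):
        return None
    try:
        uid = int(entry["uidNumber"][0])
        gid = int(entry["gidNumber"][0])
    except ValueError:
        return None  # non-numeric id: treat as absent rather than guessing
    if uid < MIN_UID:
        return None
    return PosixUser(
        name=entry["sAMAccountName"][0].lower(),
        uid=uid,
        gid=gid,
        gecos=entry.get("displayName", [""])[0],
        home=entry["unixHomeDirectory"][0],
        shell=entry["loginShell"][0],  # passed through unchanged, /bin/false included
    )


def resolve(entries: List[Dict[str, List[str]]]) -> List[PosixUser]:
    """Apply the policy to every entry and refuse duplicate uidNumbers,
    since two AD users sharing a uid would be indistinguishable to Linux."""
    users: List[PosixUser] = []
    seen: Dict[int, str] = {}
    for entry in entries:
        user = to_posix_user(entry)
        if user is None:
            continue
        if user.uid in seen:
            raise ValueError(f"uidNumber {user.uid} used by both {seen[user.uid]} and {user.name}")
        seen[user.uid] = user.name
        users.append(user)
    return users


if __name__ == "__main__":
    for u in resolve(SAMPLE_ENTRIES):
        print(u.passwd_line())
```

Run against the sample set, only alice and bob come out; carol never existed for Linux, dave is incomplete, and eve's uid 0 is refused. Whichever of the four solutions is chosen, the same five cases make a handy acceptance test: `getent passwd` on the Linux box should produce exactly the two lines this script prints.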
On 2014-01-28 12:22, Márcio Merlone wrote:
> Hi,
>
> Starting a fresh new thread, the ones about sssd x winbind are getting
> boring, biased and personal. :) I'd like to bring this to an admin
> point-of-view to be more useful for other Samba users (aka admins).
>
> Consider a network with about 200+ employees, most of them Windows users.
> It happens that one needs to provide other non-Windows services like e-mail,
> proxy and many others to them, running on other Linux servers. So, for
> many of those users (not all), rfc2307 Windows Services for Unix (SFU)
> attributes are needed, to make postfix, dovecot, apache, squid and
> others aware of them too.
>
> As far as I know there are 4 possible solutions:
>
> * Internal samba winbind
> * Winbind daemon
> * sssd
> * nss_ldap
>
> Which of these would bring my rfc2307 users with all their attributes
> defined on SFU, *and only those users*, to my Linux system? If I create
> a user _without_ rfc2307 it means I don't want Linux to know about him. If I
> define a user with /bin/false as shell on SFU, bring that to Linux.
> That's it. As an admin, I don't care about idmapping, I already defined
> an uidNumber (or whatever AD attribute is used to store it) for the user,
> just use it.

Then you can safely ignore winbindd, as it doesn't honour shell settings.

Food for thought: Is offline login (/resilience against domain controller outages) needed? nss_ldap afaik does not provide this natively, e.g., and needs external caching by pam_ccreds (which makes for a more complicated setup).

> Also, to ease the discussion about those solutions, how about someone
> with knowledge of their internal mechanics sketch a feature matrix
> comparing those, listing advantages and drawbacks?

That would indeed be appreciated.

> I understand the Samba
> team will always recommend winbind over others, but get the difference:
>
> a - Samba team does not recommend other solutions.
> b - Samba team recommends not using other solutions.
>
> I believe (a) is true, which does not disregard others.
>
> Best regards.

--
Best Regards,
Sven Schwedas
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
On 28/01/14 12:22, Márcio Merlone wrote:
> Consider a network with about 200+ employees, most of them Windows users.
> It happens that one needs to provide other non-Windows services like e-mail,
> proxy and many others to them, running on other Linux servers.

A related but tangential question is whether there is a way to provision these services when a new user is created from the Windows administration tool, i.e., whether there is a way for samba to run a script when a new user is created (or modified) from Windows. If there isn't, would it be possible to add it as a new feature?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
Hi Márcio,

On 2014-01-28 at 09:22 -0200, Márcio Merlone wrote:
>
> I understand the Samba team will always recommend winbind over others, but
> get the difference:
>
> a - Samba team does not recommend other solutions.
> b - Samba team recommends not using other solutions.
>
> I believe (a) is true, which does not disregard others.

Of course (a). We simply don't actively recommend using a substitute of our own component. (But never say never... There might in theory be corner cases where this might happen.) And we certainly DO NOT recommend not to use other solutions.

I'd even say that testing / comparing other solutions or possible alternatives is highly welcome, especially if this results in technical comparison matrices. If we learn what our users would like in winbindd (or any other component), we have a chance to react...

Cheers - Michael