samba - Apr 2015 - sssd-ad cannot be installed with sernet samba

On 02/04/15 13:38, buhorojo wrote:
> On 02/04/15 14:09, Rowland Penny wrote:
>> On 02/04/15 12:41, buhorojo wrote:
>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>>>>>>>> nss/winbind does work, yes, there is 1
missing file, just
>>>>>>>>>> created it.
>>>>>>>>>> ( and this is not needed on a DC ! )
>>>>>>>>> So you are telling us that something that
returns:
>>>>>>>>> /bin/false
>>>>>>>>>  when:
>>>>>>>>> /bin/bash
>>>>>
>>>>>
>>>>
>>>> WHERE is the output from getent wrong ?
>>>
>>> Please read the thread. One example is given above.
>>> Thanks. It really doesn't matter;)
>>>
>>
>> OK, I have re-read the thread, I cannot find one example of the 
>> errors you get when using samba with the winbind backend, loads of 
>> errors when trying to install sssd with sernet packages, but no 
>> actual winbind errors.
> Once again:
> winbind gives /bin/false
> sssd gives /bin/bash
> The user has:
> loginShell: /bin/bash
>
> If it doesn't matter for you, don't worry!
>
>
That is *NOT* an error, that is the way the winbind built into the samba 
daemon works, it does not pull anything else from AD other than the 
users uidNumber and the gidNumber of their primary group.
There is a work round involving the 'template' directories that can be 
set in smb.conf, these affect everybody that connects to the machine it 
is set on, per user settings cannot be set.

It is one of the reasons against using the DC as a file server, but 
there are others. People have complained about the hard drive filling up 
until the DC is restarted, there have also been problems with excessive 
use of memory.

I will put it this way, which part of the following statement do you not 
understand ?

*We _do not recommend_ using the Domain Controller as a file Server*.

As taken from the DC page on the samba wiki.

I have no worries about using windbind, it works for me because I use it 
as recommended, it would seem that you are the one with the worries.

Rowland

On 02/04/15 14:56, Rowland Penny wrote:
> On 02/04/15 13:38, buhorojo wrote:
>> On 02/04/15 14:09, Rowland Penny wrote:
>>> On 02/04/15 12:41, buhorojo wrote:
>>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle
wrote:
>>>>>>>>>>> nss/winbind does work, yes, there
is 1 missing file, just
>>>>>>>>>>> created it.
>>>>>>>>>>> ( and this is not needed on a DC !
)
>>>>>>>>>> So you are telling us that something
that returns:
>>>>>>>>>> /bin/false
>>>>>>>>>>  when:
>>>>>>>>>> /bin/bash
>>>>>>
>>>>>>
>>>>>
>>>>> WHERE is the output from getent wrong ?
>>>>
>>>> Please read the thread. One example is given above.
>>>> Thanks. It really doesn't matter;)
>>>>
>>>
>>> OK, I have re-read the thread, I cannot find one example of the 
>>> errors you get when using samba with the winbind backend, loads of 
>>> errors when trying to install sssd with sernet packages, but no 
>>> actual winbind errors.
>> Once again:
>> winbind gives /bin/false
>> sssd gives /bin/bash
>> The user has:
>> loginShell: /bin/bash
>>
>> If it doesn't matter for you, don't worry!
>>
>>
>
> That is *NOT* an error, that is the way the winbind built into the 
> samba daemon works, it does not pull anything else from AD other than 
> the users uidNumber and the gidNumber of their primary group.
> There is a work round involving the 'template' directories that can
be
> set in smb.conf, these affect everybody that connects to the machine 
> it is set on, per user settings cannot be set.
>
> It is one of the reasons against using the DC as a file server, but 
> there are others. People have complained about the hard drive filling 
> up until the DC is restarted, there have also been problems with 
> excessive use of memory.
>
> I will put it this way, which part of the following statement do you 
> not understand ?
>
> *We _do not recommend_ using the Domain Controller as a file Server*.
>
We run scripts which require accurate nss information. So, no worries. 
On our machines, sssd works fine. winbind doesn't.

Rowland, wasn't it you who asked the developers how much work it would 
cost them to (to use your term) 'pull' unixHomeDirectory and loginShell 
from AD using winbind? You seemed misled that it was to be made 
available in the next version. It seems that the developers themselves 
regretted that it wouldn't be.

El 02/04/15 a les 14:56, Rowland Penny ha escrit:
> 
> *We _do not recommend_ using the Domain Controller as a file Server*.
I'm sorry to chime in again, but I have no intention of using the DC as
a file server *but* I like to have the user mapping in place for other
purposes (e.g. see the file ownership when I nfs mount the netapp storage).
Since I already configured sssd in all member servers (in the test
network, this isn't going to go live for a while) and winbind is not
supposed to work on the DC (or so I read in this list) I simply thought
that sssd was the natural solution.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007

On 02/04/15 14:35, buhorojo wrote:
> On 02/04/15 14:56, Rowland Penny wrote:
>> On 02/04/15 13:38, buhorojo wrote:
>>> On 02/04/15 14:09, Rowland Penny wrote:
>>>> On 02/04/15 12:41, buhorojo wrote:
>>>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle
wrote:
>>>>>>>>>>>> nss/winbind does work, yes,
there is 1 missing file, just
>>>>>>>>>>>> created it.
>>>>>>>>>>>> ( and this is not needed on a
DC ! )
>>>>>>>>>>> So you are telling us that
something that returns:
>>>>>>>>>>> /bin/false
>>>>>>>>>>>  when:
>>>>>>>>>>> /bin/bash
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> WHERE is the output from getent wrong ?
>>>>>
>>>>> Please read the thread. One example is given above.
>>>>> Thanks. It really doesn't matter;)
>>>>>
>>>>
>>>> OK, I have re-read the thread, I cannot find one example of the
>>>> errors you get when using samba with the winbind backend, loads
of
>>>> errors when trying to install sssd with sernet packages, but no
>>>> actual winbind errors.
>>> Once again:
>>> winbind gives /bin/false
>>> sssd gives /bin/bash
>>> The user has:
>>> loginShell: /bin/bash
>>>
>>> If it doesn't matter for you, don't worry!
>>>
>>>
>>
>> That is *NOT* an error, that is the way the winbind built into the 
>> samba daemon works, it does not pull anything else from AD other than 
>> the users uidNumber and the gidNumber of their primary group.
>> There is a work round involving the 'template' directories that
can
>> be set in smb.conf, these affect everybody that connects to the 
>> machine it is set on, per user settings cannot be set.
>>
>> It is one of the reasons against using the DC as a file server, but 
>> there are others. People have complained about the hard drive filling 
>> up until the DC is restarted, there have also been problems with 
>> excessive use of memory.
>>
>> I will put it this way, which part of the following statement do you 
>> not understand ?
>>
>> *We _do not recommend_ using the Domain Controller as a file Server*.
>>
>
> We run scripts which require accurate nss information. So, no worries. 
> On our machines, sssd works fine. winbind doesn't.
>
> Rowland, wasn't it you who asked the developers how much work it would 
> cost them to (to use your term) 'pull' unixHomeDirectory and 
> loginShell from AD using winbind? You seemed misled that it was to be 
> made available in the next version. It seems that the developers 
> themselves regretted that it wouldn't be.
>
If you use samba as recommended, winbind will do all that sssd does for 
authentication.

Yes I did ask, but I had it explained to me why it didn't yet work, I 
was also told that sssd is *not* a samba component and not to ask 
questions about it here on the *SAMBA* mailing list.

Rowland

On 02/04/15 14:37, Luca Olivetti wrote:
> El 02/04/15 a les 14:56, Rowland Penny ha escrit:
>
>> *We _do not recommend_ using the Domain Controller as a file Server*.
> I'm sorry to chime in again, but I have no intention of using the DC as
> a file server *but* I like to have the user mapping in place for other
> purposes (e.g. see the file ownership when I nfs mount the netapp storage).
> Since I already configured sssd in all member servers (in the test
> network, this isn't going to go live for a while) and winbind is not
> supposed to work on the DC (or so I read in this list) I simply thought
> that sssd was the natural solution.
>
> Bye
If the nfs mount is the DC, you are using the DC as a file server, but 
if you are just using the DC for authentication, then winbind will do 
what sssd does, you just need to set winbind correctly on the member 
servers.

It isn't that winbind doesn't work on the DC, it is that, until 4.2, 
winbind was built into the samba daemon and did not have the 
capabilities of the standalone winbindd daemon. Unfortunately when 4.2 
came out, it was found that though winbindd was now being used and some 
of the problems had been solved, the unixhomedirectory & shell 
attributes are still not available from AD. The devs seem to be 
concentrating on getting the windows side working better/correctly 
before any Unix problems, a mistake in my opinion, but they are writing 
the code (something I couldn't do) and as such they get to say in which 
direction to go (could be worse, LP could be one of the devs). I am sure 
that the Unix winbindd problems will get fixed, I just unsure when :-)

Rowland

On 16:59:22 wrote buhorojo:
> We run scripts which require accurate nss information. So, no
> worries.  On our machines, sssd works fine. winbind doesn't.
You may try nslcd, it works on a DC with debian packages. I have never 
tried the sernet package, because of the dependies.

Maybe your solution is self building the sssd packages. If you are not 
able to do this ask one who will do.


-- 

Regards
	Harry Jede

Greetings, Rowland Penny!
>> Once again:
>> winbind gives /bin/false
>> sssd gives /bin/bash
>> The user has:
>> loginShell: /bin/bash
>>
>> If it doesn't matter for you, don't worry!
>>
>>
> That is *NOT* an error,
NSS backend outright lying to the user is not a bug?
What is it then? A butterfly?
You're making so little sense, I begin to doubt your qualification.
> that is the way the winbind built into the samba
> daemon works, it does not pull anything else from AD other than the 
> users uidNumber and the gidNumber of their primary group.
> There is a work round involving the 'template' directories that can
be
> set in smb.conf, these affect everybody that connects to the machine it 
> is set on, per user settings cannot be set.
That is a direct contradiction to the very idea of having a single
authoritative user management database.
Or, if you like, I can compress the previous phrase into one word, starting
with "b".
> It is one of the reasons against using the DC as a file server,
How's setting winbind on a member server would alter the outcome?
> but there are others. People have complained about the hard drive filling
up
> until the DC is restarted, there have also been problems with excessive 
> use of memory.
That's clearly indicate bugs breeding and multiplying in the application.
Instead of telling people "oh, just don't do it", why not fix the
bugs?
> I will put it this way, which part of the following statement do you not 
> understand ?
> *We _do not recommend_ using the Domain Controller as a file Server*.
So, you are recommending to not use domain controller at all, I got it right?
Because a system that does nothing at all, just sitting there and grinning,
is an useless junk and should be discarded as soon as possible.
> As taken from the DC page on the samba wiki.
> I have no worries about using windbind, it works for me because I use it 
> as recommended, it would seem that you are the one with the worries.
So, you are not using your linux servers for terminal access?
SSH/SFTP/Git/whatever?
That explains your ignorance.


-- 
With best regards,
Andrey Repin
Thursday, April 2, 2015 20:04:41

Sorry for my terrible english...

On 02/04/15 18:14, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>> Once again:
>>> winbind gives /bin/false
>>> sssd gives /bin/bash
>>> The user has:
>>> loginShell: /bin/bash
>>>
>>> If it doesn't matter for you, don't worry!
>>>
>>>
>> That is *NOT* an error,
> NSS backend outright lying to the user is not a bug?
> What is it then? A butterfly?
> You're making so little sense, I begin to doubt your qualification.
>
>> that is the way the winbind built into the samba
>> daemon works, it does not pull anything else from AD other than the
>> users uidNumber and the gidNumber of their primary group.
>> There is a work round involving the 'template' directories that
can be
>> set in smb.conf, these affect everybody that connects to the machine it
>> is set on, per user settings cannot be set.
> That is a direct contradiction to the very idea of having a single
> authoritative user management database.
> Or, if you like, I can compress the previous phrase into one word, starting
> with "b".
>
>> It is one of the reasons against using the DC as a file server,
> How's setting winbind on a member server would alter the outcome?
>
>> but there are others. People have complained about the hard drive
filling up
>> until the DC is restarted, there have also been problems with excessive
>> use of memory.
> That's clearly indicate bugs breeding and multiplying in the
application.
> Instead of telling people "oh, just don't do it", why not fix
the bugs?
>
>> I will put it this way, which part of the following statement do you
not
>> understand ?
>> *We _do not recommend_ using the Domain Controller as a file Server*.
> So, you are recommending to not use domain controller at all, I got it
right?
> Because a system that does nothing at all, just sitting there and grinning,
> is an useless junk and should be discarded as soon as possible.
>
>> As taken from the DC page on the samba wiki.
>> I have no worries about using windbind, it works for me because I use
it
>> as recommended, it would seem that you are the one with the worries.
> So, you are not using your linux servers for terminal access?
> SSH/SFTP/Git/whatever?
> That explains your ignorance.
>
>
Look, I am with you here, samba no matter where you use it should use 
the rfc2307 attributes if they are available, but they aren't all used 
on the DC. We will just have to wait until the devs get round to making 
the others work. It is no use complaining to me, I actually opened a bug 
on this for 4.2rc2 10886, perhaps if people add to this, something may 
happen, I don't know, I have no control over the devs.

Rowland