Luc Lalonde
2019-May-14 13:35 UTC
[Samba] Samba4 changing a user's password from linux workstation
Hello Rowland,

We’ve been using SSSD with Active Directory for a few years now… It’s been solid for us.

Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts with POSIX attributes defined in AD (uidNumber, gidNumber, unixHomeDirectory, loginShell).

Before putting into production, I tested using Winbind and could not get it to do what I wanted. If I remember correctly, I had problems with groups. I didn’t want DOMAIN\groupname… just groupname to show. I don’t remember why this was causing me problems… just that this was the main reason.

At the time, I found that the documentation for integrating AD with Linux was best documented… in particular at RedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct

They give further reasons for choosing SSSD over Winbind in that document.

Cheers, Luc.

> On May 14, 2019, at 8:13 AM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 14/05/2019 12:58, Julien TEHERY via samba wrote:
>>>> I've gotten pretty unhappy with "realmd" and "sssd". They try to hide
>>>> a lot of steps away from the user, but the internal interactions are a
>>>> bit of a "mousetrap" game. When it works, you get the mouse. But if
>>>> any of the many steps are even slightly worn, it becomes erratic or
>>>> fails.
>>>
>> Update: In fact i succeeded in resetting user password from a linux workstation with kpasswd through pam_sssd.
>> At the beginning I thought we were prompted directly for new password, but we had to first type in the old one before choosing a new one.
>>
> kpasswd has nothing to do with sssd, it prompts for the old password, then the new password (twice), it then changes the users password.
>
> smbpasswd works in the same way (and it works with AD)
>
> I cannot understand why anybody uses sssd, it is a program that requires separate configuration and does very little that winbind (only one config file) doesn't. Just what does sssd give you, what do you need it for ?
>
> Rowland
Rowland penny
2019-May-14 13:58 UTC
[Samba] Samba4 changing a user's password from linux workstation
On 14/05/2019 14:35, Luc Lalonde wrote:
> Hello Rowland,
>
> We’ve been using SSSD with Active Directory for a few years now… It’s
> been solid for us.

I never said it wasn't solid (possibly because it is built on top of some of the winbind code), I just said that you do not need it.

> Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts
> with POSIX attributes defined in AD
> (uidNumber, gidNumber, unixHomeDirectory, loginShell).

Funnily enough, you can do all of the above with winbind.

> Before putting into production, I tested using Winbind and could not
> get it to do what I wanted. If I remember correctly, I had problems
> with groups. I didn’t want DOMAIN\groupname… just groupname to
> show. I don’t remember why this was causing me problems… just that
> this was the main reason.

You mean something like this:

getent group Domain\ Users
domain users:x:10000:testuser,user27,saducuser,testuser2,sudouser,user26,swanadmin,ktestuser,testuser1,example$,kte.....

If it didn't work for you, then your smb.conf was mis-configured.

> At the time, I found that the documentation for integrating AD with
> Linux was best documented… in particular at RedHat:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct
>
> They give further reasons for choosing SSSD over Winbind in that document.

That just basically says 'Hey, use our product', it doesn't really say why and just how sssd is better than winbind.

You do not need either sssd or realmd, just about the only thing that sssd can do that winbind cannot do, is cache sudo rules, I think you will find that if you need cached sudo rules, you have much bigger problems. As for realmd, a bit of bash and 'net ads join' will do the same.

But hey, it is your computer, you use what you want, just don't expect to get help with non Samba products here.

Rowland
Robert Marcano
2019-May-14 14:39 UTC
[Samba] Samba4 changing a user's password from linux workstation
On 5/14/19 9:58 AM, Rowland penny via samba wrote:
> On 14/05/2019 14:35, Luc Lalonde wrote:
>> Hello Rowland,
>>
>> We’ve been using SSSD with Active Directory for a few years now… It’s
>> been solid for us.
>
> I never said it wasn't solid (possibly because it is built on top of
> some of the winbind code), I just said that you do not need it.
>
>> Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts
>> with POSIX attributes defined in AD
>> (uidNumber, gidNumber, unixHomeDirectory, loginShell).
>
> Funnily enough, you can do all of the above with winbind.
>
>> Before putting into production, I tested using Winbind and could not
>> get it to do what I wanted. If I remember correctly, I had problems
>> with groups. I didn’t want DOMAIN\groupname… just groupname to
>> show. I don’t remember why this was causing me problems… just that
>> this was the main reason.
>
> You mean something like this:
>
> getent group Domain\ Users
> domain users:x:10000:testuser,user27,saducuser,testuser2,sudouser,user26,swanadmin,ktestuser,testuser1,example$,kte.....
>
> If it didn't work for you, then your smb.conf was mis-configured.
>
>> At the time, I found that the documentation for integrating AD with
>> Linux was best documented… in particular at RedHat:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct
>>
>> They give further reasons for choosing SSSD over Winbind in that
>> document.
>
> That just basically says 'Hey, use our product', it doesn't really say
> why and just how sssd is better than winbind.

I avoid SSSD discussions on this list for two reasons: it isn't a support list for SSSD, and this kind of responses. winbind is not perfect and some people use SSSD with valid reasons. If we can't discuss why people choose it instead of winbind, always saying that winbind is enough, those people will continue to use sssd.

My two reasons for using SSSD:

1) I have servers that need to be joined to a non Windows Kerberos realm (MIT Kerberos managed by FreeIPA); this automates many things, for example service certificate generation and renewal. Those servers need at the same time to be joined to an AD domain. Using SSSD/Realmd makes the configuration of those realms too easy, with a single INI like configuration file, without the need to mess with PAM configuration, where it is too easy to make a hole in your security, especially when configuring multiple realms like this setup. This will never be achieved by winbind because it should never have the responsibility to interact with non AD realms.

2) SSSD provides an option to generate synthetic private groups [1] for users without having to manually manage primary groups on AD, or having to create groups for that, or polluting AD with a lot of groups named like users. The winbind/AD default that the primary group is Domain Users is a security headache that requires changing the default umask of those users in order to avoid leaking data to all domain members. This is an option that could help winbind users if implemented. I remember mentioning it here previously but never created a RFE bug, I didn't get any response so I forgot, my mistake, I should have created it.

[1] https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html

> You do not need either sssd or realmd, just about the only thing that
> sssd can do that winbind cannot do, is cache sudo rules, I think you
> will find that if you need cached sudo rules, you have much bigger
> problems. As for realmd, a bit of bash and 'net ads join' will do the same.
>
> But hey, it is your computer, you use what you want, just don't expect
> to get help with non Samba products here.
>
> Rowland
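The private-group option Robert describes under reason 2, combined with the AD-stored POSIX attributes Luc uses, as an added sssd.conf fragment (not taken from the thread or from the SSSD project's docs; example.com / EXAMPLE.COM are placeholder names):

```ini
# /etc/sssd/sssd.conf (constructed example; example.com is a placeholder domain)
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Show "domain users" rather than "domain users@example.com" in getent output.
use_fully_qualified_names = False

# Use the uidNumber/gidNumber/unixHomeDirectory/loginShell stored in AD
# (the setup Luc describes) instead of SSSD's algorithmic ID mapping.
ldap_id_mapping = False

# With ldap_id_mapping = False, the primary group returned to NSS is the
# gidNumber from AD, which in a stock domain is the shared "Domain Users"
# group, so every file created with a group-readable umask is exposed to
# all domain members. auto_private_groups = true makes SSSD synthesize a
# per-user private group (GID == UID) instead; that is the option Robert
# links as [1]. If it cannot be used, the fallback is a restrictive umask
# (e.g. 077) for domain users, as he notes.
auto_private_groups = true
```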