On 12/06/2019 16:56, Vincent S. Cojot via samba wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1719824

I counter that with: https://bugzilla.redhat.com/show_bug.cgi?id=1663323

Rowland
Oh woaaaahhh (Sorry, I lack the words). I am sure that one must be re-visited for 7.6+, though, since 7.6+ had a good overhaul of sssd to make it work better with AD (I heard that from the developer). Perhaps I'm going slightly insane here...

Vincent

On Wed, 12 Jun 2019, Rowland penny via samba wrote:
> On 12/06/2019 16:56, Vincent S. Cojot via samba wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1719824
>
> I counter that with:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1663323
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
So, the bug reports referenced below are in regard to having Samba be a domain member. My question is why would I want Samba to be a domain member? I want the machine Samba runs on to be a domain member, because there are other things going on on that machine as well. From that perspective, unless you're using Samba as a PDC/BDC, the only security setting you ever want to use is

security = user

Am I missing something?

On 6/12/19 11:12 AM, Rowland penny via samba wrote:
> On 12/06/2019 16:56, Vincent S. Cojot via samba wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1719824
>
> I counter that with:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1663323
>
> Rowland
On 6/12/19 12:23 PM, Vincent S. Cojot via samba wrote:
> Oh woaaaahhh (Sorry, I lack the words). I am sure that one must be
> re-visited for 7.6+, though since 7.6+ had a good overhaul of sssd to
> make it work better with AD (I heard that from the developer). Perhaps
> I'm going slightly insane here...

I wish they (Red Hat) clarified their position. There are many confusing signals. Let me explain the timeline of the changes and how I interpret them:

1. Older Samba releases allowed you to run a domain member server without using winbind. Samba had an alternate code path: when winbind wasn't running it did some of the same things in-process. The 4.8 release changed that, or was it 4.7? I don't remember the details.

2. On those older releases you could even run a domain member server without ever configuring NSS (/etc/nsswitch.conf) to use winbind. You could have an uncommon setup, like creating domain users locally on the server, and Samba didn't care where those user and group entries came from. I used this many years ago, before Samba AD, to manage users using the first FreeIPA releases, which had zero AD integration support. Think of it as an LDAP provider of users and groups. You could even write a custom NSS module that provided the users the way the domain needed, and a Samba server could work without winbind running.

3. Now that Samba requires winbind to be running, using winbind without NSS is still possible. I have many domains running winbind for everything it is used for, without using it for NSS; SSSD is used for that. I have only one reason for this, and it is this request for enhancement, "Implement synthetic private groups" [1].

I think all this comes from this: RH updated Samba on RHEL 7 to Samba 4.8. So they must tell their customers that winbind needs to be running on a Samba server, because it does.

I hope future Samba releases don't break the current behavior of not caring where the Unix user and group mapping comes from: if NSS reports it exists, it uses it. If the Samba developers ever add a direct way to winbind without using NSS, my current setup will break, unless they implement my RFE and I move to winbind ;-). Losing other features like management of login policies on the server via Windows GPOs :-(

[1] https://bugzilla.samba.org/show_bug.cgi?id=13946

> Vincent
>
> On Wed, 12 Jun 2019, Rowland penny via samba wrote:
>
>> On 12/06/2019 16:56, Vincent S. Cojot via samba wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1719824
>>
>> I counter that with:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1663323
>>
>> Rowland
On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
> So, the bug reports referenced below are in regard to having Samba be a
> domain member. My question is why would I want Samba to be a domain
> member? I want the machine Samba runs on to be a domain member, because
> there are other things going on on that machine as well.

You cannot have one without the other, a Unix computer without Samba is just that, a Unix machine. Add Samba and you can join an AD domain, the letters 'S', 'M' and 'B' in Samba are there for a reason. Even if there are other things on the computer, they can probably be integrated with AD.

> From that perspective, unless you're using Samba as a PDC/BDC, the only
> security setting you ever want to use is
>
> security = user
>
> Am I missing something?

Yes, using that means it can only be a standalone server and not part of a domain.

Rowland
On 15/06/2019 12:22, Simo wrote:
> On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote:
>> On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
>>> So, the bug reports referenced below are in regard to having Samba be a
>>> domain member. My question is why would I want Samba to be a domain
>>> member? I want the machine Samba runs on to be a domain member, because
>>> there are other things going on on that machine as well.
>> You cannot have one without the other, a Unix computer without Samba is
>> just that, a Unix machine. Add Samba and you can join an AD domain, the
>> letters 'S', 'M' and 'B' in Samba are there for a reason.
> Sorry Rowland, but this is incorrect, you need samba (smbd) only if you
> want to make the member server a file server.

So what do you suggest that Samba does?

Do not run smbd ?

Only run nmbd ? but network browsing is as good as dead

Only run winbindd ? but this could interfere with sssd.

> If you do not need to offer SMB file services there are many other
> products that join a unix machine to an AD server, including the
> mentioned sssd (with the realmd utility)

There well may be other products, but, as they are not produced by Samba, we cannot provide support for them.

There is also the little problem that Red-Hat no longer supports the use of sssd with Samba

Whilst I accept that there is nothing wrong with sssd and that people have made it work with Samba, this is not the mailing list to discuss any possible problems

Rowland
On Sat, 2019-06-15 at 12:38 +0100, Rowland penny via samba wrote:
> On 15/06/2019 12:22, Simo wrote:
> > On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote:
> > > On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
> > > > So, the bug reports referenced below are in regard to having Samba be a
> > > > domain member. My question is why would I want Samba to be a domain
> > > > member? I want the machine Samba runs on to be a domain member, because
> > > > there are other things going on on that machine as well.
> > > You cannot have one without the other, a Unix computer without Samba is
> > > just that, a Unix machine. Add Samba and you can join an AD domain, the
> > > letters 'S', 'M' and 'B' in Samba are there for a reason.
> > Sorry Rowland, but this is incorrect, you need samba (smbd) only if you
> > want to make the member server a file server.
>
> So what do you suggest that Samba does?
>
> Do not run smbd ?
>
> Only run nmbd ? but network browsing is as good as dead
>
> Only run winbindd ? but this could interfere with sssd.

Samba is a suite of software; for ages I ran winbindd only on Linux domain members to deal with authentication, smbd wasn't even installed.

> > If you do not need to offer SMB file services there are many other
> > products that join a unix machine to an AD server, including the
> > mentioned sssd (with the realmd utility)
>
> There well may be other products, but, as they are not produced by
> Samba, we cannot provide support for them.

Of course, but we traditionally interoperated with many, and did our best to be an inclusive platform.

> There is also the little problem that Red-Hat no longer supports the use
> of sssd with Samba

Well, Samba made winbind necessary to run, that doesn't mean Red Hat does not support running SSSD for NSS while winbindd runs for smbd authentication purposes.

In fact we allow that by using the sssd_idmap plugin in winbindd.

> Whilst I accept that there is nothing wrong with sssd and that people
> have made it work with Samba, this is not the mailing list to discuss
> any possible problems

I do not agree with this, SSSD is the standard client-side user management component used on one of the distributions Samba works on. We always allowed discussion and helped people configure their user management stack, be it NSS or AIX's own different one, or anything else. This is no different.

If you have a personal problem with SSSD you are not required to help people with it, you are also not required to scare them off for no reason.

Simo.
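The split Simo describes in his two messages above (winbindd running for smbd's authentication and SID/ID mapping, sssd owning NSS) maps onto Samba's idmap_sss backend, which sssd ships as a winbind idmap module (on Fedora/RHEL it is typically in the sssd-winbind-idmap package). The following smb.conf is an added example for this thread, not configuration posted by any participant or taken from the Samba project; the workgroup EXAMPLE, realm EXAMPLE.COM and the ID range are assumptions chosen for illustration. It also shows, in the comments, where the `security = user` setting from Patrick's question differs from a domain member.

```ini
# Added example, not from the thread: minimal AD domain member smb.conf
# where winbindd does Samba's authentication/ID mapping and sssd does NSS.
# Assumed (hypothetical) domain: NetBIOS name EXAMPLE, realm EXAMPLE.COM.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM

   # "security = ads" is what makes this host an AD domain member.
   # "security = user" (as asked about above) would instead make it a
   # standalone server authenticating only against its own accounts.
   security = ads
   kerberos method = secrets and keytab

   # Tell winbindd to resolve SID <-> UID/GID through sssd (idmap_sss)
   # rather than allocating IDs itself from tdb/rid. The range must cover
   # the IDs sssd hands out; 200000-2147483647 is an assumed range here.
   idmap config * : backend = sss
   idmap config * : range = 200000-2147483647

   # NSS stays with sssd: "winbind" is deliberately NOT listed in
   # /etc/nsswitch.conf. The relevant lines there would read (constructed):
   #   passwd: files sss
   #   group:  files sss
   # Samba does not care which NSS module answers, as long as the domain
   # user and its groups resolve.
```

To check that the two halves agree after joining, `net ads testjoin` confirms the machine account, `wbinfo -t` verifies the trust secret winbindd will use for authentication, and `getent passwd 'EXAMPLE\someuser'` (a constructed user name) must return an entry served by sssd with a UID inside the configured idmap range; if `getent` resolves the user but `wbinfo -i 'EXAMPLE\someuser'` fails, winbindd cannot map the SID through idmap_sss and smbd will refuse the session even though the login name exists on the box.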