Hello Rowland, Am 23.08.2019 13:12, schrieb Rowland penny via samba:> Do not bother, I take it you missed that red-hat (who produces sssd) > no longer supports using sssd with Winbind. So your cure is obvious: > apt-get purge sssdas I'm not using sssd and winbind for the same authentication domain (rather, winbind is for a windows domain, sssd for an LDAP-based authentication domain, and the usernames don't overlap), my only solution would be to switch to sssd completely, which is definitely possible thanks to idmap_sss (i.e., there's interoperability between winbind and sssd when both go against the same domain, as not having any integration would break all the other Samba services when working with sssd). So, anyway, this comment is neither correct (RedHat explicitly states how to configure winbind/samba to work in tandem with sssd), and is also not applicable to my situation. Thanks anyway. -- --- Heiko Wundram.
On 23/08/2019 12:38, Heiko Wundram via samba wrote:> Hello Rowland, > > Am 23.08.2019 13:12, schrieb Rowland penny via samba: >> Do not bother, I take it you missed that red-hat (who produces sssd) >> no longer supports using sssd with Winbind. So your cure is obvious: >> apt-get purge sssd > > as I'm not using sssd and winbind for the same authentication domain > (rather, winbind is for a windows domain, sssd for an LDAP-based > authentication domain, and the usernames don't overlap), my only > solution would be to switch to sssd completely, which is definitely > possible thanks to idmap_sss (i.e., there's interoperability between > winbind and sssd when both go against the same domain, as not having > any integration would break all the other Samba services when working > with sssd). > > So, anyway, this comment is neither correct (RedHat explicitly states > how to configure winbind/samba to work in tandem with sssd), and is > also not applicable to my situation. Thanks anyway. >see Red-Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1663323 They no longer support using sssd with winbind. If you are running sssd and winbind on the same computer, then you shouldn't, but it is your computer, just do not expect to get support from here, mainly because we do not provide sssd and do not really know anything about it, you need to approach the sssd-users mailing list. Rowland Penny Samba Team member
Hey, Am 23.08.2019 13:56, schrieb Rowland penny via samba:> see Red-Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1663323 > They no longer support using sssd with winbind.Yes, I know that discussion, and if you read the corresponding bug report, the case that was mentioned (which is outdated already, please look for info on idmap_sss for Samba for combining the two) is if sssd and winbind run against the same domain and both derive information for the same user base. There are later bug reports which explicitly state that the corresponding note, which was added to the documentation at the beginning of this year, is outdated again/should be fixed. Anyway, all this doesn't apply to my case, as sssd and winbind run against completely different authentication sources, and from what I could gather from the Samba bug report I mentioned, the problem is that sss is not reentrant as an authentication source, whereas winbind is, which causes mayhem when looking up accounts that are in neither source. sssd has this fixed in some version which doesn't appear to be in Debian yet. But I'll leave it at that and now try to get some information on the patch that's required. Have a pleasant afternoon. -- --- Heiko Wundram.