On 23.09.21 at 09:57, Rowland Penny via samba wrote:
> Using sssd isn't supported by Samba because Samba doesn't produce it
> and, as I have shown previously, not even Red Hat supports its use
> with Samba.

Samba also doesn't produce libc or the kernel, still we consume those system components and generally get some sane behaviour out of the combined system.

For some scenarios supporting sss in nsswitch.conf is certainly possible with a few caveats by using idmap_nss or preferably idmap_sss.

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba

Hello Ralph, Patrick,

> For some scenarios supporting sss in nsswitch.conf is certainly
> possible with a few caveats by using idmap_nss or preferably idmap_sss.

Thanks for chipping away at and digging into this. I've been following the discussion with much interest since, as discussed before in a (very) different context[1], I also work with a lot of environments with considerable investment in non-winbind-idmap_ad-accessible user data sources. I've been using the idmap_nss approach for years and would very much like to be able to use idmap_sss where it lends itself to it.

Let me know if there's anything I can do to help move this forward.

[1] https://lists.samba.org/archive/samba/2021-June/236384.html

Regards.
Michael

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Ralph Boehme via samba <samba at lists.samba.org>
Sent: 23 September 2021 10:19:46
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] id mapping

On 23.09.21 at 09:57, Rowland Penny via samba wrote:
> Using sssd isn't supported by Samba because Samba doesn't produce it
> and, as I have shown previously, not even Red Hat supports its use
> with Samba.

Samba also doesn't produce libc or the kernel, still we consume those system components and generally get some sane behaviour out of the combined system.

For some scenarios supporting sss in nsswitch.conf is certainly possible with a few caveats by using idmap_nss or preferably idmap_sss.

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba

On Thu, 2021-09-23 at 10:19 +0200, Ralph Boehme wrote:
> On 23.09.21 at 09:57, Rowland Penny via samba wrote:
> > Using sssd isn't supported by Samba because Samba doesn't produce
> > it and, as I have shown previously, not even Red Hat supports its
> > use with Samba.
>
> Samba also doesn't produce libc or the kernel, still we consume those
> system components and generally get some sane behaviour out of the
> combined system.
>
> For some scenarios supporting sss in nsswitch.conf is certainly
> possible with a few caveats by using idmap_nss or preferably
> idmap_sss.
>
> -slow

What you are saying is very possible, but, from my understanding, by using idmap-sss you only get authentication, something you can get by running winbind with idmap-rid. You can also get authentication by just using sssd without Samba, so what is the actual point of idmap-sss?

'idmap-sss' is not in the Samba tree and shouldn't be in the Samba tree. It is where it belongs, in the sssd tree, because it is a part of sssd.

Also dragging libc and the kernel into this is, in my opinion, an act of desperation, you know that there is no real need for idmap-sss.

Rowland