samba - Sep 2021 - working well with sssd

On Thu, 2021-09-23 at 21:04 +1200, Andrew Bartlett
wrote:
> On Thu, 2021-09-23 at 10:53 +0200, Ralph Boehme via samba wrote:
> > There is a real need.
> > 
> > -slow
> 
> There is also a real need for us to move past this 'we don't even
try
> to work with sssd' thing.  That is both in terms of working in the
> code
> to make this 'just work' as much as can be done, with clear
> limitations
> specified, and in the practice on the list when queries come up.
> 
> sssd has become established in terms of being the AD connector for
> Linux workstations and servers that don't run Samba.  We should
> congratulate their team for their achievements.  We were in the race,
> but didn't win this time.
Because we didn't try, you have been talking about doing a better
idmapping for the last 10 years that I know off, but that has all it
has been, talk.
> 
> Shockingly we find that Samba isn't always the centre of the
> universe,
> and sometimes we will need to fit in with the organisational
> arrangements where 'best for Samba' isn't the primary
> criteria.  (Just
> as we exist to help linux systems fit into otherwise windows
> networks). 
> 
> I would also really love Samba AD to be an even better server to
> sssd,
> and while also a code question, moving past this mode of interaction
> is
> an important step also.
> 
> Andrew Bartlett
I do not think we need sssd, we just need to make Samba easier to set
up, something along the lines of a combination of the 'rid' and
'ad'
backends, the 'rid' for idmapping and 'ad' for the rest of the
rfc2307
attributes. I cannot write 'C' code so cannot help here.

We either need to swallow sssd into Samba and alter it to our uses or
ignore it.

Rowland

On Thu, Sep 23, 2021 at 10:20:00AM +0100, Rowland Penny via samba
wrote:
>
>I do not think we need sssd, we just need to make Samba easier to set
>up, something along the lines of a combination of the 'rid' and
'ad'
>backends, the 'rid' for idmapping and 'ad' for the rest of
the rfc2307
>attributes. I cannot write 'C' code so cannot help here.
>
>We either need to swallow sssd into Samba and alter it to our uses or
>ignore it.
There are other options :-). Remember, some of the people
writing sssd are our colleagues on the Samba Team, and
we should try and appreciate their contributions a little
more :-).

Remember they are constrained by their job in how much they
can help w.r.t. making winbindd better (they are paid to
work on sssd after all) and unlike them you are able to
"speak truth to power" (that's one of the things I love
about you Rowland, you have a very Lancastrian ability to
speak your mind without fear or favour :-).

But if we can't help with sssd sometimes it's better
to be silent than berate people for what we think are..
lets just call them "less optimal choices" :-).

Proposing alternatives is fine, but remember, "you
can lead a horse to water, but.." :-).

Cheers,

Jeremy.