samba - Dec 2024 - Error when joining new DC

If not using sssd, how do you join the clients to the domain? We are not using
GPO, only user authentication and DNS.

Due to security restrictions we are not able to install Samba packages on all
the clients. Sssd is the simplest solution, and the only one recommended and
officially supported by RedHat.

Br


________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Tuesday, December 17, 2024 8:43:52 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Error when joining new DC

On Tue, 17 Dec 2024 05:54:55 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:
> AFAIK sssd on RHEL is by default doing dyndny updates and it needs to
> be disabled in the config. Same for a Windows.
That is easy to fix, there is no reason to use sssd with Samba, it is
pointless, so, on redhat:
systemctl stop sssd
systemctl disable sssd
>
> Instead of client configuration which can be changed by any sysadmin
> I prefer to deny DNS updates centrally, where I have control.
As I said, Linux doesn't do them and you can use a GPO to stop any
Windows clients doing them, but you really should have the 'tkey' line
active in your named.conf.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Tue, 17 Dec 2024 08:04:27 +0000
Peter Mittermayer via samba <samba at lists.samba.org> wrote:
> If not using sssd, how do you join the clients to the domain? We are
> not using GPO, only user authentication and DNS.
> 
> Due to security restrictions we are not able to install Samba
> packages on all the clients. Sssd is the simplest solution, and the
> only one recommended and officially supported by RedHat.
> 
First all sssd gives you is authentication, something Samba can also
do, but Samba can give you something that sssd cannot, shares.

You do not actually use sssd to join, your are probably using realmd,
but in either case, this isn't really the mailing list to discuss sssd
or realmd, neither are Samba products, I suggest you ask on the
sssd-users mailing list about any problems with sssd.

To join a Samba machine to an AD domain, you would run 'net ads join'
after configuring the client.

In my opinion (for what is worth), you either install Samba or sssd,
never both, this mailing list can help you with any Samba problems.

As for your 'security restrictions', let me tell you a story.

A person wrote most of winbind for Samba, that person then went to work
for redhat, were they wrote most of sssd, basing it on, you guessed it,
winbind. This means that if you run sssd, you are running code that is
very similar to winbind, so which is more secure ? (bearing in mind
that you have to install some Samba packages to get sssd to work.)

Rowland