similar to: please confirm: sssd not a good idea :)

On 08/06/2019 21:32, Rowland penny via samba wrote: > On 08/06/2019 16:24, Uwe Laverenz via samba wrote: >> Hi all, >> >> when you join a linux server to an active directory with "realm" it >> uses "sssd" as default. This works well as long as you just want to >> be a simple domain member. >> >> As soon as you want a real member

There is probably some amount of redtape on this but AFAIK it works fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs through use of realm '(and thus sssd): Here's a RHEL7.6 client: # realm list ad.lasthome.solace.krynn type: kerberos realm-name: AD.LASTHOME.SOLACE.KRYNN domain-name: ad.lasthome.solace.krynn configured: kerberos-member server-software:

That's clearly a documentation bug. As for the samba integration, it's now in its own guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/index (this is what I followed on 7.5/7.6 to consume realmd). Let me open a BZ about this... Regards, Vincent On Wed, 12 Jun 2019, Rowland penny via samba wrote: > On 12/06/2019 16:31,

On 08/06/2019 16:24, Uwe Laverenz via samba wrote: > Hi all, > > when you join a linux server to an active directory with "realm" it > uses "sssd" as default. This works well as long as you just want to be > a simple domain member. > > As soon as you want a real member server, with acls for example, you > need winbind instead of sssd. You can't

On 6/12/19 7:00 AM, Rowland penny wrote: > Until yesterday I would have pointed you at the sssd-users mailing list, that was until I found this: > *Important* > Red Hat only supports running Samba as a server with the |winbindd| service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN

On 03/09/2020 21:18, Robert Marcano via samba wrote: > This is what I do, if the domain start using more than the slice size, > there could be a problem because SSSD allows multiple slices. I > haven't tested sssd-winbind-idmap yet I mentioned in another response That is what was known as idmap-sss and relies on the winbind libs provided by sssd and is probably not compatible with

On 10/06/2019 16:04, vincent at cojot.name wrote: > > There is probably some amount of redtape on this but AFAIK it works > fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs > through use of realm '(and thus sssd): > > Here's a RHEL7.6 client: > # realm list > ad.lasthome.solace.krynn > ? type: kerberos > ? realm-name:

On Wed, Jun 12, 2019 at 4:38 AM Rowland penny via samba <samba at lists.samba.org> wrote: > > On 10/06/2019 16:04, vincent at cojot.name wrote: > > > > There is probably some amount of redtape on this but AFAIK it works > > fine for me: My RHEL7.6 hypervisors are joined to my AD DC 4.10.4 VMs > > through use of realm '(and thus sssd): > > > >

On 12/06/2019 16:31, Goetz, Patrick G via samba wrote: > > On 6/12/19 7:00 AM, Rowland penny wrote: >> Until yesterday I would have pointed you at the sssd-users mailing list, that was until I found this: >> *Important* >> Red Hat only supports running Samba as a server with the |winbindd| service to provide domain users and groups to the local system. Due to certain

https://bugzilla.redhat.com/show_bug.cgi?id=1719824 ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-, Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~ Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,. Linux Xview/OpenLook resources page

On 12/06/2019 19:37, Vincent S. Cojot via samba wrote: > > Hi Robert & Rowland, > > So, I reached out to one of the developpers of 'sssd' that I know > personally. He assured me that 'sssd' is fully supported by RedHat and > he also said that they only test against MS-AD, not Samba-AD. He > thought that since Samba-AD aims for retro-compatibility with

On Sat, 2019-06-15 at 12:38 +0100, Rowland penny via samba wrote: > On 15/06/2019 12:22, Simo wrote: > > On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote: > > > On 12/06/2019 18:02, Goetz, Patrick G via samba wrote: > > > > So, the bug reports referenced below are in regard to having Samba be a > > > > domain member. My question is why

On 6/12/19 12:23 PM, Vincent S. Cojot via samba wrote: > > Oh woaaaahhh (Sorry, I lack the words). I am sure that one must be > re-visited for 7.6+, though since 7.6+ had a good overhaul of sssd to > make it work better with AD (I heard that from the developper). Perhaps > I'm going slightly insane here... I wish they (Red Hat) clarified their position. There are many

On 17/06/2019 17:45, Edouard Guign? via samba wrote: > Hello, > > I do not know how should be nsswitch.conf configured. > What should I change in it according to "/you either do not have the > passwd, group and shadow lines or you have chosen not to show them/" ? > Something like this? added to nsswitch.conf ? > passwd : files > group : files > shadow : files

On 15/06/2019 12:22, Simo wrote: > On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote: >> On 12/06/2019 18:02, Goetz, Patrick G via samba wrote: >>> So, the bug reports referenced below are in regard to having Samba be a >>> domain member. My question is why would I want Samba to be a domain >>> member? I want the machine Samba runs on to be a

Hi Robert & Rowland, So, I reached out to one of the developpers of 'sssd' that I know personally. He assured me that 'sssd' is fully supported by RedHat and he also said that they only test against MS-AD, not Samba-AD. He thought that since Samba-AD aims for retro-compatibility with MS-AD, things "should just work" with Samba-AD but again the term

On 12/06/2019 16:56, Vincent S. Cojot via samba wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=1719824 > I counter that with: https://bugzilla.redhat.com/show_bug.cgi?id=1663323 Rowland

On 12/06/2019 18:02, Goetz, Patrick G via samba wrote: > So, the bug reports referenced below are in regard to having Samba be a > domain member. My question is why would I want Samba to be a domain > member? I want the machine Samba runs on to be a domain member, because > there are other things going on on that machine as well. You cannot have one without the other, a Unix

I am setting up a CentOS 7 system as a file server within an AD domain, following the following Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers Here is some information that likely complicates things: - we have a number of users and groups with sub-1000 uid or gid numbers which can't

On 6/12/19 12:14 PM, Rowland penny via samba wrote: >> >> ? From that perspective, unless you're using Samba as a PDC/BDC, the only >> security setting you ever want to use is >> >> ????? security = user >> >> Am I missing something? > > Yes, using that means it can only be a standalone server and not part of > a domain. > I guess I