
Re: [Samba] design question for small environment

Presumably the unix servers are sharing network shares via samba but not NFS. If you aren't using NFS and if regular users don't need to ssh or sftp into the server then winbind is probably sufficient. My environment has a mix of unix and windows clients and servers so getting uidNumbers and gidNumbers consistent across machines and OS's is critical so winbind alone was not sufficient.

If you look at /etc/nsswitch.conf on linux systems you will see entries like

passwd:         compat sss
group:          compat sss

sss (sssd) is the preferred solution for most network authentication. sssd can be configured to work with ad, ldap, kerberos, and (I think) winbind.

I think the major advantage of sssd is that if you are looking through linux documentation and help forums the examples will assume sssd.conf. sssd allows for password caching which is really more useful on a workstation than a server. And you have a lot of flexibility with configuring AD parameters (search paths, proxy accounts).

I don't think samba uses pam so nsswitch.conf will need to point to winbind (either directly or via sssd). SSH server has several authentication mechanisms - it checks for kerberos credentials, then it checks pam, and then pam would check unix authentication (i.e. nsswitch.conf).

On 09/12/18 14:01, Rowland Penny via samba wrote:
On Wed, 12 Sep 2018 13:33:15 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

Are the unix servers running linux (I know some people wouldn't call
that real unix) or a "real" unix like Solaris?

Linux has sssd which can make things simpler.
Just how does sssd make things simpler?
Properly set up, winbind can do the same authentication that sssd can.
Or are you thinking of sudo? Well, sudo itself can talk to AD, or what
about autofs? Again this can talk to AD. No, you do not need the
red-hat tools at all.

In either case you probably need a proxy account for the unix system
to retrieve user and group info (not passwords) via LDAP.
No, you just need to set up pam correctly, which is easy on debian,
just install libpam_krb5
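The nsswitch.conf point made above (the passwd and group databases have to point at winbind or sss, directly or via sssd, before domain users will resolve at all) can be checked mechanically. The following POSIX shell script is an added example, not code from the list or from any poster: it parses an nsswitch.conf, reports which NSS sources serve passwd and group, and flags any database that lists neither winbind nor sss. The two sample files are constructed inline for demonstration; on a real host you would pass /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example: audit which NSS sources serve the passwd and group databases.
# The sample nsswitch.conf contents below are constructed for demonstration.

# nss_sources FILE DB -> prints the source list for DB (e.g. "compat sss")
nss_sources() {
    # drop comments, find the "db:" line, print everything after the database name
    sed -e 's/#.*//' "$1" | awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has_domain_source FILE DB -> exit 0 if winbind or sss is listed for DB
has_domain_source() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            winbind|sss) return 0 ;;
        esac
    done
    return 1
}

# check_nsswitch FILE -> prints "ok" when both passwd and group have a domain
# source, otherwise "missing:" followed by the databases that lack one
check_nsswitch() {
    missing=""
    for db in passwd group; do
        has_domain_source "$1" "$db" || missing="$missing $db"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Constructed sample 1: the sssd layout quoted in the thread
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat sss
group:          compat sss
shadow:         compat
hosts:          files dns
EOF

# Constructed sample 2: group resolves through winbind, passwd still local only
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
passwd: files   # domain source not yet enabled
group:  files winbind
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT

check_nsswitch "$SAMPLE_OK"   # ok
check_nsswitch "$SAMPLE_BAD"  # missing: passwd
```

The check deliberately accepts either winbind or sss, matching the thread's point that both are valid ways to reach the domain; a host that passes it can still fail to resolve users if the daemon itself is not joined or not running, so `getent passwd DOMAIN\\user` remains the end-to-end test.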

