Samba and SSSD Interoperability


I am writing this in case someone who has gone through a similar investigation has advice to share, or if anyone notices errors in the conclusions that are stated.

I am upgrading a development server for teaching to Red Hat 8 or 9 and I am revisiting my Windows AD and workstation connectivity. I currently have Samba and SSSD running (SSSD is doing system authentication and userid mapping), as the lab computers that access this server dual-boot to both Windows and Linux and use SMB for Windows and NFS for Linux. Some users are also allowed to connect to the SMB shares from their own computers using their domain username and password.

I have run into the Samba secrets file issue: https://access.redhat.com/discussions/5972861 and have been working around that but would obviously prefer a cleaner solution if there is one.

I ended up switching to the sssd idmap in winbind after the security updates that changed the UID mappings in Samba last year, but according to https://access.redhat.com/articles/4355391, Red Hat does not recommend using idmap_sss as a long-term plan. This suggests to me that if I use Samba for the development server (hosting both SMB and NFS shares to all users) I would have to convert all of the lab computers over to Samba-connected so that I get matching UIDs in a manner that will be supported going forward.

It looks like I can get most of what I need from Samba by populating the AD SFU schema objects. But SSSD seems a better fit on a lab machine which is not sharing files and could use the benefits of policy management, so I would rather not convert them unless I am sure there is no other way.

As an aside, I have noticed that SSSD will refer to the AD unixHomeDirectory before applying the default path, which is also very convenient as some of the users are placed in a different path for group security reasons. It is useful to only change those who need custom paths instead of setting that property for all the user accounts.

I welcome any suggestions that I may be overlooking or corrections about faulty assumptions or conclusions.

Responses