4.2. Using SMB shares with SSSD and Winbind

This section describes how you can use SSSD clients to access and fully use shares based on the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol.

Important

Using SSSD as a client in IdM or Active Directory domains has certain limitations, and Red Hat does not recommend using SSSD as an ID mapping plug-in for Winbind. For further details, see the article "What is the support status for Samba file server running on IdM clients or directly enrolled AD clients where SSSD is used as the client daemon".
SSSD does not support all the services that Winbind provides. For example, SSSD does not support authentication using the NT LAN Manager (NTLM) or NetBIOS name lookup. If you need these services, use Winbind. Note that in Identity Management domains, Kerberos authentication and DNS name lookup are available for the same purposes.

4.2.1. How SSSD Works with SMB

The SMB file-sharing protocol is widely used on Windows machines. In Red Hat Enterprise Linux environments with a trust between Identity Management and Active Directory, SSSD enables seamless use of SMB as if it were a standard Linux file system.
To access an SMB share, the system must be able to translate Windows SIDs to Linux POSIX UIDs and GIDs. SSSD clients use the SID-to-ID or SID-to-name algorithm, which enables this ID mapping.

4.2.2. Switching Between SSSD and Winbind for SMB Share Access

This procedure describes how to switch between the SSSD and Winbind plug-ins that are used for accessing SMB shares from SSSD clients. For Winbind to be able to access SMB shares, the cifs-utils package must be installed on the client. To verify that cifs-utils is installed on your machine:
$ rpm -q cifs-utils
  1. Optional. Find out whether you are currently using SSSD or Winbind to access SMB shares from the SSSD client:
    # alternatives --display cifs-idmap-plugin
    cifs-idmap-plugin - status is auto.
     link currently points to /usr/lib64/cifs-utils/cifs_idmap_sss.so
    /usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
    /usr/lib64/cifs-utils/idmapwb.so - priority 10
    Current `best' version is /usr/lib64/cifs-utils/cifs_idmap_sss.so.
    If the SSSD plug-in (cifs_idmap_sss.so) is installed, it has a higher priority than the Winbind plug-in (idmapwb.so) by default.
  2. Before switching to the Winbind plug-in, make sure Winbind is running on the system:
    # systemctl is-active winbind.service
    active
    Before switching to the SSSD plug-in, make sure SSSD is running on the system:
    # systemctl is-active sssd.service
    active
  3. To switch to a different plug-in, use the alternatives --set cifs-idmap-plugin command, and specify the path to the required plug-in. For example, to switch to Winbind:
    # alternatives --set cifs-idmap-plugin /usr/lib64/cifs-utils/idmapwb.so

Note

32-bit platforms, such as i686 in RHEL 7, use the /usr/lib/cifs-utils/ directory instead of /usr/lib64/cifs-utils/.
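
Steps 1 to 3 combined into one guarded switch, as an added example that is not part of the Red Hat documentation. The function names are hypothetical, and matching on the plug-in file name lets the same check work for both the /usr/lib64/cifs-utils/ and /usr/lib/cifs-utils/ directories.

```shell
#!/bin/sh
# Added example, not Red Hat's code. All function names are hypothetical.

# `alternatives --display cifs-idmap-plugin` output as shown on this page (abridged).
SAMPLE_DISPLAY='cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib64/cifs-utils/cifs_idmap_sss.so
/usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib64/cifs-utils/idmapwb.so - priority 10'

# Read `alternatives --display` output on stdin, print the active plug-in path.
current_plugin() {
    sed -n 's/^ *link currently points to //p'
}

# Print the systemd unit a plug-in depends on; fail for any other file name.
required_service() {
    case "${1##*/}" in
        cifs_idmap_sss.so) echo sssd.service ;;
        idmapwb.so)        echo winbind.service ;;
        *)                 return 1 ;;
    esac
}

# Switch plug-ins only when the target exists and its daemon is active.
switch_plugin() {
    sp_target=$1
    sp_svc=$(required_service "$sp_target") || { echo "unknown plug-in: $sp_target" >&2; return 2; }
    [ -e "$sp_target" ] || { echo "not installed: $sp_target" >&2; return 3; }
    systemctl is-active --quiet "$sp_svc" || { echo "$sp_svc is not active; leaving plug-in unchanged" >&2; return 4; }
    alternatives --set cifs-idmap-plugin "$sp_target"
}

# Verify that the daemon behind the currently selected plug-in is running.
check_current() {
    cc_plugin=$(alternatives --display cifs-idmap-plugin | current_plugin)
    cc_svc=$(required_service "$cc_plugin") || { echo "unrecognized plug-in: $cc_plugin" >&2; return 2; }
    systemctl is-active --quiet "$cc_svc" || { echo "$cc_plugin selected but $cc_svc is not active" >&2; return 1; }
    echo "$cc_plugin ($cc_svc active)"
}

# Stand-alone use (as root): script.sh check | script.sh switch /path/to/plugin.so
case "${1:-}" in
    check)  check_current ;;
    switch) switch_plugin "${2:-}" ;;
esac
```

Run `check` after any package update that touches cifs-utils or SSSD, because the alternatives link is in auto mode by default and follows plug-in priority rather than which daemon is running.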