4.4. Using SMB shares with SSSD

This section describes how you can use SSSD clients to access and fully use shares based on the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol.

Note

Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer need to run Winbind and SSSD in parallel to access SMB shares. For example, accessing the Access Control Lists (ACLs) no longer requires Winbind on SSSD clients.

Important

SSSD does not support all the services that Winbind provides. For example, SSSD does not support authentication using the NT LAN Manager (NTLM) or NetBIOS name lookup. If you need these services, use Winbind. Note that in Identity Management domains, Kerberos authentication and DNS name lookup are available for the same purposes.

4.4.1. How SSSD Works with SMB

The SMB file-sharing protocol is widely used on Windows machines. In Red Hat Enterprise Linux environments with a trust between Identity Management and Active Directory, SSSD enables seamless use of SMB as if it were a standard Linux file system.
To access an SMB share, the system must be able to translate Windows SIDs to Linux POSIX UIDs and GIDs. SSSD clients use the SID-to-ID or SID-to-name algorithm, which enables this ID mapping.

4.4.2. Determining Whether to Use SSSD or Winbind for SMB Shares

For most SSSD clients, using SSSD is recommended:
  • Identity Management clients use SSSD by default to map Active Directory users to UNIX users. Using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.
  • In environments with direct Active Directory integration where the clients use SSSD for general Active Directory user mappings, using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.

4.4.3. Accessing SMB Shares from SSSD Clients

You can access SMB shares from all SSSD clients that belong to the Samba domain.
To verify that the system uses SSSD for accessing SMB shares, use the alternatives utility. The utility displays the currently used library. In the following example, the system uses the SSSD library:
# alternatives --list | grep -E cifs\|libwbclient
cifs-idmap-plugin       auto     /usr/lib64/cifs-utils/cifs_idmap_sss.so
libwbclient.so.0.11-64 auto /usr/lib64/sssd/modules/libwbclient.so.0.11.0

4.4.4. Switching Between SSSD and Winbind for SMB Share Access

This procedure describes how you can switch between SSSD and Winbind plug-ins that are used for accessing SMB shares from SSSD clients.
  1. Optional. Find out whether you are currently using SSSD or Winbind to access SMB shares from the SSSD client:
    # alternatives --display cifs-idmap-plugin
    cifs-idmap-plugin - status is auto.
     link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
    /usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
    /usr/lib/cifs-utils/idmapwb.so - priority 10
    Current `best' version is /usr/lib/cifs-utils/cifs_idmap_sss.so.
    If the SSSD plug-in (cifs_idmap_sss.so) is installed, it has a higher priority than the Winbind plug-in (idmapwb.so) by default.
  2. Before switching to the Winbind plug-in, make sure Winbind is running on the system:
    # systemctl is-active winbind.service
    active
    Before switching to the SSSD plug-in, make sure SSSD is running on the system:
    # systemctl is-active sssd.service
    active
  3. To switch to a different plug-in, use the alternatives --set cifs-idmap-plugin command, and specify the path to the required plug-in. For example, to switch to Winbind:
    # alternatives --set cifs-idmap-plugin /usr/lib/cifs-utils/idmapwb.so
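The following script is an added example and is not part of the Red Hat documentation. It turns the three steps above into a pre-flight check: it parses the output of alternatives --display cifs-idmap-plugin to find which plug-in the link currently points to, maps that plug-in to its backend (SSSD or Winbind), and refuses to run alternatives --set unless the daemon that backend depends on reports active. The sample output embedded in the script is constructed from the format shown in step 1 so the parsing can be exercised without a RHEL host; the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): pre-flight check for
# switching the cifs-idmap-plugin alternative between SSSD and Winbind.

# Constructed sample in the format of `alternatives --display cifs-idmap-plugin`,
# used so the parsing functions can run without the alternatives utility.
SAMPLE_DISPLAY=$(cat <<'EOF'
cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
/usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib/cifs-utils/idmapwb.so - priority 10
Current `best' version is /usr/lib/cifs-utils/cifs_idmap_sss.so.
EOF
)

# Print the plug-in path the alternatives link currently points to.
# $1: text of `alternatives --display cifs-idmap-plugin`
current_plugin_path() {
    printf '%s\n' "$1" | sed -n 's/^ *link currently points to //p'
}

# Map a plug-in path to its backend: sssd, winbind, or unknown.
plugin_backend() {
    case "$(basename "$1")" in
        cifs_idmap_sss.so) echo sssd ;;
        idmapwb.so)        echo winbind ;;
        *)                 echo unknown ;;
    esac
}

# Name of the systemd unit a backend depends on (step 2 of the procedure).
backend_service() {
    case "$1" in
        sssd)    echo sssd.service ;;
        winbind) echo winbind.service ;;
        *)       return 1 ;;
    esac
}

# Decide whether switching to plug-in $1 is safe, given the state $2 of its
# daemon as reported by `systemctl is-active`. Returns 0 if safe, 1 otherwise.
can_switch_to() {
    backend=$(plugin_backend "$1")
    [ "$backend" != unknown ] || return 1
    [ "$2" = active ]
}

# Perform the switch on a real host, using the commands from the procedure.
# Usage: switch_idmap_plugin /usr/lib/cifs-utils/idmapwb.so
switch_idmap_plugin() {
    target=$1
    svc=$(backend_service "$(plugin_backend "$target")") || {
        echo "unknown plug-in: $target" >&2
        return 1
    }
    state=$(systemctl is-active "$svc")
    if can_switch_to "$target" "$state"; then
        alternatives --set cifs-idmap-plugin "$target"
    else
        echo "$svc is $state; not switching to $target" >&2
        return 1
    fi
}

# Dry run against the constructed sample: reports the backend in use (sssd).
echo "current backend: $(plugin_backend "$(current_plugin_path "$SAMPLE_DISPLAY")")"
```

On a real client, replace SAMPLE_DISPLAY with `$(alternatives --display cifs-idmap-plugin)` and call switch_idmap_plugin with the target path; the check stops the switch when the matching daemon is not active, which is the condition step 2 asks you to verify by hand.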

4.4.5. Configuring an SSSD Client to Run a Samba Server Without Using Winbind

This procedure configures the SSSD client to run Samba as a server and use SSSD to authenticate clients to the SMB server.

Important

Without Winbind, you might experience problems when setting up a Samba server in multi-domain environments. The winbindd service is used internally not only for identity resolution, but also for pass-through authentication in Samba. SSSD does not support these modes and therefore cannot serve as a replacement for Winbind in this situation.

Prerequisites

Install the sssd-libwbclient package:
# yum install sssd-libwbclient
The package provides the libwbclient.so library. The library is the SSSD alternative to the library provided by the libwbclient package used by the Winbind service.

Important

If you use Winbind, sssd-libwbclient can cause problems when attempting to access the SMB share.

Procedure

  1. Open the /etc/samba/smb.conf file.
  2. In the [global] section, use the kerberos method option to define the method to verify Kerberos tickets.
    • Example of typical configuration in environments with direct Active Directory integration:
      [global]
      	security = ads
      	workgroup = ADSHORTNAME
      	realm = ADREALM
      	kerberos method = system keytab
      The system keytab value specifies that the keytab required for Kerberos access to the SMB share is the same as the keytab that SSSD uses: /etc/krb5.keytab.
    • Example of typical configuration in environments with Active Directory trust:
      [global]
      	security = ads
      	workgroup = IDM
      	realm = IDMREALM
      	kerberos method = dedicated keytab
      	dedicated keytab file = /etc/samba/samba.keytab
      The dedicated keytab value specifies that a dedicated keytab is required to verify Kerberos tickets.
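The following script is an added example and is not part of the Red Hat documentation. It reads the [global] section of an smb.conf and reports which keytab Samba will consult to verify Kerberos tickets under the two configurations shown above: /etc/krb5.keytab for kerberos method = system keytab, and the dedicated keytab file value for kerberos method = dedicated keytab. It fails with a reason when the method is missing, when dedicated keytab is selected without a file, or when a method this example does not cover is used. The smb.conf fragment embedded in the script is constructed from the trust example above; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): find the keytab Samba
# will use for Kerberos ticket verification from an smb.conf [global] section.

# Constructed smb.conf fragment, modelled on the Active Directory trust example.
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
	security = ads
	workgroup = IDM
	realm = IDMREALM
	kerberos method = dedicated keytab
	dedicated keytab file = /etc/samba/samba.keytab

[homes]
	browseable = no
EOF
)

# Print the value of parameter $2 from the [global] section of config text $1.
# smb.conf keys are case-insensitive and may carry surrounding whitespace.
smb_global_param() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }'
}

# Print the keytab path Samba will consult for the given config text, or
# return 1 with a reason on stderr. Only the two methods used on this page
# are handled; Samba's other values ("secrets only", "secrets and keytab")
# are reported as unhandled.
samba_keytab_path() {
    method=$(smb_global_param "$1" "kerberos method")
    case "$method" in
        "system keytab")
            # Same keytab SSSD uses, as the page states.
            echo /etc/krb5.keytab ;;
        "dedicated keytab")
            file=$(smb_global_param "$1" "dedicated keytab file")
            if [ -z "$file" ]; then
                echo "kerberos method = dedicated keytab but no dedicated keytab file set" >&2
                return 1
            fi
            echo "$file" ;;
        "")
            echo "kerberos method is not set in [global]" >&2
            return 1 ;;
        *)
            echo "unhandled kerberos method: $method" >&2
            return 1 ;;
    esac
}

# Convenience check for a live host: is the keytab Samba will use readable?
# Usage: check_samba_keytab "$(cat /etc/samba/smb.conf)"
check_samba_keytab() {
    path=$(samba_keytab_path "$1") || return 1
    [ -r "$path" ] || { echo "keytab $path is not readable" >&2; return 1; }
    echo "$path"
}

echo "sample config uses keytab: $(samba_keytab_path "$SAMPLE_SMB_CONF")"
```

Running check_samba_keytab against the real /etc/samba/smb.conf after editing it catches the two mistakes that otherwise surface only as failed Kerberos authentication from SMB clients: a dedicated keytab method with no file configured, and a configured keytab the Samba process cannot read.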