4.4. Using SMB shares with SSSD
4.4.1. How SSSD Works with SMB
4.4.2. Determining Whether to Use SSSD or Winbind for SMB Shares
- Identity Management clients use SSSD by default to map Active Directory users to UNIX users. Using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.
- In environments with direct Active Directory integration where the clients use SSSD for general Active Directory user mappings, using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.
4.4.3. Accessing SMB Shares from SSSD Clients
alternatives utility. The utility displays the currently used library. In the following example, the system uses the SSSD library:
# alternatives --list | grep -E cifs\|libwbclient
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
libwbclient.so.0.11-64 auto /usr/lib64/sssd/modules/libwbclient.so.0.11.0
4.4.4. Switching Between SSSD and Winbind for SMB Share Access
- Optional. Find out whether you are currently using SSSD or Winbind to access SMB shares from the SSSD client:
# alternatives --display cifs-idmap-plugin
cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
/usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib/cifs-utils/idmapwb.so - priority 10
Current `best' version is /usr/lib/cifs-utils/cifs_idmap_sss.so.
If the SSSD plug-in (cifs_idmap_sss.so) is installed, it has a higher priority than the Winbind plug-in (idmapwb.so) by default.
- Before switching to the Winbind plug-in, make sure Winbind is running on the system:
# systemctl is-active winbind.service
active
Before switching to the SSSD plug-in, make sure SSSD is running on the system:
# systemctl is-active sssd.service
active
- To switch to a different plug-in, use the alternatives --set cifs-idmap-plugin command, and specify the path to the required plug-in. For example, to switch to Winbind:
# alternatives --set cifs-idmap-plugin /usr/lib/cifs-utils/idmapwb.so
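The checks in this procedure can be scripted so that a plug-in is never selected while its backing service is stopped. The following is an added example, not part of the original documentation; the function names and the sample output are constructed for illustration, and the plug-in paths are the ones shown above.

```shell
#!/bin/sh
# Added example: check that the service behind a cifs-idmap-plugin is running.

# Read `alternatives --display cifs-idmap-plugin` output on stdin and print
# the plug-in path the link currently points to.
current_plugin() {
    sed -n 's/^ *link currently points to *//p' | head -n 1
}

# Map a plug-in path to the service that must be active for it to resolve IDs.
required_service() {
    case "$1" in
        */cifs_idmap_sss.so) echo sssd.service ;;
        */idmapwb.so)        echo winbind.service ;;
        *) return 1 ;;
    esac
}

# check_plugin PLUGIN_PATH [IS_ACTIVE_COMMAND...]
# Returns 0 if the backing service is active, 1 if it is not, 2 if the
# plug-in is not one of the two known ones. The optional command replaces
# `systemctl is-active --quiet` (assumption: used here for offline testing).
check_plugin() {
    plugin=$1; shift
    [ $# -gt 0 ] || set -- systemctl is-active --quiet
    svc=$(required_service "$plugin") || {
        echo "unknown plug-in: $plugin" >&2; return 2; }
    if "$@" "$svc"; then
        echo "ok: $plugin is backed by active $svc"
    else
        echo "mismatch: $plugin needs $svc, which is not active" >&2
        return 1
    fi
}

# On a real client: verify the plug-in that alternatives currently selects.
verify_current() {
    check_plugin "$(alternatives --display cifs-idmap-plugin | current_plugin)"
}

# Constructed sample input, modelled on the output shown above.
SAMPLE_DISPLAY='cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
/usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib/cifs-utils/idmapwb.so - priority 10'
```

Source the file and call verify_current before and after running alternatives --set; a non-zero return means the selected plug-in has no active service behind it.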
4.4.5. Configuring an SSSD Client to Run a Samba Server Without Using Winbind
winbindd service is used internally not only for identity resolution, but also for pass-through authentication in Samba. SSSD does not support these modes and therefore cannot serve as a replacement for Winbind in this situation.
# yum install sssd-libwbclient
libwbclient.so library. The library is the SSSD alternative to the library provided by the libwbclient package used by the Winbind service.
- Open the
- In the [global] section, use the kerberos method option to define the method to verify Kerberos tickets.
- Example of typical configuration in environments with direct Active Directory integration:
[global]
security = ads
workgroup = ADSHORTNAME
realm = ADREALM
kerberos method = system keytab
The system keytab value specifies that the keytab required for Kerberos access to the SMB share is the same as the keytab that SSSD uses:
- Example of typical configuration in environments with Active Directory trust:
[global]
security = ads
workgroup = IDM
realm = IDMREALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
The dedicated keytab value specifies that a dedicated keytab is required to verify Kerberos tickets.