4.2. Using SMB shares with SSSD and Winbind
This section describes how you can use SSSD clients to access and fully use shares based on the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol.
Note
Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer need to run Winbind and SSSD in parallel to access SMB shares. For example, accessing the Access Control Lists (ACLs) no longer requires Winbind on SSSD clients.
Important
SSSD does not support all the services that Winbind provides. For example, SSSD does not support authentication using the NT LAN Manager (NTLM) or NetBIOS name lookup. If you need these services, use Winbind. Note that in Identity Management domains, Kerberos authentication and DNS name lookup are available for the same purposes.
4.2.1. How SSSD Works with SMB
The SMB file-sharing protocol is widely used on Windows machines. In Red Hat Enterprise Linux environments with a trust between Identity Management and Active Directory, SSSD enables seamless use of SMB as if it were a standard Linux file system.
To access an SMB share, the system must be able to translate Windows SIDs to Linux POSIX UIDs and GIDs. SSSD clients use the SID-to-ID or SID-to-name algorithm, which enables this ID mapping.
4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
For most SSSD clients, using SSSD is recommended:
- Identity Management clients use SSSD by default to map Active Directory users to UNIX users. Using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.
- In environments with direct Active Directory integration where the clients use SSSD for general Active Directory user mappings, using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping.
Important
SSSD does not support all the services that Winbind provides. For example, SSSD does not support authentication using the NT LAN Manager (NTLM) or NetBIOS name lookup. If you need these services, use Winbind. Note that in Identity Management domains, Kerberos authentication and DNS name lookup are available for the same purposes.
4.2.3. Accessing SMB Shares from SSSD Clients
You can access SMB shares from all SSSD clients that belong to the Samba domain.
To verify that the system uses SSSD for accessing SMB shares, use the alternatives utility. The utility displays the currently used library. In the following example, the system uses the SSSD library:
# alternatives --list | grep -E cifs\|libwbclient
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
libwbclient.so.0.11-64 auto /usr/lib64/sssd/modules/libwbclient.so.0.11.0
4.2.4. Switching Between SSSD and Winbind for SMB Share Access
This procedure describes how you can switch between SSSD and Winbind plug-ins that are used for accessing SMB shares from SSSD clients. For Winbind to be able to access SMB shares, you need to have the cifs-utils package installed on your client. To make sure that cifs-utils is installed on your machine:
$ rpm -q cifs-utils
- Optional. Find out whether you are currently using SSSD or Winbind to access SMB shares from the SSSD client:
  # alternatives --display cifs-idmap-plugin
  cifs-idmap-plugin - status is auto.
   link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
  /usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
  /usr/lib/cifs-utils/idmapwb.so - priority 10
  Current `best' version is /usr/lib/cifs-utils/cifs_idmap_sss.so.
  If the SSSD plug-in (cifs_idmap_sss.so) is installed, it has a higher priority than the Winbind plug-in (idmapwb.so) by default.
- Before switching to the Winbind plug-in, make sure Winbind is running on the system:
  # systemctl is-active winbind.service
  active
  Before switching to the SSSD plug-in, make sure SSSD is running on the system:
  # systemctl is-active sssd.service
  active
- To switch to a different plug-in, use the alternatives --set cifs-idmap-plugin command, and specify the path to the required plug-in. For example, to switch to Winbind:
  # alternatives --set cifs-idmap-plugin /usr/lib/cifs-utils/idmapwb.so
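The checks in this procedure can be combined into one audit step. The following script is an added example, not part of the Red Hat documentation or of cifs-utils; the function names idmap_backend and idmap_verdict are hypothetical, and the sample output is constructed from the listing above. It reports which daemon the active plug-in depends on, fails when that daemon is not running, and warns when Winbind handles the mapping, because of the inconsistent mapping described in section 4.2.2.

```shell
#!/bin/bash
# Added example; function names are hypothetical, not part of cifs-utils or SSSD.

# Read `alternatives --display cifs-idmap-plugin` output on stdin and print
# the backend behind the active link: sssd, winbind, or unknown.
idmap_backend() {
    local target
    target=$(sed -n 's/^ *link currently points to *//p' | head -n 1)
    case "$target" in
        */cifs_idmap_sss.so) echo sssd ;;
        */idmapwb.so)        echo winbind ;;
        *)                   echo unknown ;;
    esac
}

# idmap_verdict BACKEND STATE
# STATE is what `systemctl is-active BACKEND.service` printed.
# Returns 0 when the plug-in has a running daemon behind it, 1 otherwise.
idmap_verdict() {
    case "$1" in
        sssd|winbind) ;;
        *) echo "FAIL: unrecognised cifs-idmap-plugin target"; return 1 ;;
    esac
    if [ "$2" != active ]; then
        echo "FAIL: plug-in selects $1 but $1.service is ${2:-not reported}"
        return 1
    fi
    if [ "$1" = winbind ]; then
        echo "WARN: winbind maps SMB IDs; results can differ from SSSD user mapping"
    else
        echo "OK: sssd maps SMB IDs"
    fi
}

# Constructed sample, modelled on the output shown in this section.
SAMPLE='cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
/usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib/cifs-utils/idmapwb.so - priority 10'

backend=$(printf '%s\n' "$SAMPLE" | idmap_backend)
idmap_verdict "$backend" active

# Live use on a client:
#   b=$(alternatives --display cifs-idmap-plugin | idmap_backend)
#   idmap_verdict "$b" "$(systemctl is-active "$b.service")"
```

Running the same check after every alternatives --set change catches a plug-in that points at a stopped service before users see unmapped owners on mounted shares.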
