On Fri, Jan 27, 2017 at 05:46:11PM -0000, rdratlos(a)yahoo.co.uk wrote:
> Dear Sumit,
> thank you for your quick reply and the good hints.
> Access works now as expected. The reason for the failure was one wrong libwbclient link.
> Admins really have to be careful when switching to sssd's libwbclient.so.
> In parallel, I also switched the member server to Samba's winbind to compare the
> outputs, as even up to level 10 there was no useful information in the smbd logs.
> Interestingly the output of smbcacls is now (with winbind):
> REVISION:1
> CONTROL:SR|PD|SI|DI|DP
> OWNER:Unix User\root
> GROUP:Unix Group\root
> ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
> ACL:SAMDOM\Domain Users:ALLOWED/OI|CI/READ
> ACL:SAMDOM\Department:ALLOWED/OI|CI/CHANGE
> smbcacls seems to require winbind to translate SIDs into uids/guids.
> I have to check how smbcacls does the lookup for the mapping; currently I
> have no idea why it only works with winbind.
> On the other hand getent group domain\ admins now prints:
> domain admins@samdom.com:*:512.
> I.e. on the Linux side the group member information gets lost when using winbind.
'domain users' is special because it is typically the primary group of
the AD users. But iirc there are also smb.conf options to control the
listing of group members, see e.g. winbind expand groups.
> From a long samba list discussion I have got the impression that it's more a
> philosophy question whether to use sssd or winbind on a domain member server. Do you still
> agree? Or what is your recommendation, especially when taking your long term statement
> above into account?
It might be a philosophical question for a general domain member but not
when running Samba on the domain member. Since there are a number of
limitations in SSSD's implementation of libwbclient it is more a
question of the use-case. E.g. if it is ok to restrict authentication to
the Samba fileserver to Kerberos, which in general implies that the
fully-qualified DNS name of the Samba server has to be used to access
the service, then SSSD's libwbclient might work for you. If you need NTLM
because you want to use IP addresses or short names to access the
fileserver you have to use winbind.
bye,
Sumit
>
> Best regards
>
> Thomas
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
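As an added example (not code from this thread, Samba or SSSD), a small Python parser for the smbcacls output format quoted above. It extracts the ACEs and reports trustees that are still shown as raw SIDs, which is the symptom of a failed SID-to-name lookup through libwbclient/winbind. The first sample is the output quoted in the thread; the SID-form sample and the `unresolved_trustees` check are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the smbcacls output quoted in the thread (raw string keeps the backslashes)
SAMPLE = r"""REVISION:1
CONTROL:SR|PD|SI|DI|DP
OWNER:Unix User\root
GROUP:Unix Group\root
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Users:ALLOWED/OI|CI/READ
ACL:SAMDOM\Department:ALLOWED/OI|CI/CHANGE
"""

class Ace(NamedTuple):
    trustee: str       # "SAMDOM\Domain Admins", or a raw SID when name lookup failed
    kind: str          # ALLOWED or DENIED
    flags: List[str]   # inheritance flags, e.g. ["OI", "CI"]
    perms: str         # FULL, CHANGE, READ or a raw access mask

# ACL:<trustee>:<ALLOWED|DENIED>/<flags>/<perms>; the trustee contains no ':' before the type
ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<kind>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<perms>.+)$")
# Assumed heuristic: a trustee printed in S-1-... form was never resolved to a name
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

def parse_smbcacls(text: str) -> Dict[str, object]:
    """Parse smbcacls text output into owner, group, control flags and a list of Ace."""
    acl: Dict[str, object] = {"owner": None, "group": None, "control": [], "aces": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OWNER:"):
            acl["owner"] = line[len("OWNER:"):]
        elif line.startswith("GROUP:"):
            acl["group"] = line[len("GROUP:"):]
        elif line.startswith("CONTROL:"):
            acl["control"] = line[len("CONTROL:"):].split("|")
        elif line.startswith("ACL:"):
            m = ACE_RE.match(line)
            if not m:
                raise ValueError(f"unparsable ACE line: {line!r}")
            flags = [f for f in m.group("flags").split("|") if f]
            acl["aces"].append(Ace(m.group("trustee"), m.group("kind"), flags, m.group("perms")))
    return acl

def unresolved_trustees(acl: Dict[str, object]) -> List[str]:
    """Owner, group and ACE trustees left as raw SIDs: the SID-to-name lookup did not work."""
    names = [acl["owner"], acl["group"]] + [a.trustee for a in acl["aces"]]
    return [n for n in names if n and SID_RE.match(n)]

def trustees_with(acl: Dict[str, object], perms: str) -> List[str]:
    """Trustees explicitly granted the given permission level (e.g. FULL) for an ACL review."""
    return [a.trustee for a in acl["aces"] if a.kind == "ALLOWED" and a.perms == perms]
```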