On Thu, 2017-01-26 at 09:35 +0100, Sumit Bose wrote:
On Wed, Jan 25, 2017 at 10:54:17PM -0000, smfrench(a)gmail.com wrote:
> It wasn't obvious from the documentation whether with sssd-libwbclient (only, i.e.
> without sssd-winbind-idmap installed and configured in smb.conf, since sssd-winbind-idmap
> is not available in most versions of RHEL7 as it was only recently added),
>
> Samba's uid_to_sid (function) can always do the lookup uid_to_sid to AD if using
> winbind but it wasn't clear whether this would work with sssd-libwbclient (only)
> installed and what additional Samba configuration is needed for that.
It is sufficient to install sssd-libwbclient and make sure it is used
instead of Samba's libwbclient; use the alternatives command to check
this.
No additional Samba configuration is needed but there are certain
restrictions you should be aware of. Only Kerberos authentication is
supported since SSSD cannot handle NTLM. Additionally SSSD must be
configured to return fully-qualified user and group names
('use_fully_qualified_names = True') to make
"use_fully_qualified_names = true" forces user(a)domain.com as login name (and my
NetworkManager got some problem, needs debugging though).
Why is "use_fully_qualified_names = true" required for sssd-libwbclient? We use it
without "use_fully_qualified_names = true" already so am not sure why it is
needed.
> sssd-libwbclient work as expected. The option will be set by default if
> you join the AD domain with realmd.
>
> HTH
>
> bye,
> Sumit