Proposed F19 Feature: SSSD improve AD integration

Jaroslav Reznik jreznik at
Wed Jan 23 16:55:49 UTC 2013

= Features/SSSDImproveADIntegration =

Feature owner(s): Jakub Hrozek <jhrozek at>, Sumit Bose <sbose at>

The next major release of SSSD will include support for more advanced AD 
features for domain members. This includes site support and trusted domains. 
Additionally, it will include a plugin for the cifs-utils package which will 
allow a CIFS client to use SSSD for lookups which are currently only possible 
with winbind. 

== Detailed description ==
So far, SSSD development of the AD provider has concentrated on doing the user 
and group lookups for the joined domain efficiently and with high performance. 
With the next major release of SSSD, support for some features which are 
specific to AD domains will be added. This includes:

   * Site support: AD domains which include different physical locations can be 
split into sites. Each site represents a single physical location. With 
specially crafted DNS service record lookups an AD client can find the nearest 
domain controller, i.e. the domain controller in its site. This helps to keep 
network traffic local and allows clients to talk to the server with the lowest 
   * Trusted domains: currently the SSSD AD provider can only look up users and 
groups of the joined domain. With the support of Global Catalogs, all users and 
groups of the forest the AD domain belongs to are available. Additionally, it 
is planned to follow cross-forest trusts to look up users and groups in trusted 
   * CIFS client integration: in version 5.9 of the cifs-utils a plugin 
interface for ID mapping was added. This allows cifs-utils to use other 
services than winbind for those lookups. While those lookups are not needed 
for basic operation, i.e. accessing files from a Linux client on a 
Windows/Samba file server, they are needed e.g. when accessing and modifying 
access control lists (ACLs). 
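
The site-aware lookup described under "Site support", as an added example that is not part of the original post and is not SSSD's code: it builds the site-specific and domain-wide SRV names that AD domain controllers register and merges the two answers so that DCs in the client's site are tried first. The domain `example.com`, the site name `Prague`, the host names and the helper names are assumptions, and the client's site name is taken as already known.

```python
import random
from typing import NamedTuple

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def srv_query_names(domain, site=None):
    """SRV names to query: site-specific name first, domain-wide as fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def rfc2782_order(records, rng):
    """Lowest priority value first; weighted random pick within one priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            weights = [r.weight for r in pool]
            if sum(weights) == 0:
                pick = rng.choice(pool)
            else:
                pick = rng.choices(pool, weights=weights)[0]
            pool.remove(pick)
            ordered.append(pick)
    return ordered

def candidate_servers(site_answer, domain_answer, rng=None):
    """Merge both answers: site DCs first, then the rest, without duplicates."""
    rng = rng or random.Random()
    seen, result = set(), []
    for rec in rfc2782_order(site_answer, rng) + rfc2782_order(domain_answer, rng):
        key = (rec.target.rstrip(".").lower(), rec.port)
        if key not in seen:
            seen.add(key)
            result.append(key)
    return result

# Constructed sample answers (not real DNS data): dc1/dc2 are in the client's site.
SITE_ANSWER = [Srv(0, 100, 389, "dc1.example.com."), Srv(0, 100, 389, "dc2.example.com.")]
DOMAIN_ANSWER = SITE_ANSWER + [Srv(0, 100, 389, "DC3.example.com."),
                               Srv(10, 100, 389, "dc4.example.com.")]

if __name__ == "__main__":
    print(srv_query_names("example.com", "Prague"))
    for host, port in candidate_servers(SITE_ANSWER, DOMAIN_ANSWER):
        print(host, port)
```
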
