[Freeipa-users] a bit off topic- samba + sssd => AD

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 6 15:47:36 UTC 2016


On Mon, 06 Jun 2016, lejeczek wrote:
>>>Users mapping concept (which I do not grasp completely yet) - when 
>>>an AD client (win10) now gets to samba shares okay it is done with
>>>AD user credentials, win client sees share like: user@my.dom which
>>>user is not IPA's user (there are no trusts no syncing).
>>I don't know details of what you have configured. For IPA with trusts
>>both Kerberos and passwords should work when Samba is running on IPA
>>master. For IPA client, we have procedure defined for SSSD+Samba. For
>>anything else only Kerberos would work.
>I emailed (this thread) most of the configs, if not all, ~two emails 
>ago, last Friday.
Configs were not really helpful without a bigger picture.

>>>Now, when you say mapping - this would be winbind/smb 
>>>translating/mapping AD's SIDs to match IPA's UIDs - which is/would 
>>>be different from syncing users from AD => IPA, correct?
>>SIDs to UID/GID on the system. You seem to confuse a lot in your
>>emails -- you are claiming that there is no IPA trust or sync in place
>>yet you expect somehow things to magically work, I simply don't
>>understand your situation to comment on it.
>not magically, no, it's the same one box, IPA server and at the same 
>time samba(non-IPA, might be why smbclient without kerberos does Not 
>work) + sssd to an AD.
>And now after fixing keytabs all seems to work ok, and no winbind yet 
>- thus my only question now is more about concepts, which - yes - I 
>don't grasp fully.
Ok.

>Yes I confuse, the way I understand is: my linux box now has two 
>separate user db backends, two different users catalogs, first one is 
>IPA's and the second is AD's via sssd(which samba being an AD's client 
>also uses) with no winbind at this point.
Yes, you have two different user db backends, and there is not enough
interoperability between them yet. As you can guess, this is not really
supported -- I would rather not spend time on that myself as there are
more urgent issues to fix that scale better.

>Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need 
>it? and if one then two: how to achieve it running setup like mine?
It is not a question of whether you want something. It is required, as
Windows world is different from POSIX and something needs to map between
concepts in both worlds. That something is called Samba and it requires
a proper configuration for SID/ID mapping -- which is done by winbindd.

-- 
/ Alexander Bokovoy
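The SID-to-ID mapping step discussed above, as an added illustration that is not part of the thread and not Samba's own code: a small Python model of the idmap_rid algorithm documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, together with the reverse mapping and a range-collision check. The domain SID and the 10000-999999 range are constructed values standing in for what an smb.conf "idmap config" block would declare for one AD domain.

```python
import re

# Constructed example values (not from the thread): an AD domain SID and the
# idmap range an smb.conf might assign to that domain, e.g.
#   idmap config MYDOM : backend = rid
#   idmap config MYDOM : range   = 10000-999999
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW = 10000
RANGE_HIGH = 999999
BASE_RID = 0  # idmap_rid's documented default

# Any NT SID: "S-1-<authority>-<subauth>[-<subauth>...]"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a SID string into (prefix, rid); the last sub-authority is the RID.

    Raises ValueError for strings that are not syntactically a SID.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def sid_to_id(sid, domain_sid=DOMAIN_SID, range_low=RANGE_LOW,
              range_high=RANGE_HIGH, base_rid=BASE_RID):
    """Map a SID to a POSIX ID the way idmap_rid does:
        ID = RID - BASE_RID + LOW_RANGE_ID
    Returns None when the SID belongs to another domain (BUILTIN, a foreign
    domain, a well-known SID) or the result falls outside the configured range;
    in Samba such SIDs go to the default ("*") idmap backend or stay unmapped.
    """
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        return None
    posix_id = rid - base_rid + range_low
    if not range_low <= posix_id <= range_high:
        return None
    return posix_id


def id_to_sid(posix_id, domain_sid=DOMAIN_SID, range_low=RANGE_LOW,
              range_high=RANGE_HIGH, base_rid=BASE_RID):
    """Inverse mapping: POSIX ID back to a SID, or None if the ID is outside
    this domain's range (it then belongs to IPA, local passwd, or another
    idmap domain, never to this AD domain)."""
    if not range_low <= posix_id <= range_high:
        return None
    rid = posix_id - range_low + base_rid
    return f"{domain_sid}-{rid}"


def ranges_overlap(a_low, a_high, b_low, b_high):
    """True when two ID ranges collide. With IPA users and AD users on one
    box, the AD idmap range must not intersect IPA's ID range, or two
    different identities would end up sharing a UID/GID."""
    return a_low <= b_high and b_low <= a_high


if __name__ == "__main__":
    for sid in (f"{DOMAIN_SID}-1105",          # ordinary domain user
                f"{DOMAIN_SID}-513",           # Domain Users group
                "S-1-5-32-544",                # BUILTIN\Administrators
                "S-1-5-21-9-9-9-1105"):        # same RID, different domain
        print(f"{sid:50} -> {sid_to_id(sid)}")
    print(id_to_sid(11105))
```

The two None cases in the demo loop are the point of the concept question: a RID alone says nothing, the domain SID prefix decides which idmap domain (and hence which range) applies, and anything outside a configured range has no POSIX identity at all until winbindd is told how to map it.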
