
I'm working on validating and migrating to a more robust solution to manage a growing number of Linux servers. We've traditionally been running CentOS 7.

Some of the servers are simply standalone with a few local accounts, because they are primarily running some vendor software. A few more are joined to Windows AD with sssd, and a few more are joined with winbind because they are hosting Samba shares so that Windows users can access the files. This has worked OK, but winbind is quirky, we don't have central policies, and ID mapping between Windows and Linux assigns different IDs on each local box.

Reading the Red Hat documentation, IdM with a cross-forest trust seems like the better way to go. Certificates, login, etc. are working mostly as expected (my users don't like typing in user principal names, which I don't see a way around when their account is from another domain).

However I am struggling with the SAMBA setup.

I followed this:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

but now the smb service won't start. I've been searching for some other documentation on the way to integrate these.

  • Not a direct answer to your question, but we are using SSSD with Linux file shares. SSSD lets you select an Active Directory field to use as the Linux UID, so you could use any parameter within the schema or add your own. This way, we assign a UID to each new AD user, and this stays consistent within the domain. – KHobbits May 30 '20 at 02:37
  • That's helpful, although I think using FreeIPA / IdM will also take care of this. What configuration does that, though? – Nicholas Tripp Jun 01 '20 at 12:23

1 Answer


If you want to use Samba >= 4.8.0 with shares, then you cannot use sssd; you must use winbind. If you are getting different IDs on different machines, then you are using different smb.conf files, specifically the 'idmap config' lines and/or the winbind backend. If you also throw sssd into the mix, I am not surprised you get different IDs. As I said, if you want shares, use winbind on all Unix machines with the same [global] section; if you just want authentication, then use sssd everywhere. Do not use winbind on some machines and sssd on others.

  • I only use winbind on servers providing shares because it's finicky and suboptimal. Even on the same machine with the same global conf (obviously, since it is the same machine), when I added a user to a group I had to manually clear cache files, and then the groups got new IDs, messing up all the permissions. – Nicholas Tripp Jun 01 '20 at 12:23
  • You must have a messed-up smb.conf; just adding a user to a group should not change any IDs. 99% of Samba problems are caused by either a misconfigured smb.conf or doing something stupid. – Rowland Penny Jun 06 '20 at 09:41
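As an added example illustrating the answer's point (this is not code from the original post, nor from Samba or Red Hat), the following POSIX shell script does the check the answer implies: it extracts the `idmap config` lines from two smb.conf files, normalises them, and reports whether two file servers will map the same SID to the same UID/GID. The two configs are constructed samples, and the domain name EXAMPLE, realm EXAMPLE.COM and the ID ranges are assumptions. The first sample uses only the default tdb allocator, which hands out IDs in whatever order a host first sees each SID, so two hosts disagree; the second adds the deterministic rid backend for the domain, which is what makes IDs identical across servers when the same [global] block is deployed everywhere.

```shell
#!/bin/sh
# Added example (not from the original post): check that two Samba member
# servers share the same winbind ID-mapping configuration, and show the
# idmap_rid arithmetic that makes mappings deterministic.

# Print the "idmap config" lines of an smb.conf in a normalised form
# (lower-case, spacing around ':' and '=' removed, sorted) so that two
# files can be compared as strings.
idmap_settings() {
    grep -i '^[[:space:]]*idmap config' "$1" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]*:[[:space:]]*/:/' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | sort
}

# Return 0 when both files map SIDs identically, 1 (with a report on
# stderr) when they do not.  On real hosts, feed it the output of
# "testparm -s" so that included files and defaults are accounted for.
idmap_consistent() {
    a=$(idmap_settings "$1")
    b=$(idmap_settings "$2")
    [ "$a" = "$b" ] && return 0
    printf 'idmap settings differ\n--- %s\n%s\n--- %s\n%s\n' "$1" "$a" "$2" "$b" >&2
    return 1
}

# idmap_rid maps every SID of a domain with arithmetic, so the result is
# the same on every server:  uid = RID - base_rid + low end of the range.
rid_to_uid() {  # rid_to_uid RID RANGE_LOW [BASE_RID]
    echo $(( $1 - ${3:-0} + $2 ))
}

# --- constructed sample configs (assumed domain EXAMPLE / EXAMPLE.COM) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Server A: only the default tdb allocator.  winbind hands out the next
# free ID the first time it sees a SID, so the order of first logins on
# each box decides the UIDs and two servers end up with different ones.
cat > "$TMPD/fileserver-a.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
EOF

# Server B: tdb only for the well-known/BUILTIN SIDs ('*'), and the
# deterministic rid backend for the domain itself.  Copy this [global]
# block unchanged to every file server.
cat > "$TMPD/fileserver-b.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
EOF

if idmap_consistent "$TMPD/fileserver-a.conf" "$TMPD/fileserver-b.conf"; then
    echo "servers agree on ID mapping"
else
    echo "servers will assign different IDs; align the idmap config lines"
fi
# With the rid backend, RID 1105 in the 10000-999999 range is uid 11105
# on every server, whichever host first saw the account.
echo "RID 1105 -> uid $(rid_to_uid 1105 10000)"
```

To use this against real servers, run `testparm -s /etc/samba/smb.conf > host.conf` on each host and compare the dumps pairwise; any difference in the `idmap config` lines is enough to produce the per-box IDs described in the question, and the tdb-only configuration is inconsistent by design even when the files match.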