Hi,
>> SSSD configuration options for the Winbind provider can be found in
>> /etc/sssd/sssd.api.d/sssd-winbind.conf. They correspond pretty much to
>> Winbind options normally found in smb.conf.
>
> I looked at the configuration options provided and I think some
> additions might be helpful.
>
> It should be possible to adjust "client ldap sasl wrapping", "ldap ssl",
> and "ldap ssl ads". "ldap debug level" probably not needed.

Are you sure the ldap options are used by winbind?

Yes, with ldap ssl = start tls / ldap ssl ads = yes winbindd will try to
use StartTLS. client ldap sasl wrapping affects all users of the
libads code in Samba (which are net client utility mostly).

> Not sure would "winbind use default domain = yes" be useful / possible.
> Same for "create krb5 conf = no".

I think most, if not all, comments are valid. But the idea was to have a
basic sssd winbind provider as an experimental feature in the sssd
master branch and add more features over time. Would you mind opening an
enhancement ticket in trac and adding your comments there?

Sure. I created two tickets, the first one should be pretty
straightforward, it's just about adding configuration options not
needing any additional SSSD/Winbind logic:

https://fedorahosted.org/sssd/ticket/1084

And the other for options which might require some additional logic
(e.g., template shell vs allowed_shells/vetoed_shells/shell_fallback):

https://fedorahosted.org/sssd/ticket/1085

FWIW, those who are testing the Winbind backend and joining a machine to
a 2008R2 domain should probably be aware that currently Samba does not
provide AES keys, causing issues with krb5. I've recently filed these BZs
about the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=748407
https://bugzilla.redhat.com/show_bug.cgi?id=748528

Cheers,
--
Marko Myllynen