Dear sssd users,

I would like to get information about the use of sssd with samba (centos 7, samba 4.8.3).

I need it because I configured a samba share, accessible with sssd.
The authentication is against a windows AD.

My /etc/nsswitch.conf is configured only with sssd:
passwd:     files sss
shadow:     files sss
group:      files sss

For another purpose, I set up sftpd access, also configured with sssd against the AD.

I followed some discussions on the samba user list about samba + sssd.
I would like to understand if there are some issues with sssd and samba 4.8.3 on centos 7?
Or is it with the next RHEL 8?

The RHEL 8 documentation states this:

"Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to
certain limitations, such as missing Windows access control list (ACL)
support and NT LAN Manager (NTLM) fallback, SSSD is not supported."

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers


What's confusing is that the RHEL 7 documentation says:

"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this
functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer
need to run Winbind and SSSD in parallel to access SMB shares. For
example, accessing the Access Control Lists (ACLs) no longer requires
Winbind on SSSD clients."

and

"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
For most SSSD clients, using SSSD is recommended:"

and most worrisome, in my use case:

"In environments with direct Active Directory integration where the
clients use SSSD for general Active Directory user mappings, using
Winbind for the SMB ID mapping instead of SSSD can result in
inconsistent mapping."

In my case, running samba 4.8.3 with SSSD on centos 7, do I need to:
- enable and start the winbind service, in conjunction with sssd?
- or is sssd alone enough with samba?
- Do I have to fear issues in the next release of sssd for the support of samba, especially for ACL support?

An nsswitch.conf like:
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

or

passwd:     files winbind sss
shadow:     files winbind sss
group:      files winbind sss

Does not seem to work... I tested it and this is not stable.

Best Regards,
Edouard