I’ve searched all over the web and found many articles on the subject of installing and configuring Samba, but NONE cover a computer that needs to be connected to from a Windows PC in a domain.
They all ask me for my Workgroup. I don’t have a workgroup. The Windows PCs are in an Active Directory domain.
Can anyone help me? Keep it VERY simple. I have very large ‘L’ plates where Linux is involved.
I’ve used this link to accomplish what you are trying to do. The only thing the article doesn’t really cover is the syntax of the valid users and write list for the share. I’m able to use
valid users = @"Domain Admins@example.local"
write list = @"Domain Admins@example.local"
There is one big problem with using sssd with Samba: Red Hat doesn’t actually support it.
sssd is great if you just want authentication, but as soon as you require Samba with shares, that is the time to turn sssd off and use winbind instead.
Setting up a Samba Unix domain member on Rocky Linux is much the same as any other Linux OS, you just need to know the ‘incantations’ to use.
I believe Samba + SSSD is supported with some restrictions, one restriction is that Samba is not supported on IdM servers.
The support article that 1yv0s posted describes how to do it.
Then why does the Red Hat documentation here:
Under the heading:
3.1.1. The Samba services
Red Hat only supports running Samba as a server with the winbindd service to
provide domain users and groups to the local system. Due to certain limitations,
such as missing Windows access control list (ACL) support and NT LAN Manager
(NTLM) fallback, SSSD is not supported.
I would say that was pretty unambiguous.
Yes, that seems clear until you read “What is the support status for Samba file server running on IdM clients or directly enrolled AD clients where SSSD is used as the client daemon”, excerpt:
In many deployments SSSD has already been configured for system-level authentication and authorization purposes. The sssd-winbind-idmap package provides a winbind idmap module, called idmap_sss which can be used by winbindd as an identity mapping module to leverage SSSD capabilities.
There are a few limitations, though, when the idmap_sss module is used with Red Hat Enterprise Linux 7. Please see Red Hat System Administrator Guide for more details. Therefore Red Hat currently does not recommend using the idmap_sss module for Samba file server enrolled into an IdM or AD domain.
There are a few exceptions though:
- In cases where Red Hat Enterprise Linux 7.x or 8.0 is used and where Samba/Winbind has already been configured to use the idmap_sss module and where the setup works as expected, Red Hat would still provide support for a single domain (e.g., Samba file server machine is enrolled in AD.COM and all users who want to access the Samba share are managed in this domain).
For some configurations it is supported to use SSSD with Samba, however not recommended.
In any case, Winbind is required for Samba even if you are using SSSD to authenticate users for the operating system.
Red Hat appears to be in two minds here: they do not support the use of sssd with Samba, but then again, yes you can use it.
idmap-sss is not produced by Samba, it is a package produced by Red Hat and, as far as I can see, hasn’t been updated for quite some time.
sssd works quite well against AD all by itself, but all you get is authentication and if that is all you require, then great, just use sssd. However, if you require shares, then you need the smbd binary, which for quite some time has required winbind. Winbind and sssd do virtually the same thing (they would, a lot of both was written by the same person), so there really is no point in running both. Given that you have to run winbind on a Samba Unix domain member, along with sssd’s limitations, there is absolutely no point in running sssd on a Samba Unix domain member.
Having said all that, none of this is actually helping the OP, so yes you can set up a Unix domain member on Rocky Linux 8 or 9 and if so required, I can talk him through it.
One reason for using Samba with SSSD is that the rest of the environment already uses SSSD to integrate with Active Directory. Having a consistent configuration has its advantages.
I agree that if you do not have SSSD installed previously there is no point in adding it to a Samba domain member, just use Winbind.
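As an added example (not posted by anyone in this thread, and not Red Hat's or the Samba project's own file): a minimal winbind-based smb.conf for a domain member, which also shows that the "workgroup" parameter the original question asks about takes the AD domain's short (NetBIOS) name. The domain EXAMPLE / example.local follows the reply above; the ID ranges, share name and path are assumptions.

```ini
# /etc/samba/smb.conf on the Rocky Linux member server (constructed example)
[global]
    # In an AD domain, "workgroup" is the domain's short (NetBIOS) name
    workgroup = EXAMPLE
    # "realm" is the Kerberos realm: the AD DNS domain name in upper case
    realm = EXAMPLE.LOCAL
    security = ADS

    # winbind ID mapping: the default domain (*) covers BUILTIN and local accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # AD users and groups get Unix IDs derived from their RID (assumed range)
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Shell and home directory handed to domain users by winbind
    template shell = /bin/bash
    template homedir = /home/%U

    # Store Windows ACLs in extended attributes so they can be set from Windows
    vfs objects = acl_xattr
    map acl inherit = yes

[shared]
    # Hypothetical share name and path
    path = /srv/samba/shared
    # Only members of the listed group may connect to the share
    # With winbind, domain groups are written as DOMAIN\group
    valid users = @"EXAMPLE\Domain Admins"
    # Share is read-only by default; write list members get write access
    read only = yes
    write list = @"EXAMPLE\Domain Admins"
```

After saving the file, testparm checks the syntax, and net ads join -U administrator joins the machine to the domain before smbd and winbind are started.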