1

I have been using Ubuntu 18.04 with sssd to join my servers to my Active Directory domain for a while now. This worked quite nicely, enabling me to ssh to the servers with AD users and create samba shares with AD authentication as well. What I usually do is set all the configuration files (krb5, sssd, smb.conf) and use realm join to join the server to the domain.

With Ubuntu 20 I followed my same procedure to join the server to the domain. However, I encountered an error with my smb.conf file: the smbd service wouldn't start as long as I had the setting security = ads enabled.

In order to make it work I had to run the net ads join command (this is after I already ran realm join); only then did the smbd service agree to start with the security = ads setting enabled.

Now I am left with open questions: what is the difference between net ads and realm, and what has changed between Ubuntu 18 and Ubuntu 20?

GKman

2 Answers

2

SSSD:

  • does not support NTLM, but NTLM is insecure and obsolete
  • is simpler to install (can be auto-configured using realmd)
  • does more than just Active Directory (e.g. LDAP)

Samba/Winbind/net ads:

  • is harder to secure due to its support for NTLM.
  • does not support AD DNS Aging and Scavenging (i.e. detecting if DNS entries for servers that have been removed or updated)
  • As of Oracle Linux 7, SSSD is the preferred tool, although Samba and Winbind remain fully supported.
Ron
1

Commenting on "Is it possible to have samba security=ads to work with sssd? How do I configure it?"

Adding the below directives to smb.conf worked for me:

    client signing = if_required
    kerberos method = secrets and keytab
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    workgroup = YOURWORKGROUP
    realm = yourworkgroup.com
    idmap config YOURWORKGROUP:backend = ad
    idmap config YOURWORKGROUP:schema_mode = rfc2307
    idmap config YOURWORKGROUP:range = 10000-9999999

Refer to this wiki: https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd

Andy
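An added example, not part of the answer above: a small Python check over the directives it lists, confirming that a `security = ads` configuration has a realm and workgroup set and that no two `idmap config` ranges overlap (Samba requires a distinct ID range per domain). The `[global]` header, the function names and the sample text are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the directives from the answer above, under [global].
SAMPLE = """[global]
client signing = if_required
kerberos method = secrets and keytab
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
workgroup = YOURWORKGROUP
realm = yourworkgroup.com
idmap config YOURWORKGROUP:backend = ad
idmap config YOURWORKGROUP:schema_mode = rfc2307
idmap config YOURWORKGROUP:range = 10000-9999999
"""

def parse_global(text):
    """Split [global] into plain settings and per-domain idmap options."""
    settings, idmap, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            m = re.fullmatch(r"idmap config\s+(\S+?)\s*:\s*(\w+)", key, re.I)
            if m:  # e.g. "idmap config * : range"
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                settings[" ".join(key.lower().split())] = value
    return settings, idmap

def check(text):
    """Return problems that matter for a security = ads member server."""
    settings, idmap = parse_global(text)
    problems = [f"{k} is not set" for k in ("realm", "workgroup") if not settings.get(k)]
    if settings.get("security", "").lower() != "ads":
        problems.append("security is not ads")
    ranges = []
    for dom, opts in idmap.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges.append((dom, int(m.group(1)), int(m.group(2))))
        else:
            problems.append(f"idmap config {dom}: missing or invalid range")
    for (d1, lo1, hi1), (d2, lo2, hi2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            problems.append(f"idmap ranges of {d1} and {d2} overlap")
    return problems
```

Calling `check()` on the text of a real smb.conf returns an empty list when these conditions hold; it does not replace `testparm`, which validates the file as Samba itself parses it.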