On Fri, 2011-12-02 at 10:06 -0500, Stephen Gallagher wrote:
> On Fri, 2011-12-02 at 15:59 +0100, Ondrej Valousek wrote:
> > Small update so I am not only throwing dirt on winbind:
> >
> > Winbind has still its use if you can not use / do not have RFC2307
> > attributes in AD.
> > So simply, if you want to use RFC2307 attributes, sssd is here for
> > you. If not, go for winbind. But yet I would not bother about winbind
> > plugin for sssd as it does not make too much sense - that's why we
> > have Glibc and its /etc/nsswitch.conf!
>
> Well, just to make one point, there are a few advantages to the winbind
> backend over pure winbind:
>
> 1) SSSD caching instead of nscd

Winbindd has its own caching and nscd use is not recommended with Winbindd either.

> 2) Support for multiple AD domains without trust

But complete lack of support for multiple trusted domains, which is extremely common on Windows networks.

> 3) One-to-one mapping of identity domain to authentication domain (so
> you're not exposing your password to multiple authentication domains
> until you find the right one, as with traditional PAM).

Well, this is interesting only if you have multiple unrelated identity domains to care about. I wouldn't count this as something better/worse than what Winbindd provides; Winbindd is clearly built for a single AD domain, which is the norm, and the point is already captured in 2.

4) Winbindd can use MS-RPC to handle legacy NT/Samba3 domains and NTLM authentication. SSSD has no support for any of that, nor Site discovery the Windows way, etc.

I do not want to say one is better than the other; they are different.

When I architected SSSD I was fully aware of both Winbind's limitations and good features. The point is that AD domain support was not a goal for SSSD, and so it was not built to support multiple trusted domains through one provider, or Windows-like domains. This is changing to some degree, so SSSD may grow that ability.

I am neutral on whether we should integrate winbindd through a plugin or re-implement its functionality. I can see positive and negative aspects in both approaches and I really do not have a strong preference at this stage.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
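For readers who want to see what points 1 to 3 of the thread above look like in practice, here is an illustrative sssd.conf. It is an added example, not a configuration posted by anyone in the thread or shipped by the SSSD or Samba projects; the host names, realms and search bases (corp.example.com, lab.example.com, dc1, dc=corp,...) are constructed placeholders. It shows SSSD's own entry cache standing in for nscd, two independent AD domains served side by side with no trust between them, and each domain pairing its own identity source with its own Kerberos realm so that a password is only ever sent to the KDC of the domain the user actually belongs to. The RFC2307 schema setting is the dependency Ondrej mentions: the AD objects must carry uidNumber/gidNumber attributes for this to work.

```ini
# Added example sssd.conf (constructed names, not from the thread).
[sssd]
config_file_version = 2
services = nss, pam
# Two AD domains, no trust between them: each is a fully separate
# identity+auth domain for SSSD (Stephen's point 2).
domains = corp.example.com, lab.example.com

[nss]
# Negative lookups are cached briefly so repeated misses do not hammer the DCs.
entry_negative_timeout = 15

[pam]
# How many days cached credentials stay usable when the DCs are unreachable.
offline_credentials_expiration = 7

[domain/corp.example.com]
# Identity from AD over LDAP; requires RFC2307 attributes on the AD objects.
id_provider = ldap
ldap_uri = ldap://dc1.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
# Authentication goes only to this domain's KDC (Stephen's point 3).
auth_provider = krb5
krb5_server = dc1.corp.example.com
krb5_realm = CORP.EXAMPLE.COM
# SSSD's own cache replaces nscd for these maps (Stephen's point 1):
# 90 minutes before a cached entry is refreshed from AD.
entry_cache_timeout = 5400
cache_credentials = true

[domain/lab.example.com]
id_provider = ldap
ldap_uri = ldap://dc1.lab.example.com
ldap_search_base = dc=lab,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
auth_provider = krb5
krb5_server = dc1.lab.example.com
krb5_realm = LAB.EXAMPLE.COM
entry_cache_timeout = 5400
cache_credentials = true
```

With this in place the glibc side is the usual one-liner in /etc/nsswitch.conf (`passwd: files sss` and `group: files sss`) plus pam_sss in the PAM stack, and nscd is left disabled for the passwd and group maps so there is a single cache to reason about. A quick sanity check after restarting sssd is `getent passwd someuser@corp.example.com` from each domain; if the lookup fails, the first thing to verify is that the user object really has uidNumber and gidNumber, since without them SSSD has nothing to map and winbind's idmap approach is the fallback Ondrej describes.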