SSSD vs Winbind

In a previous post, I compared the features and capabilities of Samba winbind and SSSD. In this post, I will focus on formulating a set of criteria for how to choose between SSSD and winbind. In general, my recommendation is to choose SSSD… but there are some notable exceptions.

  • The first exception is if you have a deployment of Linux systems that are already leveraging Samba winbind for integration purposes. While, in this scenario, it might be cost prohibitive to switch to SSSD – you might eventually consider switching off Samba winbind due to changing / shifting requirements. In such cases we recommend engaging with a Red Hat representative to receive an overview of the latest integration capabilities (…as SSSD and IdM technologies are actively being developed – each incorporating additional features and capabilities over time).
  • The second exception is if you use Active Directory (AD) with the NTLM protocol enabled and fallback to NTLM authentication is still a requirement for your environment. In this scenario, winbind is a better choice as SSSD does not support the NTLM protocol.
  • The third exception is if SSSD fails to support a specific feature that you require (i.e. one that winbind supports); indeed, not all use cases are addressed in the same way between SSSD and winbind. For example, SSSD does not support cross forest AD trusts when connected directly to AD (and winbind does). However, in this example, the work around is to use IdM. Being connected to IdM, SSSD recognizes other AD forests that are in trust relationships with the IdM domain. Irrespective, if there are specific features that you require, ones that SSSD fails to support, we’d be very interested to hear more about your needs.

Is Samba winbind deprecated? The answer is most certainly: no. The reality is that there’s currently a shift in emphasis from one technology to another and, as always, Red Hat is committed to supporting features and components that are (already) widely adopted and deployed while also making sure we provide support for new deployments to select the best available option. Have you shifted from Samba winbind to SSSD? If not, what’s holding you back? Let me know what you think in the comments section below.

  1. We’re starting to implement SSSD here on our new RHEL 7 systems as well as configuring our existing RHEL 6 systems with it, it’s working pretty good so far.

    1. Hello, it depends on what method you are using for UIDs and GIDs with windbind. What id mapping configuration you are using with winbind? Generally if you are Red Hat customer you can open a support case and get help. If you are not you can ask this question on the sssd-users https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/ and get help there. But anyways you will need to provide your current id mapping configuration.

    1. No. And we did some investigation and realized several things:
      – It will be very hard to accomplish and a lot of work
      – Winbind has some implementation that works for not all use cases
      – We might be able to integrate some portions of winbind to accomplish this but it will be a long road.

      So far the best options are:
      – to use IdM which can have trusts with several different forests – this is a preferred solution as it adds a lot of other benefits, not only solves this trust problem
      – use multi-domain setup in SSSD when you explicitly list the domains that you want to try for authentication and identity lookups. See this chapter in documentation for more information https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html

      1. Do you specifically know if winbind support one-way forest AD trusts? We are having problem authenticating users from trusted domain in a one-way trust environment using winbind. Bye the way, it works fine for windows member servers joining the trusting domain but not linux (redhat).

      2. I know that not all paths work. I do not know the details from the top of my head. You might be hitting a limitation of winbind or a bug. If it is a Red Hat server you can open a support case and get a definitive answer if it is a limitation or a bug and when/if it can be addressed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s