enterprise-ubuntu team mailing list archive

Re: SSSD, should I be using it?


Hello,

On 02/18/2013 11:46 PM, David Burke wrote:
> I often hear people mention SSSD as a good way to authenticate to Active Directory or Samba. Is SSSD production ready on Ubuntu? Is there a good getting started guide?

SSSD is definitely production ready. It has already been in use for a long time on Fedoras and RedHats. Although SSSD is in the universe repository, Timo Aaltonen is really providing good support for it, and it has a MIR (main inclusion request), so it will become part of main.

I don't have any getting-started guide; if it's not on Google, perhaps somebody else has it.

> From the info I've seen of it, there's a lot to configure.

Well, isn't it the same for anything else? Perhaps I am paranoid, since I need to be able to fine-tune the software as it will run on hundreds of machines, but I still believe it's the case for anything else.

> The thing that absolutely frightens me is comments saying things like "Hey make sure to add this conf option".

If somebody doesn't give the reason for such a conf line, I'd say it's either irrelevant, connected to an old bug, or just supposed to deal with a particular problem. If you have the problem, you need to check for yourself.

> After setting up pam_ldap (and cached credentials, and cron jobs to update nss, etc) once I'm rather afraid of the do everything yourself method as I know I'll make mistakes and forget things.

Great to hear I've not been the only one doing it. For Ubuntu Lucid we have used an ldap+krb5+ccreds pam.d setup. Yes, it was a little tricky, especially the krb5 delay when DNS entries were unavailable, which caused the whole login process to fail.

I guess then you have already bumped into a number of GnuTLS-related pam_ldap problems, tweaking the pam.d stack and everything. I'd say it's easier with SSSD, although sssd.conf is perhaps less documented on the Internet than /etc/ldap.conf. See its manpage, or I can provide you with mine.

> I've heard people on this list say Likewise Open is not the best, but it is certainly easy to use. I'm curious why SSSD might be a better option.

Well, perhaps then Likewise Open is an answer for you? It has a nice GUI to join the domain and everything. I will give you the reasons why we did not use Likewise Open:
1. Its functionality is crippled, and the reason for it is the fact that they are also selling the Enterprise version. The Enterprise version costs more than we can afford, and their commercial support for the Open version is costly as well.
2. If you have already configured AD with Unix attributes and gave those to users, you will not be able to use that. It's an Enterprise version feature. In your case (when I see you configured nss_update to cache the NSS data), you may wonder: 'Hey, I'll use cached NSS from LDAP and Likewise for PAM'. Nope, sorry, it doesn't work. I tested it. To get the AD Unix attributes with Likewise, you need to buy the Enterprise version.
3. I have seen a number of Ubuntu version <-> Likewise version incompatibilities. You need to make sure the version you are using works with the Ubuntu you want to use it with. Not cool.
4. Likewise ships with its own set of LDAP and Kerberos libraries. Aside from the fact it's not elegant, you need to tell other Kerberos-aware software pieces that their Kerberos library is not in /usr/lib. Hopefully, it's possible to tell Firefox where it should seek its Kerberos libs/ticket. Due to that, it may turn out you cannot use some Kerberos-aware tools because you would need to wrap all those around the Likewise Kerberos libs.
5. Likewise Open assigns very high UIDs. Aside from the fact it's not handy, we would not have a consistent UID naming scheme throughout the organization. I was told that some Solaris versions we use do not support such high UID numbers.

Aside from those above, SSSD brings a number of benefits:
1. You can separate the NSS part from the PAM part, so you can have a NIS or OpenLDAP server with just user data and you can authenticate to AD Kerberos at the same time.
2. It's fully open-source. Not a single euro spent for software/support. I guess we owe that to RedHat as it's the sponsor of the upstream software, and to Timo for .deb packaging and Ubuntu version maintenance. No strings attached.
3. Multi-arch support. You can just use libnss-sss from the foreign arch to connect to the sssd daemon running on the native arch.

> I think my requirements are fairly standard - user can log in, cached credentials work, kerberos tickets would be nice, changing passwords in a sane way would be nice.

Read those above well. It might be that none of the problems is related to your current or future environment, and it seems Likewise Open fulfils your requirements.

Of course you can do the same with SSSD.

Cheers,
Ballock
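
The NSS/PAM split Ballock describes (identity from a plain OpenLDAP server, authentication and password changes against AD Kerberos, with the cached credentials David asks for) could be expressed in sssd.conf as follows. This is an added example, not Ballock's own configuration; the LDAP server, search base, KDC and realm names are placeholders (assumptions), and the option names are those documented in the sssd.conf(5), sssd-ldap(5) and sssd-krb5(5) manpages.

```ini
# Added example sssd.conf, not the poster's configuration.
# Identity (NSS side) comes from an OpenLDAP server; authentication and
# password changes (PAM side) go to an AD Kerberos realm. All hostnames,
# the search base and the realm are placeholders (assumptions).
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
# never let the directory override the local root account
filter_users = root
filter_groups = root

[domain/example]
# NSS side: users and groups from a plain OpenLDAP (RFC 2307 schema),
# separate from the Kerberos realm used for authentication
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_schema = rfc2307
# require STARTTLS and verify the server certificate, so directory data
# is not read in the clear and a spoofed server is rejected
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
# on-demand lookups only; do not pull the whole directory into the cache
enumerate = False

# PAM side: passwords are checked and changed against AD Kerberos,
# so the LDAP server never needs to hold any password hashes
auth_provider = krb5
chpass_provider = krb5
krb5_realm = AD.EXAMPLE.INTERNAL
krb5_server = dc1.ad.example.internal

# cached credentials: a successful online login stores a salted hash so
# the same user can still log in while the KDC or DNS is unreachable
cache_credentials = True
# when a login happened offline, fetch a TGT as soon as the KDC is back
krb5_store_password_if_offline = True
```

sssd only starts if this file is owned by root with mode 0600, since the cache settings and any bind credentials that may be added later must not be world-readable.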
