What is the difference between sssd (realm join) and net ads join

sssd, ubuntu-18.04, ubuntu-20.04

I have been using Ubuntu 18.04 with sssd to join my servers to my Active Directory domain for a while now. This worked quite nicely, enabling me to ssh to the servers with AD users and create Samba shares with AD authentication as well.
What I usually do is set all the configuration files (krb5, sssd, smb.conf) and use realm join to join the server to the domain.

With Ubuntu 20 I followed my same procedure to join the server to the domain. However, I encountered an error with my smb.conf file: the smbd service wouldn't start as long as I had the setting security = ads enabled.

In order to make it work I had to run the net ads join command (this is after I already ran realm join); only then did the smbd service agree to start with the security = ads setting enabled.

Now I am left with open questions: what is the difference between net ads and realm, and what has changed between Ubuntu 18 and Ubuntu 20?

Best Answer

SSSD:

  • does not support NTLM, but NTLM is insecure and obsolete
  • is simpler to install (can be auto-configured using realmd)
  • does more than just Active Directory (e.g. LDAP)

Samba/Winbind/net ads:

  • is harder to secure due to its support for NTLM
  • does not support AD DNS Aging and Scavenging (i.e. detecting DNS entries for servers that have been removed or updated)
  • As of Oracle Linux 7, SSSD is the preferred tool, although Samba and Winbind remain fully supported.