[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 02:42:05 UTC 2020

Hi everyone,

I have a samba DC, let's call it dc1.ad.example.com.

I have two members of the domain - server1.ad.example.com and 
server2.ad.example.com.   They are not running smbd and winbind. 
Instead, they are running SSSD with AD backend.

I want to create an NFSv4 export on server1.ad.example.com and mount it 
on server2.ad.example.com (say, sec=krb5).

I found some instructions online from 2015 that said:

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

It's not clear to me why the nfs-myserver" user is created. Doesn't the 
spn apply to a host, and not a user?

Since I'm not running smbd/winbind on the two servers, would I still 
create the keytab entries for nfs/server1.ad.example.com and SERVER2$ 
using the above instructions with samba-tool on DC1? (because it looks 
like I can't use the -H ldap://dc1.ad.example.com syntax to export the 
keytab from the server (-H is not a recognized option).

As far as I understand, Samba is running its own Kerberos 
implementation.  Will the OS Kerberos on server1 and server2 (CentOS 
7.8) be compatible with the Samba Kerberos?

I like the simplicity of SSSD on the client.  Can I somehow use a 
combination of Samba Kerberos on the client *with* SSSD and not use winbind?

If anyone has done this before using SSSD, and can pass along the proper 
syntax, that would be greatly appreciated.



More information about the samba mailing list