[Samba] samba4 kerberized nfs4 with sssd ad client
jas at eecs.yorku.ca
Fri Jul 24 02:42:05 UTC 2020
I have a samba DC, let's call it dc1.ad.example.com.
I have two members of the domain - server1.ad.example.com and
server2.ad.example.com. They are not running smbd and winbind.
Instead, they are running SSSD with AD backend.
I want to create an NFSv4 export on server1.ad.example.com and mount it
on server2.ad.example.com (say, sec=krb5).
I found some instructions online from 2015 that said:
-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
It's not clear to me why the "nfs-myserver" user is created. Doesn't the
SPN apply to a host, and not a user?
Since I'm not running smbd/winbind on the two servers, would I still
create the keytab entries for nfs/server1.ad.example.com and SERVER2$
using the above instructions with samba-tool on DC1? (It looks like I
can't use the -H ldap://dc1.ad.example.com syntax to export the keytab
from the server; -H is not a recognized option.)
As far as I understand, Samba is running its own Kerberos
implementation. Will the OS Kerberos on server1 and server2 (CentOS
7.8) be compatible with the Samba Kerberos?
I like the simplicity of SSSD on the client. Can I somehow use a
combination of Samba Kerberos on the client *with* SSSD and not use winbind?
If anyone has done this before using SSSD, and can pass along the proper
syntax, that would be greatly appreciated.
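Added example, not part of the post above: after exporting a keytab with samba-tool, a practitioner would verify it before touching the NFS config. These POSIX shell functions take the text of `klist -kte /etc/krb5.keytab`, report any required principal that has no AES key, and list entries using legacy enctypes (RC4/DES) that a sec=krb5 mount should not be relying on. Host names are the poster's; the realm AD.EXAMPLE.COM and the sample klist output are assumptions constructed here.

```shell
#!/bin/sh
# Constructed sample of `klist -kte` output on server1 (assumed realm AD.EXAMPLE.COM).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/24/2020 02:00:00 nfs/server1.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/24/2020 02:00:00 nfs/server1.ad.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/24/2020 02:00:00 nfs/server1.ad.example.com@AD.EXAMPLE.COM (arcfour-hmac)
   2 07/24/2020 02:00:00 SERVER1$@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 if the principal is present with at least one AES key.
# The leading space in the pattern keeps a name from matching as a suffix of another.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -F -- " $2 (aes" >/dev/null
}

# keytab_missing KLIST_OUTPUT PRINCIPAL...
# Prints every required principal that has no AES key in the keytab.
keytab_missing() {
    out=$1
    shift
    for p in "$@"; do
        keytab_has_principal "$out" "$p" || printf '%s\n' "$p"
    done
}

# keytab_weak_enctypes KLIST_OUTPUT
# Prints "principal (enctype)" for entries keyed with RC4 or DES; prints nothing if none.
keytab_weak_enctypes() {
    printf '%s\n' "$1" \
        | grep -E -o '[^ ]+@[^ ]+ \((arcfour-hmac|des-cbc-crc|des-cbc-md5|des3-cbc-sha1)\)' || :
}

# Typical use on a real host:
#   keytab_missing "$(klist -kte /etc/krb5.keytab)" \
#       'nfs/server1.ad.example.com@AD.EXAMPLE.COM' 'SERVER1$@AD.EXAMPLE.COM'
```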