[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 02:42:05 UTC 2020


Hi everyone,

I have a samba DC, let's call it dc1.ad.example.com.

I have two members of the domain - server1.ad.example.com and 
server2.ad.example.com.   They are not running smbd and winbind. 
Instead, they are running SSSD with AD backend.

I want to create an NFSv4 export on server1.ad.example.com and mount it 
on server2.ad.example.com (say, sec=krb5).

I found some instructions online from 2015 that said:

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

It's not clear to me why the "nfs-myserver" user is created. Doesn't the 
spn apply to a host, and not a user?

Since I'm not running smbd/winbind on the two servers, would I still 
create the keytab entries for nfs/server1.ad.example.com and SERVER2$ 
using the above instructions with samba-tool on DC1? (Because it looks 
like I can't use the -H ldap://dc1.ad.example.com syntax to export the 
keytab from the server; -H is not a recognized option.)

As far as I understand, Samba is running its own Kerberos 
implementation.  Will the OS Kerberos on server1 and server2 (CentOS 
7.8) be compatible with the Samba Kerberos?

I like the simplicity of SSSD on the client.  Can I somehow use a 
combination of Samba Kerberos on the client *with* SSSD and not use winbind?

If anyone has done this before using SSSD, and can pass along the proper 
syntax, that would be greatly appreciated.

Thanks!

Jason.
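As an added example (not from the original post, and not Samba's own code), a small POSIX shell helper that derives the principal names the quoted instructions expect for a given FQDN, prints the matching samba-tool exportkeytab command to run on the DC, and checks `klist -k` output for the exact principal before sec=krb5 is attempted. It assumes the realm is the DNS domain in upper case, and the klist output below is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Samba itself.
# Assumption: the Kerberos realm is the DNS domain in upper case
# (ad.example.com -> AD.EXAMPLE.COM), the usual layout for an AD domain.

realm_of() {                 # realm_of server1.ad.example.com -> AD.EXAMPLE.COM
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

nfs_principal() {            # service principal the NFS server needs in its keytab
    printf 'nfs/%s@%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$(realm_of "$1")"
}

machine_principal() {        # AD machine account principal the NFS client uses (SERVER2$)
    printf '%s$@%s\n' "$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')" "$(realm_of "$1")"
}

exportkeytab_cmd() {         # command to run on the DC, as in the post; $1 principal, $2 keytab path
    printf 'samba-tool domain exportkeytab --principal=%s %s\n' "${1%@*}" "$2"
}

# keytab_has_principal PRINCIPAL "KLIST_OUTPUT": exit 0 if the principal is listed.
# Kerberos principal names are case-sensitive, so the match is exact: a keytab
# holding nfs/Server1.ad.example.com does not serve nfs/server1.ad.example.com,
# and a typical symptom is a "Key table entry not found" error from the GSS layer.
keytab_has_principal() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` on server1; on a real host pass
# "$(klist -k /etc/krb5.keytab)" instead.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server1.ad.example.com@AD.EXAMPLE.COM
   2 SERVER1$@AD.EXAMPLE.COM'

echo "NFS server (run on the DC): $(exportkeytab_cmd "$(nfs_principal server1.ad.example.com)" /etc/krb5.keytab)"
echo "NFS client (run on the DC): $(exportkeytab_cmd "$(machine_principal server2.ad.example.com)" /etc/krb5.keytab)"
if keytab_has_principal "$(nfs_principal server1.ad.example.com)" "$SAMPLE_KLIST"; then
    echo "server1 keytab has its nfs/ principal"
else
    echo "server1 keytab is missing its nfs/ principal"
fi
```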
