[Samba] samba4 kerberized nfs4 with sssd ad client
Jason Keltz
jas at eecs.yorku.ca
Fri Jul 24 02:42:05 UTC 2020
Hi everyone,
I have a samba DC, let's call it dc1.ad.example.com.
I have two members of the domain - server1.ad.example.com and
server2.ad.example.com. They are not running smbd and winbind.
Instead, they are running SSSD with AD backend.
I want to create an NFSv4 export on server1.ad.example.com and mount it
on server2.ad.example.com (say, sec=krb5).
I found some instructions online from 2015 that said:
-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
It's not clear to me why the "nfs-myserver" user is created. Doesn't the
SPN apply to a host, and not a user?
Since I'm not running smbd/winbind on the two servers, would I still
create the keytab entries for nfs/server1.ad.example.com and SERVER2$
using the above instructions with samba-tool on DC1? (It looks like I
can't use the -H ldap://dc1.ad.example.com syntax to export the keytab
from the server; -H is not a recognized option.)
As far as I understand, Samba is running its own Kerberos
implementation. Will the OS Kerberos on server1 and server2 (CentOS
7.8) be compatible with the Samba Kerberos?
I like the simplicity of SSSD on the client. Can I somehow use a
combination of Samba Kerberos on the client *with* SSSD and not use winbind?
If anyone has done this before using SSSD, and can pass along the proper
syntax, that would be greatly appreciated.
Thanks!
Jason.
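The 2015 recipe quoted in the post, carried through with the post's own host names and with the checks a practitioner would run before exporting anything. This is an added example, not code from the original post, from a reply on the list, or from the Samba project. Assumptions not in the post: the realm is AD.EXAMPLE.COM, exported keytabs land in /root on the DC, the members were joined with realm/adcli (which writes host entries to /etc/krb5.keytab), and ktutil (MIT Kerberos, as on CentOS 7) is used to merge the exported nfs/ key into that existing keytab rather than overwriting it. The samba-tool, ktutil, klist and kinit steps only execute when RUN=1 is set, so the helper functions can be exercised on a machine that is not a domain member.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba). Assumed names:
# realm AD.EXAMPLE.COM, DC dc1.ad.example.com, NFS server
# server1.ad.example.com, NFS client server2.ad.example.com.
set -u

REALM="AD.EXAMPLE.COM"
NFS_SERVER="server1.ad.example.com"
NFS_CLIENT="server2.ad.example.com"
EXPORT_DIR="/root"    # assumption: where exported keytabs are written on the DC

# Service principal an NFS client requests for a host FQDN: nfs/<fqdn>@REALM.
nfs_principal() { printf 'nfs/%s@%s\n' "$1" "$REALM"; }

# Machine account principal of a member: short host name, upper-cased, plus '$'.
machine_principal() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$REALM"
}

# Read 'klist -k' output on stdin; succeed only if the principal is listed.
# Header lines are skipped by requiring a numeric KVNO in column 1.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# A keytab holds a long-term key: reject anything readable beyond its owner.
keytab_perms_ok() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the DC. The "nfs-<host>" user exists only to own the key; the SPN is
# what the KDC resolves when a client asks for nfs/<fqdn>.
provision_nfs_server() {
    host="$1"; short=$(printf '%s' "$host" | cut -d. -f1)
    samba-tool user add "nfs-$short" --random-password
    samba-tool spn add "nfs/$host" "nfs-$short"
    samba-tool domain exportkeytab "$EXPORT_DIR/nfs-$short.keytab" \
        --principal="nfs/$host"
    chmod 600 "$EXPORT_DIR/nfs-$short.keytab"
}

# On the NFS server, after copying the exported file over: merge it into the
# keytab the domain join already created, then verify before editing exports.
merge_and_verify() {
    extra="$1"; principal="$2"
    printf 'rkt %s\nwkt /etc/krb5.keytab\nquit\n' "$extra" | ktutil
    chmod 600 /etc/krb5.keytab
    keytab_perms_ok /etc/krb5.keytab ||
        { echo "/etc/krb5.keytab is readable by others" >&2; return 1; }
    klist -k /etc/krb5.keytab | keytab_has_principal "$principal" ||
        { echo "missing $principal in /etc/krb5.keytab" >&2; return 1; }
    # Prove the KDC accepts the exported key before touching /etc/exports.
    kinit -k -t /etc/krb5.keytab "$principal" && kdestroy
}

if [ "${RUN:-0}" = "1" ]; then
    case "$(hostname -f)" in
        dc1.ad.example.com) provision_nfs_server "$NFS_SERVER" ;;
        "$NFS_SERVER") merge_and_verify "$EXPORT_DIR/nfs-server1.keytab" \
                           "$(nfs_principal "$NFS_SERVER")" ;;
        "$NFS_CLIENT") klist -k /etc/krb5.keytab |
                           keytab_has_principal "$(machine_principal "$NFS_CLIENT")" ;;
    esac
fi
```

The client branch only checks that the machine principal the 2015 instructions rely on is present; on a host joined with realm/adcli it normally already is, which is why the post's client-side export step may turn out to be unnecessary. Keeping the nfs/ key out of the DC's own /etc/krb5.keytab and merging it on the server avoids clobbering the host/ entries SSSD needs.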