[Samba] samba4 kerberized nfs4 with sssd ad client

L.P.H. van Belle belle at bazuin.nl
Fri Jul 24 08:29:42 UTC 2020

Depending on the OS. 

Below is tested/in production since samba 4.9.x and debian stretch
Currently running buster with samba 4.12.5 with samba and AD-Backends. 
All users have UID assigned, and "Domain Users".

This is really easy on any setup with systemd systems with samba and winbind. 

I'll show how easy this is for any debian/ubuntu related system using systemd; maybe you can use it. 
Only, I'll show you the option with winbind, not sssd, and automounting the user homedir at logon. 

# You need this if you want the same setup/Homedir for all servers, AD-DC and Members.
#  (! incl the server sharing the nfs export ) 
# This is the running setup in my production network.
# The real (samba) folder user=/home/samba/users = samba shared as \\server.fqdn\users 
# ADUC creates the users folders with : \\server.fqdn\users\%username% set in ADUC. 

# Samba users folder  = /home/samba/users
# Needed for NFS exports, a mount bind to = /exports/user
# Needed for linux logins on the other servers than where the NFS server runs
# And 
# mount bind to       = /home/users
# Only needed for linux logins on the same server where the NFS server runs,
# so all servers most probably.
# Automounter enabled for /home/users on all servers
# Now, you can login everywhere and have /home/users available on all servers. 
# Same on all servers. 

What's needed, I installed:
NFS Server: apt install samba winbind acl xattr nfs-common nfs-kernel-server nfs4-acl-tools krb5-user
NFS client: apt install winbind acl xattr nfs-common nfs4-acl-tools krb5-user 

Example Setup NFS SERVER on server1. 

### Example /etc/exports

With these options sec=sys:krb5:krb5i:krb5p

You can set this up with any other server with or without kerberos; 
if it didn't work, try sec=sys on a client. If that works, well, 
then your setup needs fixing somewhere: DNS/resolving/SPNs. 

#####  Below are the client and server configs. 

# Samba/winbind joined, and you need to add the NFS spn to the keytab file and AD.
### Server1  (NFS SERVER SPN setup)
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator

### Server1  (NFS exports setup)
# /etc/default/nfs-kernel-server

### Server1 and 2 (NFS Server and client) ! only needed if you set up as shown on server 1.

### Server 1 (NFS export setup) 
# create the nfs shared folder.
install -o root -g root -d -m 1777 /exports/users

# and load the exports. 
exportfs -rav
systemctl restart nfs-server nfs-client 

### Server1 and 2. 
mkdir /home/users  # ( the linux homedir ) 

You see/noticed that home-users.mount reflects /home/users. 
This is a must, or automounting won't work.

The path must be the same as the file-name.mount/automount
for systemd config and any mounts/automounts 

# Server1  for NFS export (mount-bind) 
# /etc/systemd/system/exports-users.mount
Description=SambaUsers Mount-bind (to /exports/users )



#### NFS server is ready to serve 

# For a client HOME-USERS. 
# The mounter ( mount --bind ) and for the NFS export. ( server 1 only) 

# /etc/systemd/system/home-users.mount
Description=SambaUsers Mount-bind (to /home/users)



### enable it 
systemctl enable home-users.mount
# test it : systemctl start home-users.mount
# test it : systemctl stop home-users.mount

# For a client HOME-USERS. 
# The mounter server2+ 

# /etc/systemd/system/home-users.mount
Description=Samba UsersHomeDir (/home/users)
Wants=network-online.target nfs-common.service
After=network-online.target nfs-common.service



### The automounter (HOME-USERS)  ( server 1 and 2 ) 
# /etc/systemd/system/home-users.automount
Description=Automount Samba UsersHomeDir



systemctl enable home-users.automount
systemctl start home-users.automount
# test it : ls /home/users

I might have forgotten something. 

Above is shown for NFS and for CIFS. (almost the same) 
This is the most important : 
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

And all servers must have an A and PTR record.
If you have multiple hostnames, use CNAME.

Enjoy, questions, just ask. 
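The archive stripped the bodies of the unit files and the export line above. As an added example (not the poster's own files), here is what they can look like, reconstructed from the paths given in the post; the client hostname pattern, the server1 FQDN, the `Options=` values and the idle timeout are assumptions.

```ini
# /etc/exports on server1 (assumed line; the post only gives the sec= list).
# Listing sys first keeps AUTH_SYS clients working; for a Kerberos-only
# export drop "sys" so no client can fall back to unauthenticated UID mapping.
/exports/users  *.ad.example.com(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check)

# /etc/systemd/system/exports-users.mount on server1: bind the real samba
# folder onto the export path, and do it before nfs-server starts.
# (home-users.mount on server1 is the same bind with Where=/home/users.)
[Unit]
Description=SambaUsers Mount-bind (to /exports/users)
Before=nfs-server.service
[Mount]
What=/home/samba/users
Where=/exports/users
Type=none
Options=bind
[Install]
WantedBy=multi-user.target

# /etc/systemd/system/home-users.mount on server2+: the NFSv4 mount itself.
# Not enabled directly; the .automount below starts it on first access.
# sec=krb5p adds integrity and privacy on the wire; krb5 is authentication only.
[Unit]
Description=Samba UsersHomeDir (/home/users)
Wants=network-online.target nfs-common.service
After=network-online.target nfs-common.service
[Mount]
What=server1.ad.example.com:/exports/users
Where=/home/users
Type=nfs4
Options=sec=krb5p,_netdev

# /etc/systemd/system/home-users.automount on server1 and server2+.
# Unit name must be the escaped path: /home/users -> home-users.automount
[Unit]
Description=Automount Samba UsersHomeDir
[Automount]
Where=/home/users
TimeoutIdleSec=600
[Install]
WantedBy=multi-user.target
```

Mounting with sec=krb5* only succeeds when server1 has the nfs/ principal in /etc/krb5.keytab (the `net ads keytab add_update_ads` line above) and the client has its host principal there, so a failure that disappears with sec=sys points at the keytab or DNS, not at the unit files.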



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> Jason Keltz via samba
> Sent: Friday 24 July 2020 4:42
> To: samba at lists.samba.org
> Subject: [Samba] samba4 kerberized nfs4 with sssd ad client
> Hi everyone,
> I have a samba DC, let's call it dc1.ad.example.com.
> I have two members of the domain - server1.ad.example.com and 
> server2.ad.example.com.   They are not running smbd and winbind. 
> Instead, they are running SSSD with AD backend.
> I want to create an NFSv4 export on server1.ad.example.com and mount it 
> on server2.ad.example.com (say, sec=krb5).
> I found some instructions online from 2015 that said:
> -> on the server I create an nfs principal and export it to the keytab
> $ samba-tool user add nfs-myserver --random-password
> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> -> on the client I use the machine keytab.
> $ samba-tool domain exportkeytab --principal=MYCLIENT$ 
> It's not clear to me why the "nfs-myserver" user is created. Doesn't the 
> spn apply to a host, and not a user?
> Since I'm not running smbd/winbind on the two servers, would I still 
> create the keytab entries for nfs/server1.ad.example.com and SERVER2$ 
> using the above instructions with samba-tool on DC1? (because it looks 
> like I can't use the -H ldap://dc1.ad.example.com syntax to export the 
> keytab from the server (-H is not a recognized option).)
> As far as I understand, Samba is running its own Kerberos 
> implementation.  Will the OS Kerberos on server1 and server2 (CentOS 
> 7.8) be compatible with the Samba Kerberos?
> I like the simplicity of SSSD on the client.  Can I somehow use a 
> combination of Samba Kerberos on the client *with* SSSD and 
> not use winbind?
> If anyone has done this before using SSSD, and can pass along the proper 
> syntax, that would be greatly appreciated.
> Thanks!
> Jason.