[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 10:57:55 UTC 2020

Hi Rowland,

In effect, I'm still using Samba on the DC, which is why I still thought this was relevant on the mailing list. :)

The reason in particular that I was looking at the sssd client as opposed to winbind was that we are running CentOS 7. I know if I want to use the latest Samba 4.12 on the clients, I'll have problems with gnutls because it's outdated in CentOS 7. Yes, someone has figured out a way around that by compiling a separate gnutls, but I'm just not 100% comfortable with that. It's still an option.

The problem is that if I spend my days figuring out how to upgrade hundreds of custom CentOS machines from 7 to 8 (which I will no doubt eventually do), then I won't have time to figure out integration of this domain into AD. If I start with AD, then I can't really use the latest 4.12. Maybe that's fine because eventually we will move to CentOS 8. However, what if a later Samba version requires an even later version of gnutls that CentOS 8 doesn't run with in the future! Then I'll again be stuck in this position and may have to upgrade the OS clients to use the later Samba. There's always going to be this chicken-and-egg problem, of course. That's just the environment we work in. That's why I was hoping that if I used SSSD then I could somewhat punt the problem. As long as the main DC was running the latest OS and could run the latest Samba, then the clients could use their SSSD to connect.

In addition, the SSSD configuration for AD is so trivial. The winbind configuration I have tested and it works, but it's definitely more complex. I have to see whether it handles token groups, because the SSSD configuration without token groups was very slow because of the number of groups. I'm not fixed on using sssd, but just thinking about all the options. There are always many ways to solve the same problem. :)


On Jul. 24, 2020, at 2:22 a.m., Rowland penny via samba <samba at lists.samba.org> wrote:
>On 24/07/2020 03:42, Jason Keltz via samba wrote:
>> Hi everyone,
>> I have a samba DC, let's call it dc1.ad.example.com.
>> I have two members of the domain - server1.ad.example.com and 
>> server2.ad.example.com.   They are not running smbd and winbind. 
>> Instead, they are running SSSD with AD backend.
>Sorry Jason, wrong mailing list, we do not produce sssd, so cannot 
>support it, because we know very little about it. I suggest you try the
>sssd-users mailing list.
>If you want to use Samba instead, I am more than willing to help you 
>with this, it is very easy and there is the bonus of being able to
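As an added illustration, not Jason's configuration and not something posted in this thread, here is what the "trivial" SSSD AD-provider setup he refers to looks like on a domain member, with the token-groups behaviour he mentions made explicit. The domain name ad.example.com is taken from the thread; every other value (the client hostname, shell, home directory layout) is an assumption made up for the example.

```ini
; /etc/sssd/sssd.conf on an AD-joined client (example, assumed values)
; The file must be owned by root and mode 0600 or sssd refuses to start.
[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
id_provider = ad
access_provider = ad          ; honour AD account disabled/expired state
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
cache_credentials = True      ; allow logon while the DC is unreachable
krb5_store_password_if_offline = True
ldap_id_mapping = True        ; derive uid/gid from the SID (no POSIX attrs needed)
use_fully_qualified_names = False
fallback_homedir = /home/%u   ; assumption: local home layout
default_shell = /bin/bash     ; assumption
; Group resolution: with tokenGroups enabled (the default for id_provider = ad)
; sssd reads the user's flattened group list from one attribute instead of
; walking nested groups with repeated LDAP queries. This is the setting whose
; absence makes a many-group domain slow, as described in the thread.
ldap_use_tokengroups = True
```

Applying this is the usual `realm join ad.example.com` (which writes a file close to the above) followed by `systemctl restart sssd`; `id someuser` on the client is the quick check that both the user and the full group list resolve, and its wall-clock time is the place where a disabled tokengroups lookup shows up first.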
