[Samba] samba4 kerberized nfs4 with sssd ad client
Jason Keltz
jas at eecs.yorku.ca
Fri Jul 24 11:25:24 UTC 2020
Thanks a lot for all the details, Louis! I will experiment with this on the 'winbind stream' of my project.
Jason.
On Jul. 24, 2020, at 4:30 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>Depending on the OS.
>
>Below is tested/in production since samba 4.9.x and debian stretch
>Currently running buster with samba 4.12.5 with samba and AD-Backends.
>All users have UID assigned, and "Domain Users".
>
>This is really easy on any setup with systemd systems with samba and
>winbind.
>
>I'll show how easy this is for any debian/ubuntu related system but
>using systemd, maybe you can use it.
>Only, I'll show you the option with winbind, not sssd, and automounting
>the user homedir at logon.
>
># You need this if you want the same setup/Homedir for all servers,
>AD-DC and Members.
># (! incl the server sharing the nfs export )
>#
># This is the running setup in my production network.
># The real (samba) folder user=/home/samba/users = samba shared as
>\\server.fqdn\users
># ADUC creates the users folders with : \\server.fqdn\users\%username%
>set in ADUC.
>
># Samba users folder = /home/samba/users
># Needed for NFS exports, a mount bind to = /exports/user
># Needed for linux logins on the other servers than the one where the NFS
>server runs
># And
># mount bind to = /home/users
># Only needed for linux logins on the same server where NFS server runs
># so all servers most probably.
>#
># Automounter enabled for /home/users on all servers
># Now, you can login everywhere and have /home/users available on all
>servers.
># Same on all servers.
>
>
>What's needed, I installed:
>NFS Server: apt install samba winbind acl xattr nfs-common
>nfs-kernel-server nfs4-acl-tools krb5-user
>NFS client: apt install winbind acl xattr nfs-common nfs4-acl-tools
>krb5-user
>
>Example Setup NFS SERVER on server1.
>
>### Example /etc/exports
>/exports
>192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
>/exports/users
>192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
>With these options sec=sys:krb5:krb5i:krb5p
>
>You can set this up with any other server, with or without Kerberos;
>if it didn't work, try sec=sys on a client; if that works, well,
>then your setup needs fixing somewhere: DNS/resolving/SPNs.
>
>##### Below are the client and server configs.
>
># Samba/winbind joined, and you need to add the NFS spn to the keytab
>file and AD.
>### Server1 (NFS SERVER SPN setup)
>net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
>
>### Server1 (NFS exports setup)
># /etc/default/nfs-kernel-server
>NEED_SVCGSSD="yes"
>
>### Server1 and 2 (NFS Server and client) ! only needed if you set up as
>shown on server 1.
>/etc/default/nfs-common
>NEED_STATD="yes"
>STATDOPTS="no"
>NEED_IDMAPD="yes"
>NEED_GSSD="yes"
>
>### Server 1 (NFS export setup)
># create the nfs shared folder.
>install -o root -g root -d -m 1777 /exports/users
>
># and load the exports.
>exportfs -rav
>systemctl restart nfs-server nfs-client
>
>### Server1 and 2.
>mkdir /home/users # ( the linux homedir )
>
>You see/noticed that home-users.mount reflects /home/users.
>This is a must, or automounting won't work.
>
>The path must be the same as the file-name.mount/automount
>for systemd config and any mounts/automounts
>
># Server1 for NFS export (mount-bind)
># /etc/systemd/system/exports-users.mount
>[Unit]
>Description=SambaUsers Mount-bind (to /exports/users )
>Wants=network-online.target
>
>[Mount]
>What=/home/samba/users
>Where=/exports/users
>Type=none
>Options=bind
>
>[Install]
>WantedBy=multi-user.target
>
>#### NFS server is ready to serve
>
>
># For a client HOME-USERS.
># The mounter ( mount --bind ) and for the NFS export. ( server 1 only)
>
>
># /etc/systemd/system/home-users.mount
>[Unit]
>Description=SambaUsers Mount-bind (to /home/users)
>Wants=network-online.target
>
>[Mount]
>What=/home/samba/users
>Where=/home/users
>Type=none
>Options=bind
>
>[Install]
>WantedBy=multi-user.target
>
>### enable it
>systemctl enable home-users.mount
># test it : systemctl start home-users.mount
># test it : systemctl stop home-users.mount
>###
>
>
># For a client HOME-USERS.
># The mounter server2+
>
># /etc/systemd/system/home-users.mount
>[Unit]
>Description=Samba UsersHomeDir (/home/users)
>Wants=network-online.target nfs-common.service
>After=network-online.target nfs-common.service
>
>[Mount]
>What=sername.fqdn.of.server1:/users
>Where=/home/users
>Type=nfs4
>Options=sec=krb5p
>
>[Install]
>WantedBy=multi-user.target
>
>
>### The automounter (HOME-USERS) ( server 1 and 2 )
># /etc/systemd/system/home-users.automount
>[Unit]
>Description=Automount Samba UsersHomeDir
>
>[Automount]
>Where=/home/users
>
>[Install]
>WantedBy=multi-user.target
>
>systemctl enable home-users.automount
>systemctl start home-users.automount
># test it : ls /home/users
>
>I might have forgotten something.
>
>Above is shown for NFS and for CIFS. (almost the same)
>This is the most important :
>net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
>net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator
>
>And all servers must have an A and PTR record.
>If you have multiple hostnames, use CNAME.
>
>Enjoy, questions, just ask.
>
>Greetz,
>
>Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Jason Keltz via samba
>> Sent: Friday 24 July 2020 4:42
>> To: samba at lists.samba.org
>> Subject: [Samba] samba4 kerberized nfs4 with sssd ad client
>>
>> Hi everyone,
>>
>> I have a samba DC, let's call it dc1.ad.example.com.
>>
>> I have two members of the domain - server1.ad.example.com and
>> server2.ad.example.com. They are not running smbd and winbind.
>> Instead, they are running SSSD with AD backend.
>>
>> I want to create an NFSv4 export on server1.ad.example.com
>> and mount it
>> on server2.ad.example.com (say, sec=krb5).
>>
>> I found some instructions online from 2015 that said:
>>
>> -> on the server I create an nfs principal and export it to the
>keytab
>> $ samba-tool user add nfs-myserver --random-password
>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
>> /etc/krb5.keytab
>>
>> -> on the client I use the machine keytab.
>> $ samba-tool domain exportkeytab --principal=MYCLIENT$
>/etc/krb5.keytab
>>
>> It's not clear to me why the "nfs-myserver" user is created.
>> Doesn't the
>> spn apply to a host, and not a user?
>>
>> Since I'm not running smbd/winbind on the two servers, would I still
>> create the keytab entries for nfs/server1.ad.example.com and SERVER2$
>
>> using the above instructions with samba-tool on DC1? (because
>> it looks
>> like I can't use the -H ldap://dc1.ad.example.com syntax to
>> export the
>> keytab from the server (-H is not a recognized option).
>>
>> As far as I understand, Samba is running its own Kerberos
>> implementation. Will the OS Kerberos on server1 and server2 (CentOS
>> 7.8) be compatible with the Samba Kerberos?
>>
>> I like the simplicity of SSSD on the client. Can I somehow use a
>> combination of Samba Kerberos on the client *with* SSSD and
>> not use winbind?
>>
>> If anyone has done this before using SSSD, and can pass along
>> the proper
>> syntax, that would be greatly appreciated.
>>
>> Thanks!
>>
>> Jason.
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
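Two details in Louis's reply are easy to get wrong and worth checking mechanically: the sec= list in /etc/exports (keeping sys in it leaves an unauthenticated AUTH_SYS path open next to the Kerberos flavours, so it belongs only in the troubleshooting step he describes) and the rule that a systemd mount unit's file name must match its Where= path. The script below is an added example, not code from the thread; it audits constructed copies of the export lines quoted above and derives the expected unit name for a path with a simplified version of what systemd-escape --path does (assumed sufficient for plain paths like the ones here).

```shell
#!/bin/sh
# Constructed copies of the two export lines from the reply above (sample input).
SAMPLE_EXPORTS='/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)'

# Expected systemd unit name for a mount path: drop the outer slashes,
# escape '-' as \x2d, turn '/' into '-' (simplified systemd-escape --path).
unit_name_for_path() {
    p=${1#/}; p=${p%/}
    printf '%s\n' "$p" | sed -e 's/-/\\x2d/g' -e 's|/|-|g'
}
# Print the sec= flavours of one exports line, space separated.
# No sec= option at all means the kernel default, which is AUTH_SYS.
export_sec_flavors() {
    opts=${1#*\(}; opts=${opts%\)}
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            sec=*) IFS=$old_ifs; printf '%s\n' "${o#sec=}" | tr ':' ' '; return 0 ;;
        esac
    done
    IFS=$old_ifs
    printf 'sys\n'
}
# Succeeds when the line still lets clients mount with sec=sys, i.e. with
# a UID the client simply asserts instead of a Kerberos identity.
export_allows_auth_sys() {
    for f in $(export_sec_flavors "$1"); do
        [ "$f" = sys ] && return 0
    done
    return 1
}
# Same line with 'sys' removed from sec= (assumes a Kerberos flavour remains),
# for once the sec=sys troubleshooting step from the reply is finished.
harden_export_line() {
    printf '%s\n' "$1" | sed -e 's/sec=sys:/sec=/' -e 's/:sys:/:/g' -e 's/:sys\([,)]\)/\1/'
}
# Print how many export lines in the given text still allow AUTH_SYS.
audit_exports() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ] && export_allows_auth_sys "$line"; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}
printf 'unit file for /home/users must be: %s.mount\n' "$(unit_name_for_path /home/users)"
printf 'export lines still allowing sec=sys: %s\n' "$(audit_exports "$SAMPLE_EXPORTS")"
```

Run it against the real /etc/exports with audit_exports "$(cat /etc/exports)" and compare unit_name_for_path output with the file names under /etc/systemd/system; the production tool for the latter is systemd-escape --path.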