[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 11:25:24 UTC 2020


Thanks a lot for all the details, Louis!  I will experiment with this on the 'winbind stream' of my project.

Jason.

On Jul. 24, 2020, 4:30 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>Depending on the OS. 
>
>Below is tested/in production since samba 4.9.x and debian stretch
>Currently running buster with samba 4.12.5 with samba and AD-Backends. 
>All users have UID assigned, and "Domain Users".
>
>This is really easy on any setup with systemd systems with samba and
>winbind. 
>
>I'll show how easy this is for any debian/ubuntu related system but
>using systemd, maybe you can use it. 
>Only, I'll show you the option with winbind, not sssd, and automounting
>the user homedir at logon. 
>
># You need this if you want the same setup/Homedir  for all server,
>AD-DC and Members.
>#  (! incl the server sharing the nfs export ) 
>#
># This is the running setup in my production network.
># The real (samba) folder user=/home/samba/users = samba shared as
>\\server.fqdn\users 
># ADUC creates the users folders with : \\server.fqdn\users\%username%
>set in ADUC. 
>
># Samba users folder  = /home/samba/users
># Needed for NFS exports, a mount bind to = /exports/user
># Needed for linux logins on the other servers than where the NFS server
>runs
># And 
># mount bind to = /home/users
># Only needed for linux logins on the same server where the NFS server runs
># so all servers most probably.
>#
># Automounter enabled for /home/users on all servers
># Now, you can login everywhere and have /home/users available on all
>servers. 
># Same all servers. 
>
>
>What's needed, I installed:
>NFS Server: apt install samba winbind acl xattr nfs-common nfs-kernel-server nfs4-acl-tools krb5-user
>NFS client: apt install winbind acl xattr nfs-common nfs4-acl-tools krb5-user 
>
>Example Setup NFS SERVER on server1. 
>
>### Example /etc/exports
>/exports        192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
>/exports/users  192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
>With these options sec=sys:krb5:krb5i:krb5p
>
>You can setup with any other server with or without kerberos, 
>if it didn't work, try sec=sys in a client, if that works, well, 
>then your setup needs fixing somewhere. DNS/resolvings/SPN's 
>
>#####  Below are the client and server configs. 
>
># Samba/winbind joined, and you need to add the NFS spn to the keytab
>file and AD.
>### Server1  (NFS SERVER SPN setup)
>net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
>
>### Server1  (NFS exports setup)
># /etc/default/nfs-kernel-server
>NEED_SVCGSSD="yes"
>
>### Server1 and 2 (NFS Server and client) ! only needed if you set up as
>shown on server 1.
>/etc/default/nfs-common
>NEED_STATD="yes"
>STATDOPTS="no"
>NEED_IDMAPD="yes"
>NEED_GSSD="yes"
>
>### Server 1 (NFS export setup) 
># create the nfs shared folder.
>install -o root -g root -d -m 1777 /exports/users
>
># and load the exports. 
>exportfs -rav
>systemctl restart nfs-server nfs-client 
>
>### Server1 and 2. 
>mkdir /home/users  # ( the linux homedir ) 
>
>You see/noticed that : home-users.mount reflects /home/users. 
>This is a must, or automounting won't work.
>
>The path must be the same as the file-name.mount/automount
>for systemd config and any mounts/automounts 
>
># Server1  for NFS export (mount-bind) 
># /etc/systemd/system/exports-users.mount
>[Unit]
>Description=SambaUsers Mount-bind (to /exports/users )
>Wants=network-online.target
>
>[Mount]
>What=/home/samba/users
>Where=/exports/users
>Type=none
>Options=bind
>
>[Install]
>WantedBy=multi-user.target
>
>#### NFS server is ready to serve 
>
>
># For a client HOME-USERS. 
># The mounter ( mount --bind ) and for the NFS export. ( server 1 only)
>
>
># /etc/systemd/system/home-users.mount
>[Unit]
>Description=SambaUsers Mount-bind (to /home/users)
>Wants=network-online.target
>
>[Mount]
>What=/home/samba/users
>Where=/home/users
>Type=none
>Options=bind
>
>[Install]
>WantedBy=multi-user.target
>
>### enable it 
>systemctl enable home-users.mount
># test it : systemctl start home-users.mount
># test it : systemctl stop home-users.mount
>### 
>
>
># For a client HOME-USERS. 
># The mounter server2+ 
>
># /etc/systemd/system/home-users.mount
>[Unit]
>Description=Samba UsersHomeDir (/home/users)
>Wants=network-online.target nfs-common.service
>After=network-online.target nfs-common.service
>
>[Mount]
>What=servername.fqdn.of.server1:/users
>Where=/home/users
>Type=nfs4
>Options=sec=krb5p
>
>[Install]
>WantedBy=multi-user.target
>
>
>### The automounter (HOME-USERS)  ( server 1 and 2 ) 
># /etc/systemd/system/home-users.automount
>[Unit]
>Description=Automount Samba UsersHomeDir
>
>[Automount]
>Where=/home/users
>
>[Install]
>WantedBy=multi-user.target
>
>systemctl enable home-users.automount
>systemctl start home-users.automount
># test it : ls /home/users
>
>I might have forgotten something. 
>
>Above is shown for NFS and for CIFS. (almost the same) 
>This is the most important : 
>net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
>net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator
>
>And all servers must have an A and PTR record.
>If you have multiple hostnames, use CNAME.
>
>Enjoy, questions, just ask. 
>
>Greetz, 
>
>Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>> Jason Keltz via samba
>> Sent: Friday, July 24, 2020 4:42
>> To: samba at lists.samba.org
>> Subject: [Samba] samba4 kerberized nfs4 with sssd ad client
>> 
>> Hi everyone,
>> 
>> I have a samba DC, let's call it dc1.ad.example.com.
>> 
>> I have two members of the domain - server1.ad.example.com and 
>> server2.ad.example.com.   They are not running smbd and winbind. 
>> Instead, they are running SSSD with AD backend.
>> 
>> I want to create an NFSv4 export on server1.ad.example.com 
>> and mount it 
>> on server2.ad.example.com (say, sec=krb5).
>> 
>> I found some instructions online from 2015 that said:
>> 
>> -> on the server I create an nfs principal and export it to the
>> keytab
>> $ samba-tool user add nfs-myserver --random-password
>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
>> /etc/krb5.keytab
>> 
>> -> on the client I use the machine keytab.
>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ 
>> /etc/krb5.keytab
>> 
>> It's not clear to me why the "nfs-myserver" user is created. 
>> Doesn't the 
>> spn apply to a host, and not a user?
>> 
>> Since I'm not running smbd/winbind on the two servers, would I still 
>> create the keytab entries for nfs/server1.ad.example.com and SERVER2$
>> using the above instructions with samba-tool on DC1? (because 
>> it looks 
>> like I can't use the -H ldap://dc1.ad.example.com syntax to 
>> export the 
>> keytab from the server (-H is not a recognized option).
>> 
>> As far as I understand, Samba is running its own Kerberos 
>> implementation.  Will the OS Kerberos on server1 and server2 (CentOS 
>> 7.8) be compatible with the Samba Kerberos?
>> 
>> I like the simplicity of SSSD on the client.  Can I somehow use a 
>> combination of Samba Kerberos on the client *with* SSSD and 
>> not use winbind?
>> 
>> If anyone has done this before using SSSD, and can pass along 
>> the proper 
>> syntax, that would be greatly appreciated.
>> 
>> Thanks!
>> 
>> Jason.
>> 
>> 
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
>
>
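As an added example (not code from either mail), a POSIX shell script that checks two things Louis's setup depends on: that each .mount/.automount file is named after its Where= path, and which sec= flavours an /etc/exports line actually offers, since a list that keeps sys lets clients skip Kerberos entirely. The unit file contents and the export line are constructed from his mail; the name escaping is a simplified form of what systemd-escape does.

```shell
#!/bin/sh
# Added example, not code from either mail. It checks the two rules Louis's
# setup relies on: a .mount/.automount file name must match its Where= path,
# and the export's sec= list decides which security flavours clients may use.
# The unit file contents and export line are constructed from his mail.

# Unit name systemd expects for a path (simplified systemd-escape -p:
# drop the leading '/', escape '-' as \x2d, then turn '/' into '-').
unit_name_for_path() {
    trimmed=$(printf '%s' "$1" | sed 's#^/*##; s#/*$##')
    if [ -z "$trimmed" ]; then printf '%s.%s\n' '-' "$2"; return 0; fi
    printf '%s.%s\n' "$(printf '%s' "$trimmed" | sed 's/-/\\x2d/g; s#/#-#g')" "$2"
}

# True when the unit file's Where= agrees with its own file name.
check_unit_where() {
    base=$(basename "$1"); suffix=${base##*.}
    where=$(sed -n 's/^Where=//p' "$1" | head -n 1)
    [ "$(unit_name_for_path "$where" "$suffix")" = "$base" ]
}

# Print the sec= flavours of one /etc/exports line (one host per line,
# as in Louis's example), space separated; empty if sec= is absent.
export_sec_flavors() {
    printf '%s' "$1" | sed -n 's/.*(\(.*\)).*/\1/p' | tr ',' '\n' \
        | sed -n 's/^sec=//p' | tr ':' ' '
}

# True when clients may use AUTH_SYS (plain UID/GID, no Kerberos) on the
# export. A line without sec= defaults to sys, so that counts as allowed.
export_allows_sys() {
    flavors=$(export_sec_flavors "$1")
    [ -z "$flavors" ] && return 0
    for f in $flavors; do [ "$f" = sys ] && return 0; done
    return 1
}

# Demo on constructed input: Louis's home-users.mount and his users export.
demo() {
    dir=$(mktemp -d)
    printf '[Mount]\nWhat=/home/samba/users\nWhere=/home/users\nType=none\nOptions=bind\n' \
        > "$dir/home-users.mount"
    check_unit_where "$dir/home-users.mount" && echo "home-users.mount: name matches Where="
    line='/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)'
    export_allows_sys "$line" && echo "export still accepts sec=sys (troubleshooting only)"
    rm -rf "$dir"
}
demo
```

Run it on a real host by pointing check_unit_where at the files under /etc/systemd/system and export_allows_sys at each line of /etc/exports once the sec=sys troubleshooting step is done.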