[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland Penny rpenny at samba.org
Fri Jul 24 12:06:45 UTC 2020

On 24/07/2020 11:57, Jason Keltz wrote:
> Hi Rowland,
> In effect, I'm still using Samba on the DC, which is why I still 
> thought this was relevant on the mailing list. :)
> The reason in particular that I was looking at sssd client as opposed 
> to winbind was that we are running CentOS 7. I know if I want to use 
> the latest Samba 4.12 on the clients, I'll have problems with gnutls 
> because it's outdated in CentOS 7.  Yes, someone has figured out a way 
> around that by compiling a separate gnutls, but I'm just not 100% 
> comfortable with that.  It's still an option.  The problem is that if 
> I spend my days figuring out how to upgrade hundreds of custom CentOS 
> machines from 7 to 8 (which I will no doubt eventually do) then I 
> won't have time to figure out integration of this domain into AD. If I 
> start with AD then I can't really use the latest 4.12. Maybe that's 
> fine because eventually we will move to CentOS 8.  However, what if a 
> later Samba version requires an even later version of gnutls that 
> CentOS 8 doesn't run with in the future!  Then I'll again be stuck in 
> this position and may have to upgrade the OS clients to use the later 
> Samba. There's always going to be this chicken and egg problem of 
> course. That's just the environment we work in. That's why I was 
> hoping that if I used SSSD then I could somewhat punt the problem. As 
> long as the main DC was running the latest OS and could run the latest 
> Samba then the clients could use their SSSD to connect.  In addition, 
> the SSSD configuration for AD is so trivial.  The winbind 
> configuration, I have tested and it works but it's definitely more 
> complex. I have to see whether it handles token groups because the 
> SSSD configuration without token groups was very slow using SSSD 
> because of the number of groups.  I'm not fixed at using sssd but just 
> thinking about all the options. There are always many ways to solve 
> the same problem. :)
Hi, I am not saying you cannot use sssd, I am just saying that we do not 
support it, because we do not produce it and have little knowledge of it.

We do produce winbind, so we can support it and I cannot understand why 
anyone thinks setting up sssd is easier than Samba. If you require 
shares and are using Samba >= 4.8.0, then you cannot use sssd. If you 
don't require shares and do want to use Samba, then you can, but you 
will need to set up two conf files, smb.conf and sssd's.
