[Samba] samba4 kerberized nfs4 with sssd ad client

Christian Naumer cn at brain-biotech.de
Fri Jul 24 11:35:22 UTC 2020

On 24.07.20 at 12:57, Jason Keltz via samba wrote:
> The reason in particular that I was looking at sssd client as opposed to winbind was that we are running CentOS 7. I know if I want to use the latest Samba 4.12 on the clients, I'll have problems with gnutls because it's outdated in CentOS 7. Yes, someone has figured out a way around that by compiling a separate gnutls, but I'm just not 100% comfortable with that. It's still an option. The problem is that if I spend my days figuring out how to upgrade hundreds of custom CentOS machines from 7 to 8 (which I will no doubt eventually do) then I won't have time to figure out integration of this domain into AD. If I start with AD then I can't really use the latest 4.12. Maybe that's fine because eventually we will move to CentOS 8. However, what if a later Samba version requires an even later version of gnutls that CentOS 8 doesn't run with in the future! Then I'll again be stuck in this position and may have to upgrade the OS clients to use the later Samba. There's always going to be this chicken and egg problem of course. That's just the environment we work in. That's why I was hoping that if I used SSSD then I could somewhat punt the problem. As long as the main DC was running the latest OS and could run the latest Samba then the clients could use their SSSD to connect. In addition, the SSSD configuration for AD is so trivial. The winbind configuration, I have tested and it works but it's definitely more complex. I have to see whether it handles token groups because the SSSD configuration without token groups was very slow using SSSD because of the number of groups. I'm not fixed at using sssd but just thinking about all the options. There are always many ways to solve the same problem. :)

I can't say much about the NFS part here. However, my laptop uses SSSD
as client software and I mount our Samba shares via pam_mount and
Kerberos. This all works fine. So I suspect that this should also work
with NFS. The IDs of your users need to be the same as on the server;
otherwise, I haven't found a restriction.



Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman of the Management Board), Manfred Bender
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
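For the ID requirement mentioned in the reply above (client UIDs and GIDs must match the server's), here is an added example of an sssd.conf AD-provider section. It is not from the thread or from either poster, and the domain `ad.example.com` / realm `AD.EXAMPLE.COM` are placeholders. It takes UIDs and GIDs from the POSIX attributes stored in AD (`uidNumber`/`gidNumber`) instead of SSSD's default SID-based algorithmic mapping, so every client and the file server resolve a user to the same numeric ID; it also keeps token-group lookups enabled, which is the SSSD setting behind the slow-group-enumeration remark in the quoted message.

```ini
# /etc/sssd/sssd.conf (added example, placeholder domain; mode 0600, owned by root)
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM

# Read uidNumber/gidNumber from AD rather than deriving IDs from the SID.
# With this setting the numeric IDs are identical on every client and on
# the file server, but every account that needs access must carry these
# attributes in AD; accounts without them will not resolve.
ldap_id_mapping = False

# Resolve group membership from the tokenGroups attribute in one lookup
# instead of enumerating each group. This is the default for the AD
# provider and is what keeps lookups fast for users in many groups.
ldap_use_tokengroups = True

fallback_homedir = /home/%u
default_shell = /bin/bash
cache_credentials = True
```

After restarting sssd, `id someuser` on a client and on the file server should print the same uid and gid; a mismatch there is what surfaces as wrong file ownership on a Kerberized mount even though authentication succeeds.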
