[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 14:25:35 UTC 2020

On 7/24/2020 9:06 AM, Christian Naumer via samba wrote:

> On 24.07.20 at 14:51, Rowland penny via samba wrote:
>> NFS shares != Samba shares and 'mounting' != hosting Samba shares ;-)
>> Up until Samba 4.8.0, 'smbd' (the fileserver component on a Unix domain
>> member) could contact AD directly, but after 4.8.0, smbd must now go
>> through winbind, sssd uses some of the winbind code, so it is
>> incompatible with winbind.
>> As I said, you can use sssd for authentication, but if you want to
>> serve files, you will have to use Samba with winbind.
> Hi Rowland,
> I was just referring to use a _client_! I am aware of the other
> limitations and use winbind on the server side.

On the DC, we run Samba, and on our Samba file server, we run Samba.
Our large number of Windows hosts will continue to mount shares like
home directories directly from the file server via the Samba/winbind
combination.  In order to simplify the file serving for the Linux
clients, I was hoping that our Linux-only clients could mount their NFS
shares directly from the NFS file servers using a combination of SSSD,
NFSv4, and Kerberos.  I understand that may be possible, but I haven't
been able to find the steps to follow to do that.  Rowland - I know, I
won't necessarily find that on the Samba list. :)  My alternative is to
use samba/winbind everywhere, then everything is mostly laid out.  I
just have to try it.  I like to see the solution from different
angles.  The other solution is to use the Red Hat IPA for Linux users,
and Samba for Windows users, but now I have multiple products to contend
with, more upgrade issues, and more headaches.

Does winbind use token groups?  When I was experimenting with SSSD
without token groups, a user who was a member of 20+ groups would take
a 25+ second pause to log in.  When I enabled token groups, that delay
went away entirely.  In addition, when using samba/winbind for auth,
running on individual Linux clients, could I restrict the AD groups that
can log in to individual hosts via, say, SSH through the samba/winbind
config?  I know this is generally handled by group policy, but there are
various issues associated with group policy under Linux.  I liked the
simple approach with SSSD to enabling access to individual hosts via a
user/group list.  I have synced all Linux users to AD, and now all
groups as well, including uid/gid.
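As an added example (not configuration from the post above, and not from the Samba or SSSD projects), here is the shape of an sssd.conf for a Linux-only NFSv4 client that covers the two points raised: group resolution via token groups, and restricting which AD groups may log in to a given host through a static list rather than through group policy. The domain example.com, the realm EXAMPLE.COM, the group names, the user name and the key-tab path are placeholders; the comments say which settings are SSSD defaults and which are explicit choices tied to the setup described (uid/gid already synced into AD).

```ini
# /etc/sssd/sssd.conf -- added example, not configuration from the post.
# Domain, realm, group and user names below are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Keytab written by the domain join (realm join / adcli join). The host/
# principal in it is also what rpc.gssd presents for a sec=krb5* NFS mount.
krb5_keytab = /etc/krb5.keytab

# Take uid/gid from the uidNumber/gidNumber attributes on the AD objects
# instead of SSSD's SID-based ID mapping, since the IDs were synced into AD.
ldap_id_mapping = false

# Resolve group membership from the tokenGroups attribute in one lookup
# instead of walking memberOf/member one group at a time. This is the
# default for the ad provider; it is spelled out because setting it to
# false is what produces the long login pause for users in many groups.
ldap_use_tokengroups = true

# Per-host access control from a static group list. The alternative,
# access_provider = ad, evaluates the GPO logon rights
# (ad_gpo_access_control), which is the group-policy path being avoided.
# Anyone not matched by an allow rule is denied.
access_provider = simple
simple_allow_groups = linux-admins, eecs-staff
# simple_allow_users = jas

cache_credentials = true
```

The file must be mode 0600 and owned by root or sssd refuses to start. After restarting sssd, `id jas` confirms the group list resolves, and `sssctl user-checks jas -s sshd -a acct` shows the access decision the simple provider would return for an SSH login without actually logging in. For the NFS side, the same host keytab serves rpc.gssd; the mount itself is an ordinary NFSv4 entry with a Kerberos security flavour, for example `nfs.example.com:/export/home /home nfs4 sec=krb5p,_netdev 0 0` (krb5 authenticates only, krb5i adds integrity, krb5p adds encryption), with `Domain = example.com` in /etc/idmapd.conf on both ends so that the user@domain names NFSv4 sends map back to the synced uid/gid values, and an `nfs/` service principal in the NFS server's keytab.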
