[Samba] samba4 kerberized nfs4 with sssd ad client
jas at eecs.yorku.ca
Fri Jul 24 14:25:35 UTC 2020
On 7/24/2020 9:06 AM, Christian Naumer via samba wrote:
> Am 24.07.20 um 14:51 schrieb Rowland penny via samba:
> NFS shares != Samba shares and 'mounting' != hosting Samba shares ;-)
> Up until Samba 4.8.0, 'smbd' (the fileserver component on a Unix domain
> member) could contact AD directly, but after 4.8.0 , smbd must now go
> through winbind, sssd uses some of the winbind code, so it is
> incompatible with winbind.
> As I said, you can use sssd for authentication, but if you want to
> server files, you will have to use Samba with winbind.
> Hi Rowland,
> I was just referring to use a _client_! I am aware of the other
> limitations and use winbind on the server side.
On the DC, we run Samba, and on our Samba file server, we run Samba.
Our large number of Windows hosts will continue to mount shares like
home directories directly from the file server via Samba/winbind
combination. In order to simplify the file serving for the Linux
clients, I was hoping that our Linux only clients could mount their NFS
shares directly from the NFS file servers using a combination of SSSD,
NFSv4, and Kerberos. I understand that may be possible, but I haven't
been able to find the steps to follow to do that. Rowland - I know, I
won't find that necessarily on the Samba list. :) My alternative is to
use samba/winbind everywhere, then everything is mostly laid out. I
just have to try it. I like to see the solution from different
angles. The other solution is to use the Red Hat IPA for Linux users,
and Samba for Windows users, but now I have multiple products to contend
with, more upgrade issues, and more headaches.
Does winbind use token groups? When I was experimenting with SSSD
without token groups, a user that was a member of 20+ groups, would take
25+ second pause to login. When I enabled token groups, that delay went
away entirely. In addition, when using samba/winbind for auth,
running on individual Linux clients, could I restrict the AD groups that
can login to individual hosts via say, SSH through the samba/winbind
config? I know this is generally handled by group policy, but there are
various issues associated with group policy under Linux. I liked the
simple approach with SSSD to enabling access to individual hosts via a
user/group list. I have synced all Linux users to AD, and now all
groups as well including uid/gid.
More information about the samba