[Samba] samba4 kerberized nfs4 with sssd ad client

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 14:45:07 UTC 2020

On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>> Hi Rowland,
>> In effect, I'm still using Samba on the DC, which is why I still 
>> thought this was relevant on the mailing list. :)
>> The reason in particular that I was looking at sssd client as opposed 
>> to winbind was that  we are running CentOS 7. I know if I want to use 
>> the latest Samba 4.12 on the clients, I'll have problems with gnutls 
>> because it's outdated in CentOS 7.  Yes, someone has figured out a 
>> way around that by compiling a separate gnutls, but I'm just not 100% 
>> comfortable with that. It's still an option.  The problem is that if 
>> I spend my days figuring out how to upgrade hundreds of custom CentOS 
>> machines from 7 to 8 (which I will no doubt eventually do) then I 
>> won't have time to figure out integration of this domain into AD. If 
>> I start with AD then I can't really use the latest  4.12. maybe 
>> that's fine because eventually we will move to CentOS 8. However, 
>> what if a later Samba version requires  an even later version of  
>> gnutls that CentOS 8 doesn't run with in the future!  Then I'll again 
>> be stuck in this position and may have to upgrade the OS clients to 
>> use the later Samba.  There's al
>>   ways going to be this chicken and egg problem of course. That's 
>> just the environment we work in. That's why I was hoping that if I 
>> used SSSD then I could somewhat punt the problem . As long as the 
>> main DC was running the latest OS and could run the latest Samba then 
>> the clients could use their SSSD to connect. In addition, the SSSD 
>> configuration for AD is so trivial.  The winbind configuration, I 
>> have tested and it works but it's definitely more complex. I have to 
>> see whether it handles token groups because the SSSD configuration 
>> without token groups was very slow using SSSD because of the number 
>> of groups.  I'm not fixed at using sssd but just thinking about all 
>> the options. There are always many ways to solve the same problem. :)
>> Jason.
>> On Jul. 24, 2020, 2:22 a.m., Rowland penny via samba 
>> <samba at lists.samba.org> wrote:
>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>> Hi everyone,
>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>> I have two members of the domain - server1.ad.example.com and
>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>> Instead, they are running SSSD with AD backend.
>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>> support it, because we know very little about it. I suggest you try the
>>> sssd-users mailing list.
>>> If you want to use Samba instead, I am more than willing to help you
>>> with this, it is very easy and there is the bonus of being able to
>>> share files.
>>> Rowland
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
> Hi Jason,
> I have got a few CentOS servers as Samba AD members. I found out that 
> upgrading them to CentOS 8 isn't worth the hassle, a completely 
> different paradigm, and lots of migration issues to solve. As you have 
> got lots of machines, it could probably pay off to create your own 
> solution, but in your place, I would get nervous that every new update 
> would break something.
> I'm going to migrate my few servers to Debian Buster instead. It seems 
> to be a much less painful way. Up until recently, I have exclusively 
> used CentOS, but I have found Debian very capable, and not very 
> different to work with, compared to CentOS 7. The update policy is 
> also fairly conservative.
> Just my five cents...
> Best regards,
> Peter 

Hi Peter,

Our client systems need to continue to run CentOS because a variety of 
software that we use requires CentOS/RHEL.  Some of the software is very 
version specific.  I can't even upgrade to CentOS 8 until certain 
software is compatible with 8.  Running a separate Linux distribution on 
the servers and the clients is possible, of course, but in a small team, 
just a headache to handle multiple OS paths.   If we were a bigger team, 
this is definitely something I would consider though.
