[Samba] samba4 kerberized nfs4 with sssd ad client
Rowland penny
rpenny at samba.org
Fri Jul 24 14:53:46 UTC 2020
On 24/07/2020 15:45, Jason Keltz via samba wrote:
>
> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>
>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>> Hi Rowland,
>>>
>>> In effect, I'm still using Samba on the DC, which is why I still
>>> thought this was relevant on the mailing list. :)
>>>
>>> The reason in particular that I was looking at sssd client as
>>> opposed to winbind was that we are running CentOS 7. I know if I
>>> want to use the latest Samba 4.12 on the clients, I'll have problems
>>> with gnutls because it's outdated in CentOS 7. Yes, someone has
>>> figured out a way around that by compiling a separate gnutls, but
>>> I'm just not 100% comfortable with that. It's still an option. The
>>> problem is that if I spend my days figuring out how to upgrade
>>> hundreds of custom CentOS machines from 7 to 8 (which I will no
>>> doubt eventually do) then I won't have time to figure out
>>> integration of this domain into AD. If I start with AD then I can't
>>> really use the latest 4.12. Maybe that's fine because eventually we
>>> will move to CentOS 8. However, what if a later Samba version
>>> requires an even later version of gnutls that CentOS 8 doesn't run
>>> with in the future! Then I'll again be stuck in this position and
>>> may have to upgrade the OS clients to use the later Samba. There's
>>> always going to be this chicken and egg problem of course. That's
>>> just the environment we work in. That's why I was hoping that if I
>>> used SSSD then I could somewhat punt the problem. As long as the
>>> main DC was running the latest OS and could run the latest Samba
>>> then the clients could use their SSSD to connect. In addition, the
>>> SSSD configuration for AD is so trivial. The winbind configuration,
>>> I have tested and it works but it's definitely more complex. I have
>>> to see whether it handles token groups because the SSSD
>>> configuration without token groups was very slow using SSSD because
>>> of the number of groups. I'm not fixed at using sssd but just
>>> thinking about all the options. There are always many ways to solve
>>> the same problem. :)
>>>
>>> Jason.
>>>
>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>> Hi everyone,
>>>>>
>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>
>>>>> I have two members of the domain - server1.ad.example.com and
>>>>> server2.ad.example.com. They are not running smbd and winbind.
>>>>> Instead, they are running SSSD with AD backend.
>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>> support it, because we know very little about it. I suggest you try
>>>> the sssd-users mailing list.
>>>>
>>>> If you want to use Samba instead, I am more than willing to help you
>>>> with this, it is very easy and there is the bonus of being able to
>>>> share files.
>>>>
>>>> Rowland
>>>>
>> Hi Jason,
>>
>> I have got a few CentOS servers as Samba AD members. I found out that
>> upgrading them to CentOS 8 isn't worth the hassle, a completely
>> different paradigm, and lots of migration issues to solve. As you
>> have got lots of machines, it could probably pay off to create your
>> own solution, but in your place, I would get nervous that every new
>> update would break something.
>>
>> I'm going to migrate my few servers to Debian Buster instead. It
>> seems to be a much less painful way. Up until recently, I have
>> exclusively used CentOS, but I have found Debian very capable, and
>> not very different to work with, compared to CentOS 7. The update
>> policy is also fairly conservative.
>>
>> Just my five cents...
>>
>> Best regards,
>>
>> Peter
>
>
> Hi Peter,
>
> Our client systems need to continue to run CentOS because a variety of
> software that we use requires CentOS/RHEL. Some of the software is
> very version specific. I can't even upgrade to CentOS 8 until certain
> software is compatible with 8. Running a separate Linux distribution
> on the servers and the clients is possible, of course, but in a small
> team, just a headache to handle multiple OS paths. If we were a
> bigger team, this is definitely something I would consider though.
>
> Jason.
>
>
Rule one: Never run software that is tied to a specific OS, you get
trapped, as you have found. If some entity tries selling you software
that requires a specific OS (and worse a specific version), tell them to
**** off.
Just what are these 'softwares' that require CentOS?
Rowland