[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland penny rpenny at samba.org
Fri Jul 24 14:53:46 UTC 2020


On 24/07/2020 15:45, Jason Keltz via samba wrote:
>
> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>
>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>> Hi Rowland,
>>>
>>> In effect, I'm still using Samba on the DC, which is why I still 
>>> thought this was relevant on the mailing list. :)
>>>
>>> The reason in particular that I was looking at sssd client as 
>>> opposed to winbind was that  we are running CentOS 7. I know if I 
>>> want to use the latest Samba 4.12 on the clients, I'll have problems 
>>> with gnutls because it's outdated in CentOS 7. Yes, someone has 
>>> figured out a way around that by compiling a separate gnutls, but 
>>> I'm just not 100% comfortable with that. It's still an option.  The 
>>> problem is that if I spend my days figuring out how to upgrade 
>>> hundreds of custom CentOS machines from 7 to 8 (which I will no 
>>> doubt eventually do) then I won't have time to figure out 
>>> integration of this domain into AD. If I start with AD then I can't 
>>> really use the latest  4.12. maybe that's fine because eventually we 
>>> will move to CentOS 8. However, what if a later Samba version 
>>> requires  an even later version of  gnutls that CentOS 8 doesn't run 
>>> with in the future!  Then I'll again be stuck in this position and 
>>> may have to upgrade the OS clients to use the later Samba. There's al
>>>   ways going to be this chicken and egg problem of course. That's 
>>> just the environment we work in. That's why I was hoping that if I 
>>> used SSSD then I could somewhat punt the problem . As long as the 
>>> main DC was running the latest OS and could run the latest Samba 
>>> then the clients could use their SSSD to connect. In addition, the 
>>> SSSD configuration for AD is so trivial.  The winbind configuration, 
>>> I have tested and it works but it's definately more complex. I have 
>>> to see whether it handles token groups because the SSSD 
>>> configuration without token groups was very slow using SSSD because 
>>> of the number of groups.  I'm not fixed at using sssd but just 
>>> thinking about all the options. There are always many ways to solve 
>>> the same problem. :)
>>>
>>> Jason.
>>>
>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba 
>>> <samba at lists.samba.org> wrote:
>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>> Hi everyone,
>>>>>
>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>
>>>>> I have two members of the domain - server1.ad.example.com and
>>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>>> Instead, they are running SSSD with AD backend.
>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>> support it, because we know very little about it. I suggest you try 
>>>> the
>>>>
>>>> sssd-users mailing list.
>>>>
>>>> If you want to use Samba instead, I am more than willing to help you
>>>> with this, it is very easy and there is the bonus of being able to
>>>> share
>>>> files.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>> Hi Jason,
>>
>> I have got a few CentOS servers as Samba AD members. I found out that 
>> upgrading them to CentOS 8 isn't worth the hazzle, a completely 
>> different paradigm, and lots of migration issues to solve. As you 
>> have got lots of machines, it could probably pay off to create your 
>> own solution, but in your place, I would get nervous that every new 
>> update would break something.
>>
>> I'm going to migrate my few servers to Debian Buster instead. It 
>> seems to be a much less painful way. Up until recently, I have 
>> exclusively used CentOS, but I have found Debian very capable, and 
>> not very different to work with, compared to CentOS 7. The update 
>> policy is also fairly conservative.
>>
>> Just my five cents...
>>
>> Best regards,
>>
>> Peter 
>
>
> Hi Peter,
>
> Our client systems need to continue to run CentOS because a variety of 
> software that we use requires CentOS/RHEL.  Some of the software is 
> very version specific.  I can't even upgrade to CentOS 8 until certain 
> software is compatible with 8.  Running a separate Linux distribution 
> on the servers and the clients is possible, of course, but in a small 
> team, just a headache to handle multiple OS paths.   If we were a 
> bigger team, this is definately something I would consider though.
>
> Jason.
>
>
Rule one: Never run software that is tied to a specific OS, you get 
trapped, as you have found. If some entity tries selling you software 
that requires a specific OS (and worse a specific version), tell them to 
**** off.

Just what are these 'softwares' that require Centos ?

Rowland





More information about the samba mailing list