[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland penny rpenny at samba.org
Fri Jul 24 15:18:10 UTC 2020

On 24/07/2020 16:03, Jason Keltz via samba wrote:
> On 7/24/2020 10:53 AM, Rowland penny via samba wrote:
>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>> Hi Rowland,
>>>>> In effect, I'm still using Samba on the DC, which is why I still 
>>>>> thought this was relevant on the mailing list. :)
>>>>> The reason in particular that I was looking at sssd client as 
>>>>> opposed to winbind was that we are running CentOS 7. I know if I 
>>>>> want to use the latest Samba 4.12 on the clients, I'll have 
>>>>> problems with gnutls because it's outdated in CentOS 7. Yes, 
>>>>> someone has figured out a way around that by compiling a separate 
>>>>> gnutls, but I'm just not 100% comfortable with that. It's still an 
>>>>> option.  The problem is that if I spend my days figuring out how 
>>>>> to upgrade hundreds of custom CentOS machines from 7 to 8 (which I 
>>>>> will no doubt eventually do) then I won't have time to figure out 
>>>>> integration of this domain into AD. If I start with AD then I 
>>>>> can't really use the latest 4.12. Maybe that's fine because 
>>>>> eventually we will move to CentOS 8. However, what if a later 
>>>>> Samba version requires an even later version of gnutls that CentOS 
>>>>> 8 doesn't run with in the future!  Then I'll again be stuck in 
>>>>> this position and may have to upgrade the OS clients to use the 
>>>>> later Samba. There's always going to be this chicken and egg 
>>>>> problem of course. That's 
>>>>> just the environment we work in. That's why I was hoping that if I 
>>>>> used SSSD then I could somewhat punt the problem. As long as the 
>>>>> main DC was running the latest OS and could run the latest Samba 
>>>>> then the clients could use their SSSD to connect. In addition, the 
>>>>> SSSD configuration for AD is so trivial.  The winbind 
>>>>> configuration, I have tested and it works but it's definitely more 
>>>>> complex. I have to see whether it handles token groups because the 
>>>>> SSSD configuration without token groups was very slow using SSSD 
>>>>> because of the number of groups.  I'm not fixed at using sssd but 
>>>>> just thinking about all the options. There are always many ways to 
>>>>> solve the same problem. :)
>>>>> Jason.
>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba 
>>>>> <samba at lists.samba.org> wrote:
>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>> Hi everyone,
>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>> support it, because we know very little about it. I suggest you 
>>>>>> try the
>>>>>> sssd-users mailing list.
>>>>>> If you want to use Samba instead, I am more than willing to help you
>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>> share
>>>>>> files.
>>>>>> Rowland
>>>> Hi Jason,
>>>> I have got a few CentOS servers as Samba AD members. I found out 
>>>> that upgrading them to CentOS 8 isn't worth the hassle, a 
>>>> completely different paradigm, and lots of migration issues to 
>>>> solve. As you have got lots of machines, it could probably pay off 
>>>> to create your own solution, but in your place, I would get nervous 
>>>> that every new update would break something.
>>>> I'm going to migrate my few servers to Debian Buster instead. It 
>>>> seems to be a much less painful way. Up until recently, I have 
>>>> exclusively used CentOS, but I have found Debian very capable, and 
>>>> not very different to work with, compared to CentOS 7. The update 
>>>> policy is also fairly conservative.
>>>> Just my five cents...
>>>> Best regards,
>>>> Peter 
>>> Hi Peter,
>>> Our client systems need to continue to run CentOS because a variety 
>>> of software that we use requires CentOS/RHEL.  Some of the software 
>>> is very version specific.  I can't even upgrade to CentOS 8 until 
>>> certain software is compatible with 8. Running a separate Linux 
>>> distribution on the servers and the clients is possible, of course, 
>>> but in a small team, just a headache to handle multiple OS paths.   
>>> If we were a bigger team, this is definitely something I would 
>>> consider though.
>>> Jason.
>> Rule one: Never run software that is tied to a specific OS, you get 
>> trapped, as you have found. If some entity tries selling you software 
>> that requires a specific OS (and worse a specific version), tell them 
>> to **** off.
>> Just what are these 'softwares' that require Centos ?
>> Rowland 
> Hi Rowland,
> If only we had that choice our lives would be so much easier! In the 
> education world, we are told the software that needs to run and we 
> need to provide the environment that will suitably run it. :) At the 
> moment, the software that comes to mind on first thought is 
> engineering software like Cadence (which plans to support RHEL8 soon), 
> Synopsys (which may support it), and COMSOL, but this is just at first 
> thought.  We support hundreds of packages.
> Jason.
Sounds like our education system here in the UK, don't go with what's 
best and open, go with whatever the salesman tells you is better. I 
personally wouldn't believe anything a salesman says, probably because 
every salesman I have met has turned out to be an inveterate liar ;-)
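
As an added illustration, not part of this thread and not something Rowland, Jason or Peter posted: a minimal /etc/sssd/sssd.conf for the AD-backed domain member setup Jason describes (the domain names are the thread's own hypothetical ad.example.com / AD.EXAMPLE.COM), with the tokenGroups lookup made explicit, since the thread reports that group resolution without it was very slow for a user in many groups. The keytab path and home directory layout are assumptions.

```ini
# /etc/sssd/sssd.conf  (added example; not from the thread)
# Domain names follow the thread's hypothetical dc1.ad.example.com setup.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
# Host keytab written by "net ads join" / "realm join" (assumed path)
krb5_keytab = /etc/krb5.keytab
# Resolve group membership from the AD tokenGroups attribute in one lookup
# instead of walking each group; this is the slow path the thread mentions
ldap_use_tokengroups = True
# Derive POSIX UIDs/GIDs from SIDs; set to False only if uidNumber/gidNumber
# are populated in AD (they must then match what the NFS server sees)
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
cache_credentials = True
```

The file must be owned by root with mode 0600 or sssd will refuse to start; after editing, run `sss_cache -E` so stale group lists are not served from the cache. For the Kerberized NFSv4 in the subject line the member also needs an nfs/ service principal in its keytab for rpc.gssd, which this fragment does not provide.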

