[Samba] samba4 kerberized nfs4 with sssd ad client

Robert Marcano robert at marcanoonline.com
Fri Jul 24 15:44:43 UTC 2020

On 7/24/20 11:33 AM, Rowland penny via samba wrote:
> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>> Hi Rowland,
>>>>>> In effect, I'm still using Samba on the DC, which is why I still 
>>>>>> thought this was relevant on the mailing list. :)
>>>>>> The reason in particular that I was looking at sssd client as 
>>>>>> opposed to winbind was that  we are running CentOS 7. I know if I 
>>>>>> want to use the latest Samba 4.12 on the clients, I'll have 
>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes, 
>>>>>> someone has figured out a way around that by compiling a separate 
>>>>>> gnutls, but I'm just not 100% comfortable with that. It's still an 
>>>>>> option.  The problem is that if I spend my days figuring out how 
>>>>>> to upgrade hundreds of custom CentOS machines from 7 to 8 (which I 
>>>>>> will no doubt eventually do) then I won't have time to figure out 
>>>>>> integration of this domain into AD. If I start with AD then I 
>>>>>> can't really use the latest  4.12. maybe that's fine because 
>>>>>> eventually we will move to CentOS 8. However, what if a later 
>>>>>> Samba version requires an even later version of  gnutls that 
>>>>>> CentOS 8 doesn't run with in the future!  Then I'll again be stuck 
>>>>>> in this position and may have to upgrade the OS clients to use the 
>>>>>> later Samba. There's always going to be this chicken and egg problem 
>>>>>> of course. That's 
>>>>>> just the environment we work in. That's why I was hoping that if I 
>>>>>> used SSSD then I could somewhat punt the problem. As long as the 
>>>>>> main DC was running the latest OS and could run the latest Samba 
>>>>>> then the clients could use their SSSD to connect. In addition, the 
>>>>>> SSSD configuration for AD is so trivial.  The winbind 
>>>>>> configuration, I have tested and it works but it's definitely more 
>>>>>> complex. I have to see whether it handles token groups because the 
>>>>>> SSSD configuration without token groups was very slow using SSSD 
>>>>>> because of the number of groups.  I'm not fixed at using sssd but 
>>>>>> just thinking about all the options. There are always many ways to 
>>>>>> solve the same problem. :)
>>>>>> Jason.
>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba 
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>> Hi everyone,
>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>> support it, because we know very little about it. I suggest you 
>>>>>>> try the
>>>>>>> sssd-users mailing list.
>>>>>>> If you want to use Samba instead, I am more than willing to help you
>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>> share
>>>>>>> files.
>>>>>>> Rowland
>>>>> Hi Jason,
>>>>> I have got a few CentOS servers as Samba AD members. I found out 
>>>>> that upgrading them to CentOS 8 isn't worth the hassle, a 
>>>>> completely different paradigm, and lots of migration issues to 
>>>>> solve. As you have got lots of machines, it could probably pay off 
>>>>> to create your own solution, but in your place, I would get nervous 
>>>>> that every new update would break something.
>>>>> I'm going to migrate my few servers to Debian Buster instead. It 
>>>>> seems to be a much less painful way. Up until recently, I have 
>>>>> exclusively used CentOS, but I have found Debian very capable, and 
>>>>> not very different to work with, compared to CentOS 7. The update 
>>>>> policy is also fairly conservative.
>>>>> Just my five cents...
>>>>> Best regards,
>>>>> Peter 
>>>> Hi Peter,
>>>> Our client systems need to continue to run CentOS because a variety 
>>>> of software that we use requires CentOS/RHEL.  Some of the software 
>>>> is very version specific.  I can't even upgrade to CentOS 8 until 
>>>> certain software is compatible with 8. Running a separate Linux 
>>>> distribution on the servers and the clients is possible, of course, 
>>>> but in a small team, just a headache to handle multiple OS paths. If 
>>>> we were a bigger team, this is definitely something I would consider 
>>>> though.
>>>> Jason.
>>> Rule one: Never run software that is tied to a specific OS, you get 
>>> trapped, as you have found. If some entity tries selling you software 
>>> that requires a specific OS (and worse a specific version), tell them 
>>> to **** off.
>>> Just what are these 'softwares' that require Centos ?
>>> Rowland
>> I usually avoid threads where someone mentions SSSD because they 
>> always end the same way. The original poster is asking a question 
>> about using a Samba DC server using winbind at the server and his 
>> problems or doubts about using the Kerberos part of Samba AD, and 
>> the discussion goes down to SSSD no no no, change OS, etc. A user 
>> asking about problems with a Mac or Windows client doesn't get that 
>> kind of response, and those clients are more closed than anything Red Hat produces.
>> The initial response that asking on the SSSD mailing list would be a 
>> better idea was probably the good end of it if no other person was 
>> able to help.
>> I personally can't help, because I use FreeIPA for my Linux clients 
>> and Samba AD for Windows clients, establishing a trust between 
>> domains. Long ago I did the reverse of the original poster's 
>> problem: Kerberized NFS shares from a domain using MIT Kerberos 
>> (via FreeIPA), and shares to Windows clients with Samba, but Samba 
>> standalone shares, doing LDAP integration with the FreeIPA 389 server, but 
>> I would not recommend that now that the AD implementation of Samba is 
>> robust enough.
>> Note: Now that CentOS 8 was mentioned earlier on the list, CentOS 8 
>> clients joined to a Samba domain using SSSD work pretty well. Some 
>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
> Robert, I have said numerous times that I personally have nothing 
> against sssd, just that I do not see the point in using it with Samba. 
> This forum cannot support sssd because we do not produce it and know 
> little about it, but it has its own mailing list, sssd-users, that is 
> undoubtedly the correct place to ask questions about sssd.
> Also, you can use sssd on centos clients to access Samba shares on 
> another Unix domain member (this much I do know), but you cannot use 
> sssd on a Samba fileserver.
> Rowland

And the original mail said SSSD on client not on server, even the 
Subject says it. It is just like someone asking about problems using Samba AD 
Kerberos from a Mac; the client on a Mac isn't even based on 
Samba. We SSSDers should probably create a mailing list named "SSSD on 
Samba AD clients" :-P. If anyone comes and asks about winbind on clients, 
they will get a lecture, again :-P
