[Samba] samba4 kerberized nfs4 with sssd ad client
Robert Marcano
robert at marcanoonline.com
Fri Jul 24 15:44:43 UTC 2020
On 7/24/20 11:33 AM, Rowland penny via samba wrote:
> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>
>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>
>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> In effect, I'm still using Samba on the DC, which is why I still
>>>>>> thought this was relevant on the mailing list. :)
>>>>>>
>>>>>> The reason in particular that I was looking at sssd client as
>>>>>> opposed to winbind was that we are running CentOS 7. I know if I
>>>>>> want to use the latest Samba 4.12 on the clients, I'll have
>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes,
>>>>>> someone has figured out a way around that by compiling a separate
>>>>>> gnutls, but I'm just not 100% comfortable with that. It's still an
>>>>>> option. The problem is that if I spend my days figuring out how
>>>>>> to upgrade hundreds of custom CentOS machines from 7 to 8 (which I
>>>>>> will no doubt eventually do) then I won't have time to figure out
>>>>>> integration of this domain into AD. If I start with AD then I
>>>>>> can't really use the latest 4.12. maybe that's fine because
>>>>>> eventually we will move to CentOS 8. However, what if a later
>>>>>> Samba version requires an even later version of gnutls that
>>>>>> CentOS 8 doesn't run with in the future! Then I'll again be stuck
>>>>>> in this position and may have to upgrade the OS clients to use the
>>>>>> later Samba. There's always
>>>>>> going to be this chicken and egg problem of course. That's
>>>>>> just the environment we work in. That's why I was hoping that if I
>>>>>> used SSSD then I could somewhat punt the problem. As long as the
>>>>>> main DC was running the latest OS and could run the latest Samba
>>>>>> then the clients could use their SSSD to connect. In addition, the
>>>>>> SSSD configuration for AD is so trivial. The winbind
>>>>>> configuration, I have tested and it works but it's definitely more
>>>>>> complex. I have to see whether it handles token groups because the
>>>>>> SSSD configuration without token groups was very slow using SSSD
>>>>>> because of the number of groups. I'm not fixed at using sssd but
>>>>>> just thinking about all the options. There are always many ways to
>>>>>> solve the same problem. :)
>>>>>>
>>>>>> Jason.
>>>>>>
>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>
>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>> server2.ad.example.com. They are not running smbd and winbind.
>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>> support it, because we know very little about it. I suggest you
>>>>>>> try the
>>>>>>>
>>>>>>> sssd-users mailing list.
>>>>>>>
>>>>>>> If you want to use Samba instead, I am more than willing to help you
>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>> share
>>>>>>> files.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>> Hi Jason,
>>>>>
>>>>> I have got a few CentOS servers as Samba AD members. I found out
>>>>> that upgrading them to CentOS 8 isn't worth the hassle, a
>>>>> completely different paradigm, and lots of migration issues to
>>>>> solve. As you have got lots of machines, it could probably pay off
>>>>> to create your own solution, but in your place, I would get nervous
>>>>> that every new update would break something.
>>>>>
>>>>> I'm going to migrate my few servers to Debian Buster instead. It
>>>>> seems to be a much less painful way. Up until recently, I have
>>>>> exclusively used CentOS, but I have found Debian very capable, and
>>>>> not very different to work with, compared to CentOS 7. The update
>>>>> policy is also fairly conservative.
>>>>>
>>>>> Just my five cents...
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Peter
>>>>
>>>>
>>>> Hi Peter,
>>>>
>>>> Our client systems need to continue to run CentOS because a variety
>>>> of software that we use requires CentOS/RHEL. Some of the software
>>>> is very version specific. I can't even upgrade to CentOS 8 until
>>>> certain software is compatible with 8. Running a separate Linux
>>>> distribution on the servers and the clients is possible, of course,
>>>> but in a small team, just a headache to handle multiple OS paths. If
>>>> we were a bigger team, this is definitely something I would consider
>>>> though.
>>>>
>>>> Jason.
>>>>
>>>>
>>> Rule one: Never run software that is tied to a specific OS, you get
>>> trapped, as you have found. If some entity tries selling you software
>>> that requires a specific OS (and worse a specific version), tell them
>>> to **** off.
>>>
>>> Just what are these 'softwares' that require Centos ?
>>>
>>> Rowland
>>>
>>
>> I usually avoid threads where someone mentions SSSD because they
>> always end the same way. The original poster is asking a question
>> about using a Samba DC server using winbind at the server and his
>> problems or doubts about using the Kerberos part of Samba AD, and
>> the discussion goes down to SSSD no no no, change OS, etc. A user
>> asking with problems with a Mac or Windows client doesn't get that
>> kind of responses, clients more closed than anything Red Hat produces.
>>
>> The initial response that asking on the SSSD mailing list would be a
>> better idea was probably the good end of it if no other person was
>> able to help.
>>
>> I personally can't help, because I use FreeIPA for my Linux clients
>> and Samba AD for Windows clients, establishing a trust between
>> domains. I have done long ago the other way of the original poster
>> problem, NFS Kerberized NFS shares from a domain using MIT Kerberos
>> (via FreeIPA), shares to Windows clients with Samba, but Samba
>> standalone shares, doing LDAP integration with FreeIPA 389 server, but
>> I would not recommend that now that the AD implementation of Samba is
>> robust enough.
>>
>> Note: Now that CentOS 8 was mentioned early on the list, CentOS 8
>> clients joined to a Samba domain using SSSD works pretty well. Some
>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>>
>>
>>
> Robert, I have said numerous times that I personally have nothing
> against sssd, just that I do not see the point in using it with Samba.
> This forum cannot support sssd because we do not produce it and know
> little about it, but it has its own mailing list, sssd-users, that is
> undoubtedly the correct place to ask questions about sssd.
>
> Also, you can use sssd on centos clients to access Samba shares on
> another Unix domain member (this much I do know), but you cannot use
> sssd on a Samba fileserver.
>
> Rowland
>
And the original mail said SSSD on client not on server, even the
Subject says it. It is just like someone asking about Samba AD
Kerberos problems from a Mac, the client on a Mac isn't even based on
Samba. We SSSDers should probably create a mailing list named "SSSD on
Samba AD clients" :-P. If anyone comes and asks about winbind on clients,
they will get a lecture, again :-P