[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland penny rpenny at samba.org
Fri Jul 24 15:49:39 UTC 2020

On 24/07/2020 16:44, Robert Marcano via samba wrote:
> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>> Hi Rowland,
>>>>>>> In effect, I'm still using Samba on the DC, which is why I still 
>>>>>>> thought this was relevant on the mailing list. :)
>>>>>>> The reason in particular that I was looking at sssd client as 
>>>>>>> opposed to winbind was that  we are running CentOS 7. I know if 
>>>>>>> I want to use the latest Samba 4.12 on the clients, I'll have 
>>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes, 
>>>>>>> someone has figured out a way around that by compiling a 
>>>>>>> separate gnutls, but I'm just not 100% comfortable with that. 
>>>>>>> It's still an option.  The problem is that if I spend my days 
>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines 
>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't 
>>>>>>> have time to figure out integration of this domain into AD. If I 
>>>>>>> start with AD then I can't really use the latest  4.12. maybe 
>>>>>>> that's fine because eventually we will move to CentOS 8. 
>>>>>>> However, what if a later Samba version requires an even later 
>>>>>>> version of  gnutls that CentOS 8 doesn't run with in the 
>>>>>>> future!  Then I'll again be stuck in this position and may have 
>>>>>>> to upgrade the OS clients to use the later Samba. There's always 
>>>>>>> going to be this chicken and egg problem of course. 
>>>>>>> That's just the environment we work in. That's why I was hoping 
>>>>>>> that if I used SSSD then I could somewhat punt the problem . As 
>>>>>>> long as the main DC was running the latest OS and could run the 
>>>>>>> latest Samba then the clients could use their SSSD to connect. 
>>>>>>> In addition, the SSSD configuration for AD is so trivial.  The 
>>>>>>> winbind configuration, I have tested and it works but it's 
>>>>>>> definitely more complex. I have to see whether it handles token 
>>>>>>> groups because the SSSD configuration without token groups was 
>>>>>>> very slow using SSSD because of the number of groups.  I'm not 
>>>>>>> fixed at using sssd but just thinking about all the options. 
>>>>>>> There are always many ways to solve the same problem. :)
>>>>>>> Jason.
>>>>>>> On Jul. 24, 2020, 2:22 a.m., Rowland penny via 
>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>> Hi everyone,
>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>>> support it, because we know very little about it. I suggest you 
>>>>>>>> try the
>>>>>>>> sssd-users mailing list.
>>>>>>>> If you want to use Samba instead, I am more than willing to 
>>>>>>>> help you
>>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>>> share
>>>>>>>> files.
>>>>>>>> Rowland
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>> Hi Jason,
>>>>>> I have got a few CentOS servers as Samba AD members. I found out 
>>>>>> that upgrading them to CentOS 8 isn't worth the hazzle, a 
>>>>>> completely different paradigm, and lots of migration issues to 
>>>>>> solve. As you have got lots of machines, it could probably pay 
>>>>>> off to create your own solution, but in your place, I would get 
>>>>>> nervous that every new update would break something.
>>>>>> I'm going to migrate my few servers to Debian Buster instead. It 
>>>>>> seems to be a much less painful way. Up until recently, I have 
>>>>>> exclusively used CentOS, but I have found Debian very capable, 
>>>>>> and not very different to work with, compared to CentOS 7. The 
>>>>>> update policy is also fairly conservative.
>>>>>> Just my five cents...
>>>>>> Best regards,
>>>>>> Peter 
>>>>> Hi Peter,
>>>>> Our client systems need to continue to run CentOS because a 
>>>>> variety of software that we use requires CentOS/RHEL. Some of the 
>>>>> software is very version specific.  I can't even upgrade to CentOS 
>>>>> 8 until certain software is compatible with 8. Running a separate 
>>>>> Linux distribution on the servers and the clients is possible, of 
>>>>> course, but in a small team, just a headache to handle multiple OS 
>>>>> paths. If we were a bigger team, this is definitely something I 
>>>>> would consider though.
>>>>> Jason.
>>>> Rule one: Never run software that is tied to a specific OS, you get 
>>>> trapped, as you have found. If some entity tries selling you 
>>>> software that requires a specific OS (and worse a specific 
>>>> version), tell them to **** off.
>>>> Just what are these 'softwares' that require Centos ?
>>>> Rowland
>>> I usually avoid threads where someone mentions SSSD because they 
>>> always end the same way. The original poster is asking a question 
>>> about using a Samba DC server using winbind at the server and his 
>>> problems or doubts about using the Kerberos part of Samba AD, 
>>> and the discussion goes down to SSSD no no no, change OS, etc. A 
>>> user asking with problems with a Mac or Windows client doesn't get 
>>> that kind of responses, clients more closed than anything Red Hat 
>>> produces.
>>> The initial response that asking on the SSSD mailing list would be a 
>>> better idea was probably the good end of it if no other person was 
>>> able to help.
>>> I personally can't help, because I use FreeIPA for my Linux clients 
>>> and Samba AD for Windows clients, establishing a trust between 
>>> domains. I have done long ago the other way of the original poster 
>>> problem, NFS Kerberized NFS shares from a domain using MIT Kerberos 
>>> (via FreeIPA), shares to Windows clients with Samba, but Samba 
>>> standalone shares, doing LDAP integration with FreeIPA 389 server, 
>>> but I would not recommend that now that the AD implementation of 
>>> Samba is robust enough.
>>> Note: Now that CentOS 8 were mentioned early on the list, CentOS 8 
>>> clients joined to a Samba domain using SSSD works pretty well. Some 
>>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>> Robert, I have said numerous times that I personally have nothing 
>> against sssd, just that I do not see the point in using it with 
>> Samba. This forum cannot support sssd because we do not produce it 
>> and know little about it, but it has its own mailing list, 
>> sssd-users, that is undoubtedly the correct place to ask questions 
>> about sssd.
>> Also, you can use sssd on centos clients to access Samba shares on 
>> another Unix domain member (this much I do know), but you cannot use 
>> sssd on a Samba fileserver.
>> Rowland
> And the original mail said SSSD on client not on server, even the 
> Subject says it. It is just like someone asking about Samba 
> AD Kerberos problems from a Mac, the client on a Mac isn't even based 
> on Samba. Web SSSDers should probably create a mailing list named 
> "SSSD on Samba AD clients" :-P. If anyone comes and asks about winbind 
> on clients, they will get a lecture, again :-P
I replied:

Sorry Jason, wrong mailing list, we do not produce sssd, so cannot 
support it, because we know very little about it. I suggest you try the 
sssd-users mailing list.

If you want to use Samba instead, I am more than willing to help you 
with this, it is very easy and there is the bonus of being able to share 
files.

Just where is the lecture in that ?
