[Samba] samba4 kerberized nfs4 with sssd ad client
Rowland penny
rpenny at samba.org
Fri Jul 24 15:49:39 UTC 2020
On 24/07/2020 16:44, Robert Marcano via samba wrote:
> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>
>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>
>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>> Hi Rowland,
>>>>>>>
>>>>>>> In effect, I'm still using Samba on the DC, which is why I still
>>>>>>> thought this was relevant on the mailing list. :)
>>>>>>>
>>>>>>> The reason in particular that I was looking at sssd client as
>>>>>>> opposed to winbind was that we are running CentOS 7. I know if
>>>>>>> I want to use the latest Samba 4.12 on the clients, I'll have
>>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes,
>>>>>>> someone has figured out a way around that by compiling a
>>>>>>> separate gnutls, but I'm just not 100% comfortable with that.
>>>>>>> It's still an option. The problem is that if I spend my days
>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines
>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't
>>>>>>> have time to figure out integration of this domain into AD. If I
>>>>>>> start with AD then I can't really use the latest 4.12. maybe
>>>>>>> that's fine because eventually we will move to CentOS 8.
>>>>>>> However, what if a later Samba version requires an even later
>>>>>>> version of gnutls that CentOS 8 doesn't run with in the
>>>>>>> future! Then I'll again be stuck in this position and may have
>>>>>>> to upgrade the OS clients to use the later Samba. There's
>>>>>>> always going to be this chicken and egg problem of course.
>>>>>>> That's just the environment we work in. That's why I was hoping
>>>>>>> that if I used SSSD then I could somewhat punt the problem. As
>>>>>>> long as the main DC was running the latest OS and could run the
>>>>>>> latest Samba then the clients could use their SSSD to connect.
>>>>>>> In addition, the SSSD configuration for AD is so trivial. The
>>>>>>> winbind configuration, I have tested and it works but it's
>>>>>>> definitely more complex. I have to see whether it handles token
>>>>>>> groups because the SSSD configuration without token groups was
>>>>>>> very slow using SSSD because of the number of groups. I'm not
>>>>>>> fixed at using sssd but just thinking about all the options.
>>>>>>> There are always many ways to solve the same problem. :)
>>>>>>>
>>>>>>> Jason.
>>>>>>>
>>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via
>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>> Hi everyone,
>>>>>>>>>
>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>
>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>> server2.ad.example.com. They are not running smbd and winbind.
>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>>> support it, because we know very little about it. I suggest you
>>>>>>>> try the
>>>>>>>>
>>>>>>>> sssd-users mailing list.
>>>>>>>>
>>>>>>>> If you want to use Samba instead, I am more than willing to
>>>>>>>> help you
>>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>>> share
>>>>>>>> files.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>> Hi Jason,
>>>>>>
>>>>>> I have got a few CentOS servers as Samba AD members. I found out
>>>>>> that upgrading them to CentOS 8 isn't worth the hassle, a
>>>>>> completely different paradigm, and lots of migration issues to
>>>>>> solve. As you have got lots of machines, it could probably pay
>>>>>> off to create your own solution, but in your place, I would get
>>>>>> nervous that every new update would break something.
>>>>>>
>>>>>> I'm going to migrate my few servers to Debian Buster instead. It
>>>>>> seems to be a much less painful way. Up until recently, I have
>>>>>> exclusively used CentOS, but I have found Debian very capable,
>>>>>> and not very different to work with, compared to CentOS 7. The
>>>>>> update policy is also fairly conservative.
>>>>>>
>>>>>> Just my five cents...
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Peter
>>>>>
>>>>>
>>>>> Hi Peter,
>>>>>
>>>>> Our client systems need to continue to run CentOS because a
>>>>> variety of software that we use requires CentOS/RHEL. Some of the
>>>>> software is very version specific. I can't even upgrade to CentOS
>>>>> 8 until certain software is compatible with 8. Running a separate
>>>>> Linux distribution on the servers and the clients is possible, of
>>>>> course, but in a small team, just a headache to handle multiple OS
>>>>> paths. If we were a bigger team, this is definitely something I
>>>>> would consider though.
>>>>>
>>>>> Jason.
>>>>>
>>>>>
>>>> Rule one: Never run software that is tied to a specific OS, you get
>>>> trapped, as you have found. If some entity tries selling you
>>>> software that requires a specific OS (and worse a specific
>>>> version), tell them to **** off.
>>>>
>>>> Just what are these 'softwares' that require CentOS?
>>>>
>>>> Rowland
>>>>
>>>
>>> I usually avoid threads where someone mentions SSSD because they
>>> always end the same way. The original poster is asking a question
>>> about using a Samba DC server using winbind at the server and his
>>> problems or doubts about using the Kerberos part of Samba AD,
>>> and the discussion goes down to SSSD no no no, change OS, etc. A
>>> user asking about problems with a Mac or Windows client doesn't get
>>> that kind of response, and those clients are more closed than anything
>>> Red Hat produces.
>>>
>>> The initial response that asking on the SSSD mailing list would be a
>>> better idea was probably the good end of it if no other person was
>>> able to help.
>>>
>>> I personally can't help, because I use FreeIPA for my Linux clients
>>> and Samba AD for Windows clients, establishing a trust between
>>> domains. I have done long ago the other way of the original poster
>>> problem: Kerberized NFS shares from a domain using MIT Kerberos
>>> (via FreeIPA), shared to Windows clients with Samba, but Samba
>>> standalone shares, doing LDAP integration with the FreeIPA 389 server,
>>> but I would not recommend that now that the AD implementation of
>>> Samba is robust enough.
>>>
>>> Note: Now that CentOS 8 was mentioned earlier on the list, CentOS 8
>>> clients joined to a Samba domain using SSSD work pretty well. Some
>>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>>>
>>>
>>>
>> Robert, I have said numerous times that I personally have nothing
>> against sssd, just that I do not see the point in using it with
>> Samba. This forum cannot support sssd because we do not produce it
>> and know little about it, but it has its own mailing list,
>> sssd-users, that is undoubtedly the correct place to ask questions
>> about sssd.
>>
>> Also, you can use sssd on centos clients to access Samba shares on
>> another Unix domain member (this much I do know), but you cannot use
>> sssd on a Samba fileserver.
>>
>> Rowland
>>
>
> And the original mail said SSSD on the client, not on the server; even the
> Subject says it. It is just like someone asking about Samba
> AD Kerberos problems from a Mac; the client on a Mac isn't even based
> on Samba. We SSSDers should probably create a mailing list named
> "SSSD on Samba AD clients" :-P. If anyone comes and asks about winbind
> on clients, they will get a lecture, again :-P
>
>
I replied:
Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
support it, because we know very little about it. I suggest you try the
sssd-users mailing list.
If you want to use Samba instead, I am more than willing to help you
with this, it is very easy and there is the bonus of being able to share
files.
Just where is the lecture in that?
Rowland