[Samba] samba4 kerberized nfs4 with sssd ad client
Robert Marcano
robert at marcanoonline.com
Fri Jul 24 15:56:00 UTC 2020
On 7/24/20 11:49 AM, Rowland penny via samba wrote:
> On 24/07/2020 16:44, Robert Marcano via samba wrote:
>> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>>
>>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>>
>>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> In effect, I'm still using Samba on the DC, which is why I still
>>>>>>>> thought this was relevant on the mailing list. :)
>>>>>>>>
>>>>>>>> The reason in particular that I was looking at sssd client as
>>>>>>>> opposed to winbind was that we are running CentOS 7. I know if
>>>>>>>> I want to use the latest Samba 4.12 on the clients, I'll have
>>>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes,
>>>>>>>> someone has figured out a way around that by compiling a
>>>>>>>> separate gnutls, but I'm just not 100% comfortable with that.
>>>>>>>> It's still an option. The problem is that if I spend my days
>>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines
>>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't
>>>>>>>> have time to figure out integration of this domain into AD. If I
>>>>>>>> start with AD then I can't really use the latest 4.12. maybe
>>>>>>>> that's fine because eventually we will move to CentOS 8.
>>>>>>>> However, what if a later Samba version requires an even later
>>>>>>>> version of gnutls that CentOS 8 doesn't run with in the
>>>>>>>> future! Then I'll again be stuck in this position and may have
>>>>>>>> to upgrade the OS clients to use the later Samba. There's always
>>>>>>>> going to be this chicken and egg problem of course.
>>>>>>>> That's just the environment we work in. That's why I was hoping
>>>>>>>> that if I used SSSD then I could somewhat punt the problem. As
>>>>>>>> long as the main DC was running the latest OS and could run the
>>>>>>>> latest Samba then the clients could use their SSSD to connect.
>>>>>>>> In addition, the SSSD configuration for AD is so trivial. The
>>>>>>>> winbind configuration, I have tested and it works but it's
>>>>>>>> definitely more complex. I have to see whether it handles token
>>>>>>>> groups because the SSSD configuration without token groups was
>>>>>>>> very slow using SSSD because of the number of groups. I'm not
>>>>>>>> fixed at using sssd but just thinking about all the options.
>>>>>>>> There are always many ways to solve the same problem. :)
>>>>>>>>
>>>>>>>> Jason.
>>>>>>>>
>>>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via
>>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>>> Hi everyone,
>>>>>>>>>>
>>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>>
>>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>>> server2.ad.example.com. They are not running smbd and winbind.
>>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>>>> support it, because we know very little about it. I suggest you
>>>>>>>>> try the
>>>>>>>>>
>>>>>>>>> sssd-users mailing list.
>>>>>>>>>
>>>>>>>>> If you want to use Samba instead, I am more than willing to
>>>>>>>>> help you
>>>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>>>> share
>>>>>>>>> files.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>> Hi Jason,
>>>>>>>
>>>>>>> I have got a few CentOS servers as Samba AD members. I found out
>>>>>>> that upgrading them to CentOS 8 isn't worth the hassle, a
>>>>>>> completely different paradigm, and lots of migration issues to
>>>>>>> solve. As you have got lots of machines, it could probably pay
>>>>>>> off to create your own solution, but in your place, I would get
>>>>>>> nervous that every new update would break something.
>>>>>>>
>>>>>>> I'm going to migrate my few servers to Debian Buster instead. It
>>>>>>> seems to be a much less painful way. Up until recently, I have
>>>>>>> exclusively used CentOS, but I have found Debian very capable,
>>>>>>> and not very different to work with, compared to CentOS 7. The
>>>>>>> update policy is also fairly conservative.
>>>>>>>
>>>>>>> Just my five cents...
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Peter
>>>>>>
>>>>>>
>>>>>> Hi Peter,
>>>>>>
>>>>>> Our client systems need to continue to run CentOS because a
>>>>>> variety of software that we use requires CentOS/RHEL. Some of the
>>>>>> software is very version specific. I can't even upgrade to CentOS
>>>>>> 8 until certain software is compatible with 8. Running a separate
>>>>>> Linux distribution on the servers and the clients is possible, of
>>>>>> course, but in a small team, just a headache to handle multiple OS
>>>>>> paths. If we were a bigger team, this is definitely something I
>>>>>> would consider though.
>>>>>>
>>>>>> Jason.
>>>>>>
>>>>>>
>>>>> Rule one: Never run software that is tied to a specific OS, you get
>>>>> trapped, as you have found. If some entity tries selling you
>>>>> software that requires a specific OS (and worse a specific
>>>>> version), tell them to **** off.
>>>>>
>>>>> Just what are these 'softwares' that require Centos ?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> I usually avoid threads where someone mentions SSSD because they
>>>> always end the same way. The original poster is asking a question
>>>> about using a Samba DC server using winbind at the server and his
>>>> problems or doubts about using the Kerberos part of Samba AD,
>>>> and the discussion goes down to SSSD no no no, change OS, etc. A
>>>> user asking about problems with a Mac or Windows client doesn't get
>>>> that kind of response, clients more closed than anything Red Hat
>>>> produces.
>>>>
>>>> The initial response that asking on the SSSD mailing list would be a
>>>> better idea was probably the good end of it if no other person was
>>>> able to help.
>>>>
>>>> I personally can't help, because I use FreeIPA for my Linux clients
>>>> and Samba AD for Windows clients, establishing a trust between
>>>> domains. Long ago I did the reverse of the original poster's
>>>> problem: Kerberized NFS shares from a domain using MIT Kerberos
>>>> (via FreeIPA), shared to Windows clients with Samba, but as Samba
>>>> standalone shares, doing LDAP integration with the FreeIPA 389 server,
>>>> but I would not recommend that now that the AD implementation of
>>>> Samba is robust enough.
>>>>
>>>> Note: Now that CentOS 8 was mentioned earlier on the list, CentOS 8
>>>> clients joined to a Samba domain using SSSD work pretty well. Some
>>>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>>>>
>>>>
>>>>
>>> Robert, I have said numerous times that I personally have nothing
>>> against sssd, just that I do not see the point in using it with
>>> Samba. This forum cannot support sssd because we do not produce it
>>> and know little about it, but it has its own mailing list,
>>> sssd-users, that is undoubtedly the correct place to ask questions
>>> about sssd.
>>>
>>> Also, you can use sssd on centos clients to access Samba shares on
>>> another Unix domain member (this much I do know), but you cannot use
>>> sssd on a Samba fileserver.
>>>
>>> Rowland
>>>
>>
>> And the original mail said SSSD on the client, not on the server; even
>> the subject says it. It is just like someone asking about Samba AD
>> Kerberos problems from a Mac; the client on a Mac isn't even based
>> on Samba. We SSSDers should probably create a mailing list named
>> "SSSD on Samba AD clients" :-P. If anyone comes and asks about winbind
>> on clients, they will get a lecture, again :-P
>>
>>
> I replied:
>
> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
> support it, because we know very little about it. I suggest you try the
> sssd-users mailing list.
>
> If you want to use Samba instead, I am more than willing to help you
> with this, it is very easy and there is the bonus of being able to share
> files.
>
>
> Just where is the lecture in that ?
Nothing in that, but it is the later responses with: change OS, don't
use software that requires an OS, etc, etc. No one says that to people
asking about problems with Mac or Windows clients here.
I will end my participation in this thread because, as I didn't intend,
it will extend further.