[Samba] samba4 kerberized nfs4 with sssd ad client

Robert Marcano robert at marcanoonline.com
Fri Jul 24 15:56:00 UTC 2020 

On 7/24/20 11:49 AM, Rowland penny via samba wrote:
> On 24/07/2020 16:44, Robert Marcano via samba wrote:
>> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>>
>>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>>
>>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> In effect, I'm still using Samba on the DC, which is why I still 
>>>>>>>> thought this was relevant on the mailing list. :)
>>>>>>>>
>>>>>>>> The reason in particular that I was looking at sssd client as 
>>>>>>>> opposed to winbind was that  we are running CentOS 7. I know if 
>>>>>>>> I want to use the latest Samba 4.12 on the clients, I'll have 
>>>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes, 
>>>>>>>> someone has figured out a way around that by compiling a 
>>>>>>>> separate gnutls, but I'm just not 100% comfortable with that. 
>>>>>>>> It's still an option.  The problem is that if I spend my days 
>>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines 
>>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't 
>>>>>>>> have time to figure out integration of this domain into AD. If I 
>>>>>>>> start with AD then I can't really use the latest  4.12. maybe 
>>>>>>>> that's fine because eventually we will move to CentOS 8. 
>>>>>>>> However, what if a later Samba version requires an even later 
>>>>>>>> version of  gnutls that CentOS 8 doesn't run with in the 
>>>>>>>> future!  Then I'll again be stuck in this position and may have 
>>>>>>>> to upgrade the OS clients to use the later Samba. There's al
>>>>>>>>   ways going to be this chicken and egg problem of course. 
>>>>>>>> That's just the environment we work in. That's why I was hoping 
>>>>>>>> that if I used SSSD then I could somewhat punt the problem . As 
>>>>>>>> long as the main DC was running the latest OS and could run the 
>>>>>>>> latest Samba then the clients could use their SSSD to connect. 
>>>>>>>> In addition, the SSSD configuration for AD is so trivial.  The 
>>>>>>>> winbind configuration, I have tested and it works but it's 
>>>>>>>> definately more complex. I have to see whether it handles token 
>>>>>>>> groups because the SSSD configuration without token groups was 
>>>>>>>> very slow using SSSD because of the number of groups.  I'm not 
>>>>>>>> fixed at using sssd but just thinking about all the options. 
>>>>>>>> There are always many ways to solve the same problem. :)
>>>>>>>>
>>>>>>>> Jason.
>>>>>>>>
>>>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via 
>>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>>> Hi everyone,
>>>>>>>>>>
>>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>>
>>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>>> server2.ad.example.com.   They are not running smbd and winbind.
>>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>>>> support it, because we know very little about it. I suggest you 
>>>>>>>>> try the
>>>>>>>>>
>>>>>>>>> sssd-users mailing list.
>>>>>>>>>
>>>>>>>>> If you want to use Samba instead, I am more than willing to 
>>>>>>>>> help you
>>>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>>>> share
>>>>>>>>> files.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>> Hi Jason,
>>>>>>>
>>>>>>> I have got a few CentOS servers as Samba AD members. I found out 
>>>>>>> that upgrading them to CentOS 8 isn't worth the hazzle, a 
>>>>>>> completely different paradigm, and lots of migration issues to 
>>>>>>> solve. As you have got lots of machines, it could probably pay 
>>>>>>> off to create your own solution, but in your place, I would get 
>>>>>>> nervous that every new update would break something.
>>>>>>>
>>>>>>> I'm going to migrate my few servers to Debian Buster instead. It 
>>>>>>> seems to be a much less painful way. Up until recently, I have 
>>>>>>> exclusively used CentOS, but I have found Debian very capable, 
>>>>>>> and not very different to work with, compared to CentOS 7. The 
>>>>>>> updaMIR te policy is also fairly conservative.
>>>>>>>
>>>>>>> Just my five cents...
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Peter 
>>>>>>
>>>>>>
>>>>>> Hi Peter,
>>>>>>
>>>>>> Our client systems need to continue to run CentOS because a 
>>>>>> variety of software that we use requires CentOS/RHEL. Some of the 
>>>>>> software is very version specific.  I can't even upgrade to CentOS 
>>>>>> 8 until certain software is compatible with 8. Running a separate 
>>>>>> Linux distribution on the servers and the clients is possible, of 
>>>>>> course, but in a small team, just a headache to handle multiple OS 
>>>>>> paths. If we were a bigger team, this is definately something I 
>>>>>> would consider though.
>>>>>>
>>>>>> Jason.
>>>>>>
>>>>>>
>>>>> Rule one: Never run software that is tied to a specific OS, you get 
>>>>> trapped, as you have found. If some entity tries selling you 
>>>>> software that requires a specific OS (and worse a specific 
>>>>> version), tell them to **** off.
>>>>>
>>>>> Just what are these 'softwares' that require Centos ?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> I usually avoid threads where someone mentions SSSD because they 
>>>> always end the same way. The original poster is asking a question 
>>>> about using a Samba DC server using winbind at the server and his 
>>>> problems our doubts about the using the Kerberos part of Samba AD, 
>>>> and the discussion goes down to SSSD no no no, change OS, etc. A 
>>>> user asking with problems with a Mac or Windows client doesn't get 
>>>> that kind of responses, clients more closed that anything Red Hat 
>>>> produces.
>>>>
>>>> The initial response that asking on the SSSD mailing list would be a 
>>>> better idea was probably the good end of it if no other person was 
>>>> able to help.
>>>>
>>>> I personally can't help, because I use FreeIPA for my Linux clients 
>>>> and Samba AD for Windows clients, establishing a trust between 
>>>> domains. I have done long ago the other way of the original poster 
>>>> problem, NFS Kerberized NFS shares from a domain using MIT Kerberos 
>>>> (via FreeIPA), shares to Windows clients with Samba, but Samba 
>>>> standalone shares, doing LDPA integration with FreeIPA 389 server, 
>>>> but I would not recommend that now that the AD implementation of 
>>>> Samba is robust enough.
>>>>
>>>> Note: Now that CentOS 8 where mentioned early on the list, CentOS 8 
>>>> clients joined to a Samba domain using SSSD works pretty well. Some 
>>>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>>>>
>>>>
>>>>
>>> Robert, I have said numerous times that I personally have nothing 
>>> against sssd, just that I do not see the point in using it with 
>>> Samba. This forum cannot support sssd because we do not produce it 
>>> and know little about it, but it has its own mailing list, 
>>> sssd-users, that is undoubtedly the correct place to ask questions 
>>> about sssd.
>>>
>>> Also, you can use sssd on centos clients to access Samba shares on 
>>> another Unix domain member (this much I do know), but you cannot use 
>>> sssd on a Samba fileserver.
>>>
>>> Rowland
>>>
>>
>> And the original mail said SSSD on client not on server, even the 
>> Subjects says it, It is just like someona asking problems using Samba 
>> Ad Kerberos problems from a Mac, the client on a Mac isn't even based 
>> on Samba. Web SSSDers should probably create a mailing list named 
>> "SSSD on Samba AD clients" :-P. If anyone comes an ask about winbind 
>> on clients, will get a lecture, again :-P
>>
>>
> I replied:
> 
> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot 
> support it, because we know very little about it. I suggest you try the 
> sssd-users mailing list.
> 
> If you want to use Samba instead, I am more than willing to help you 
> with this, it is very easy and there is the bonus of being able to share 
> files.
> 
> 
> Just where is the lecture in that ?

Nothing in that, but it are the later responses with: change OS, don't 
use software that requires an OS, etc, etc, no one says that to people 
asking with problems with a Mac o Windows clients here.

I will end my participation in this thread because as I didn't intended 
it will extend more.

More information about the samba mailing list