[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland penny rpenny at samba.org
Fri Jul 24 16:11:50 UTC 2020

On 24/07/2020 16:56, Robert Marcano via samba wrote:
> On 7/24/20 11:49 AM, Rowland penny via samba wrote:
>> On 24/07/2020 16:44, Robert Marcano via samba wrote:
>>> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>>>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>> In effect, I'm still using Samba on the DC, which is why I 
>>>>>>>>> still thought this was relevant on the mailing list. :)
>>>>>>>>> The reason in particular that I was looking at sssd client as 
>>>>>>>>> opposed to winbind was that  we are running CentOS 7. I know 
>>>>>>>>> if I want to use the latest Samba 4.12 on the clients, I'll 
>>>>>>>>> have problems with gnutls because it's outdated in CentOS 7. 
>>>>>>>>> Yes, someone has figured out a way around that by compiling a 
>>>>>>>>> separate gnutls, but I'm just not 100% comfortable with that. 
>>>>>>>>> It's still an option.  The problem is that if I spend my days 
>>>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines 
>>>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't 
>>>>>>>>> have time to figure out integration of this domain into AD. If 
>>>>>>>>> I start with AD then I can't really use the latest  4.12. 
>>>>>>>>> maybe that's fine because eventually we will move to CentOS 8. 
>>>>>>>>> However, what if a later Samba version requires an even later 
>>>>>>>>> version of gnutls that CentOS 8 doesn't run with in the 
>>>>>>>>> future!  Then I'll again be stuck in this position and may 
>>>>>>>>> have to upgrade the OS clients to use the later Samba. There's 
>>>>>>>>> always going to be this chicken and egg problem of course. 
>>>>>>>>> That's just the environment we work in. That's why I was 
>>>>>>>>> hoping that if I used SSSD then I could somewhat punt the 
>>>>>>>>> problem. As long as the main DC was running the latest OS and 
>>>>>>>>> could run the latest Samba then the clients could use their 
>>>>>>>>> SSSD to connect. In addition, the SSSD configuration for AD is 
>>>>>>>>> so trivial.  The winbind configuration, I have tested and it 
>>>>>>>>> works but it's definitely more complex. I have to see whether 
>>>>>>>>> it handles token groups because the SSSD configuration without 
>>>>>>>>> token groups was very slow using SSSD because of the number of 
>>>>>>>>> groups.  I'm not fixed at using sssd but just thinking about 
>>>>>>>>> all the options. There are always many ways to solve the same 
>>>>>>>>> problem. :)
>>>>>>>>> Jason.
>>>>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via 
>>>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>>>> server2.ad.example.com.   They are not running smbd and 
>>>>>>>>>>> winbind.
>>>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so 
>>>>>>>>>> cannot
>>>>>>>>>> support it, because we know very little about it. I suggest 
>>>>>>>>>> you try the
>>>>>>>>>> sssd-users mailing list.
>>>>>>>>>> If you want to use Samba instead, I am more than willing to 
>>>>>>>>>> help you
>>>>>>>>>> with this, it is very easy and there is the bonus of being 
>>>>>>>>>> able to
>>>>>>>>>> share
>>>>>>>>>> files.
>>>>>>>>>> Rowland
>>>>>>>> Hi Jason,
>>>>>>>> I have got a few CentOS servers as Samba AD members. I found 
>>>>>>>> out that upgrading them to CentOS 8 isn't worth the hassle, a 
>>>>>>>> completely different paradigm, and lots of migration issues to 
>>>>>>>> solve. As you have got lots of machines, it could probably pay 
>>>>>>>> off to create your own solution, but in your place, I would get 
>>>>>>>> nervous that every new update would break something.
>>>>>>>> I'm going to migrate my few servers to Debian Buster instead. 
>>>>>>>> It seems to be a much less painful way. Up until recently, I 
>>>>>>>> have exclusively used CentOS, but I have found Debian very 
>>>>>>>> capable, and not very different to work with, compared to 
>>>>>>>> CentOS 7. The update policy is also fairly conservative.
>>>>>>>> Just my five cents...
>>>>>>>> Best regards,
>>>>>>>> Peter 
>>>>>>> Hi Peter,
>>>>>>> Our client systems need to continue to run CentOS because a 
>>>>>>> variety of software that we use requires CentOS/RHEL. Some of 
>>>>>>> the software is very version specific.  I can't even upgrade to 
>>>>>>> CentOS 8 until certain software is compatible with 8. Running a 
>>>>>>> separate Linux distribution on the servers and the clients is 
>>>>>>> possible, of course, but in a small team, just a headache to 
>>>>>>> handle multiple OS paths. If we were a bigger team, this is 
>>>>>>> definitely something I would consider though.
>>>>>>> Jason.
>>>>>> Rule one: Never run software that is tied to a specific OS, you 
>>>>>> get trapped, as you have found. If some entity tries selling you 
>>>>>> software that requires a specific OS (and worse a specific 
>>>>>> version), tell them to **** off.
>>>>>> Just what are these 'softwares' that require Centos ?
>>>>>> Rowland
>>>>> I usually avoid threads where someone mentions SSSD because they 
>>>>> always end the same way. The original poster is asking a question 
>>>>> about using a Samba DC server using winbind at the server, and his 
>>>>> problems or doubts about using the Kerberos part of Samba AD, 
>>>>> and the discussion goes down to SSSD no no no, change OS, etc. A 
>>>>> user asking about problems with a Mac or Windows client doesn't get 
>>>>> that kind of response, and those clients are more closed than anything Red Hat 
>>>>> produces.
>>>>> The initial response that asking on the SSSD mailing list would be 
>>>>> a better idea was probably the good end of it if no other person 
>>>>> was able to help.
>>>>> I personally can't help, because I use FreeIPA for my Linux 
>>>>> clients and Samba AD for Windows clients, establishing a trust 
>>>>> between domains. I have done long ago the other way of the 
>>>>> original poster's problem: Kerberized NFS shares from a domain 
>>>>> using MIT Kerberos (via FreeIPA), shared to Windows clients with 
>>>>> Samba, but as Samba standalone shares, doing LDAP integration with 
>>>>> the FreeIPA 389 server, but I would not recommend that now that the AD 
>>>>> implementation of Samba is robust enough.
>>>>> Note: Now that CentOS 8 was mentioned earlier in the thread, CentOS 
>>>>> 8 clients joined to a Samba domain using SSSD work pretty well. 
>>>>> Some tips at 
>>>>> https://lists.samba.org/archive/samba/2020-March/228875.html
>>>> Robert, I have said numerous times that I personally have nothing 
>>>> against sssd, just that I do not see the point in using it with 
>>>> Samba. This forum cannot support sssd because we do not produce it 
>>>> and know little about it, but it has its own mailing list, 
>>>> sssd-users, that is undoubtedly the correct place to ask questions 
>>>> about sssd.
>>>> Also, you can use sssd on centos clients to access Samba shares on 
>>>> another Unix domain member (this much I do know), but you cannot 
>>>> use sssd on a Samba fileserver.
>>>> Rowland
>>> And the original mail said SSSD on the client, not on the server; even the 
>>> subject says it. It is just like someone asking about 
>>> Samba AD Kerberos problems from a Mac; the client on a Mac isn't 
>>> even based on Samba. We SSSDers should probably create a mailing 
>>> list named "SSSD on Samba AD clients" :-P. If anyone comes and asks 
>>> about winbind on clients, they will get a lecture, again :-P
>> I replied:
>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot 
>> support it, because we know very little about it. I suggest you try 
>> the sssd-users mailing list.
>> If you want to use Samba instead, I am more than willing to help you 
>> with this, it is very easy and there is the bonus of being able to 
>> share files.
>> Just where is the lecture in that ?
> Nothing in that, but it is the later responses with: change OS, don't 
> use software that requires an OS, etc, etc; no one says that to people 
> asking about problems with Mac or Windows clients here.
> I will end my participation in this thread because, as I did not 
> intend, it will extend further.
Well, it is nigh on impossible to change the OS on Mac computers, but if 
you are having problems with your OS, then it is wise to consider using 
a different OS, but no one is going to force anyone to do this.

If anyone wishes to use sssd, then that is their prerogative and I am 
not going to attempt to stop them, I just cannot try to support sssd, 
mainly because my knowledge of it is about 6 years out of date.

If anyone wants to use RHEL/CentOS, then again, that is their decision, 
but I am sure they would get a similar response if they asked questions 
about it on a Debian mailing list: 'go and ask on the Red Hat mailing list'. It 
is known as 'horses for courses', where I come from.
