[Samba] samba4 kerberized nfs4 with sssd ad client

Rowland penny rpenny at samba.org
Fri Jul 24 16:11:50 UTC 2020


On 24/07/2020 16:56, Robert Marcano via samba wrote:
> On 7/24/20 11:49 AM, Rowland penny via samba wrote:
>> On 24/07/2020 16:44, Robert Marcano via samba wrote:
>>> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>>>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>>>
>>>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>>>
>>>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>>
>>>>>>>>> In effect, I'm still using Samba on the DC, which is why I 
>>>>>>>>> still thought this was relevant on the mailing list. :)
>>>>>>>>>
>>>>>>>>> The reason in particular that I was looking at sssd client as 
>>>>>>>>> opposed to winbind was that  we are running CentOS 7. I know 
>>>>>>>>> if I want to use the latest Samba 4.12 on the clients, I'll 
>>>>>>>>> have problems with gnutls because it's outdated in CentOS 7. 
>>>>>>>>> Yes, someone has figured out a way around that by compiling a 
>>>>>>>>> separate gnutls, but I'm just not 100% comfortable with that. 
>>>>>>>>> It's still an option.  The problem is that if I spend my days 
>>>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines 
>>>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't 
>>>>>>>>> have time to figure out integration of this domain into AD. If 
>>>>>>>>> I start with AD then I can't really use the latest  4.12. 
>>>>>>>>> maybe that's fine because eventually we will move to CentOS 8. 
>>>>>>>>> However, what if a later Samba version requires an even later 
>>>>>>>>> version of gnutls that CentOS 8 doesn't run with in the 
>>>>>>>>> future!  Then I'll again be stuck in this position and may 
>>>>>>>>> have to upgrade the OS clients to use the later Samba. There's 
>>>>>>>>> always going to be this chicken and egg problem of course. 
>>>>>>>>> That's just the environment we work in. That's why I was 
>>>>>>>>> hoping that if I used SSSD then I could somewhat punt the 
>>>>>>>>> problem . As long as the main DC was running the latest OS and 
>>>>>>>>> could run the latest Samba then the clients could use their 
>>>>>>>>> SSSD to connect. In addition, the SSSD configuration for AD is 
>>>>>>>>> so trivial.  The winbind configuration, I have tested and it 
>>>>>>>>> works but it's definitely more complex. I have to see whether 
>>>>>>>>> it handles token groups because the SSSD configuration without 
>>>>>>>>> token groups was very slow using SSSD because of the number of 
>>>>>>>>> groups.  I'm not fixed at using sssd but just thinking about 
>>>>>>>>> all the options. There are always many ways to solve the same 
>>>>>>>>> problem. :)
>>>>>>>>>
>>>>>>>>> Jason.
>>>>>>>>>
>>>>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via 
>>>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>>
>>>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>>>
>>>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>>>> server2.ad.example.com.   They are not running smbd and 
>>>>>>>>>>> winbind.
>>>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so 
>>>>>>>>>> cannot
>>>>>>>>>> support it, because we know very little about it. I suggest 
>>>>>>>>>> you try the
>>>>>>>>>>
>>>>>>>>>> sssd-users mailing list.
>>>>>>>>>>
>>>>>>>>>> If you want to use Samba instead, I am more than willing to 
>>>>>>>>>> help you
>>>>>>>>>> with this, it is very easy and there is the bonus of being 
>>>>>>>>>> able to
>>>>>>>>>> share
>>>>>>>>>> files.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>> read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>> Hi Jason,
>>>>>>>>
>>>>>>>> I have got a few CentOS servers as Samba AD members. I found 
>>>>>>>> out that upgrading them to CentOS 8 isn't worth the hassle, a 
>>>>>>>> completely different paradigm, and lots of migration issues to 
>>>>>>>> solve. As you have got lots of machines, it could probably pay 
>>>>>>>> off to create your own solution, but in your place, I would get 
>>>>>>>> nervous that every new update would break something.
>>>>>>>>
>>>>>>>> I'm going to migrate my few servers to Debian Buster instead. 
>>>>>>>> It seems to be a much less painful way. Up until recently, I 
>>>>>>>> have exclusively used CentOS, but I have found Debian very 
>>>>>>>> capable, and not very different to work with, compared to 
>>>>>>>> CentOS 7. The update policy is also fairly conservative.
>>>>>>>>
>>>>>>>> Just my five cents...
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> Peter 
>>>>>>>
>>>>>>>
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> Our client systems need to continue to run CentOS because a 
>>>>>>> variety of software that we use requires CentOS/RHEL. Some of 
>>>>>>> the software is very version specific.  I can't even upgrade to 
>>>>>>> CentOS 8 until certain software is compatible with 8. Running a 
>>>>>>> separate Linux distribution on the servers and the clients is 
>>>>>>> possible, of course, but in a small team, just a headache to 
>>>>>>> handle multiple OS paths. If we were a bigger team, this is 
>>>>>>> definitely something I would consider though.
>>>>>>>
>>>>>>> Jason.
>>>>>>>
>>>>>>>
>>>>>> Rule one: Never run software that is tied to a specific OS, you 
>>>>>> get trapped, as you have found. If some entity tries selling you 
>>>>>> software that requires a specific OS (and worse a specific 
>>>>>> version), tell them to **** off.
>>>>>>
>>>>>> Just what are these 'softwares' that require Centos ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>> I usually avoid threads where someone mentions SSSD because they 
>>>>> always end the same way. The original poster is asking a question 
>>>>> about using a Samba DC server using winbind at the server and his 
>>>>> problems or doubts about using the Kerberos part of Samba AD, 
>>>>> and the discussion goes down to SSSD no no no, change OS, etc. A 
>>>>> user asking with problems with a Mac or Windows client doesn't get 
>>>>> that kind of responses, clients more closed that anything Red Hat 
>>>>> produces.
>>>>>
>>>>> The initial response that asking on the SSSD mailing list would be 
>>>>> a better idea was probably the good end of it if no other person 
>>>>> was able to help.
>>>>>
>>>>> I personally can't help, because I use FreeIPA for my Linux 
>>>>> clients and Samba AD for Windows clients, establishing a trust 
>>>>> between domains. I have done long ago the other way of the 
>>>>> original poster problem, NFS Kerberized NFS shares from a domain 
>>>>> using MIT Kerberos (via FreeIPA), shares to Windows clients with 
>>>>> Samba, but Samba standalone shares, doing LDAP integration with 
>>>>> FreeIPA 389 server, but I would not recommend that now that the AD 
>>>>> implementation of Samba is robust enough.
>>>>>
>>>>> Note: Now that CentOS 8 was mentioned early on the list, CentOS 
>>>>> 8 clients joined to a Samba domain using SSSD works pretty well. 
>>>>> Some tips at 
>>>>> https://lists.samba.org/archive/samba/2020-March/228875.html
>>>>>
>>>>>
>>>>>
>>>> Robert, I have said numerous times that I personally have nothing 
>>>> against sssd, just that I do not see the point in using it with 
>>>> Samba. This forum cannot support sssd because we do not produce it 
>>>> and know little about it, but it has its own mailing list, 
>>>> sssd-users, that is undoubtedly the correct place to ask questions 
>>>> about sssd.
>>>>
>>>> Also, you can use sssd on centos clients to access Samba shares on 
>>>> another Unix domain member (this much I do know), but you cannot 
>>>> use sssd on a Samba fileserver.
>>>>
>>>> Rowland
>>>>
>>>
>>> And the original mail said SSSD on client, not on server; even the 
>>> Subject says it. It is just like someone asking about Samba AD 
>>> Kerberos problems from a Mac; the client on a Mac isn't 
>>> even based on Samba. Web SSSDers should probably create a mailing 
>>> list named "SSSD on Samba AD clients" :-P. If anyone comes and asks 
>>> about winbind on clients, they will get a lecture, again :-P
>>>
>>>
>> I replied:
>>
>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot 
>> support it, because we know very little about it. I suggest you try 
>> the sssd-users mailing list.
>>
>> If you want to use Samba instead, I am more than willing to help you 
>> with this, it is very easy and there is the bonus of being able to 
>> share files.
>>
>>
>> Just where is the lecture in that ?
>
> Nothing in that, but it is the later responses with: change OS, don't 
> use software that requires an OS, etc, etc; no one says that to people 
> asking about problems with a Mac or Windows client here.
>
> I will end my participation in this thread because, as I didn't 
> intend, it will extend further.
>
Well, it is nigh on impossible to change the OS on Mac computers, but if 
you are having problems with your OS, then it is wise to consider using 
a different OS, but no one is going to force anyone to do this.

If anyone wishes to use sssd, then that is their prerogative and I am 
not going to attempt to stop them, I just cannot try to support sssd, 
mainly because my knowledge of it is about 6 years out of date.

If anyone wants to use RHEL/CentOS, then again, that is their decision, 
but I am sure they would get a similar response if they asked questions 
about it on a Debian mailing list: 'go and ask on the Red Hat mailing list'. It 
is known as 'horses for courses', where I come from.

Rowland
