[Samba] samba4 kerberized nfs4 with sssd ad client
Rowland penny
rpenny at samba.org
Fri Jul 24 16:11:50 UTC 2020
On 24/07/2020 16:56, Robert Marcano via samba wrote:
> On 7/24/20 11:49 AM, Rowland penny via samba wrote:
>> On 24/07/2020 16:44, Robert Marcano via samba wrote:
>>> On 7/24/20 11:33 AM, Rowland penny via samba wrote:
>>>> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>>>>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>>>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>>>>
>>>>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>>>>
>>>>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>>>>> Hi Rowland,
>>>>>>>>>
>>>>>>>>> In effect, I'm still using Samba on the DC, which is why I
>>>>>>>>> still thought this was relevant on the mailing list. :)
>>>>>>>>>
>>>>>>>>> The reason in particular that I was looking at sssd client as
>>>>>>>>> opposed to winbind was that we are running CentOS 7. I know
>>>>>>>>> if I want to use the latest Samba 4.12 on the clients, I'll
>>>>>>>>> have problems with gnutls because it's outdated in CentOS 7.
>>>>>>>>> Yes, someone has figured out a way around that by compiling a
>>>>>>>>> separate gnutls, but I'm just not 100% comfortable with that.
>>>>>>>>> It's still an option. The problem is that if I spend my days
>>>>>>>>> figuring out how to upgrade hundreds of custom CentOS machines
>>>>>>>>> from 7 to 8 (which I will no doubt eventually do) then I won't
>>>>>>>>> have time to figure out integration of this domain into AD. If
>>>>>>>>> I start with AD then I can't really use the latest 4.12.
>>>>>>>>> Maybe that's fine because eventually we will move to CentOS 8.
>>>>>>>>> However, what if a later Samba version requires an even later
>>>>>>>>> version of gnutls that CentOS 8 doesn't run with in the
>>>>>>>>> future! Then I'll again be stuck in this position and may
>>>>>>>>> have to upgrade the OS clients to use the later Samba. There's
>>>>>>>>> always going to be this chicken and egg problem of course.
>>>>>>>>> That's just the environment we work in. That's why I was
>>>>>>>>> hoping that if I used SSSD then I could somewhat punt the
>>>>>>>>> problem. As long as the main DC was running the latest OS and
>>>>>>>>> could run the latest Samba then the clients could use their
>>>>>>>>> SSSD to connect. In addition, the SSSD configuration for AD is
>>>>>>>>> so trivial. The winbind configuration I have tested and it
>>>>>>>>> works, but it's definitely more complex. I have to see whether
>>>>>>>>> it handles token groups because the SSSD configuration without
>>>>>>>>> token groups was very slow using SSSD because of the number of
>>>>>>>>> groups. I'm not fixed at using sssd but just thinking about
>>>>>>>>> all the options. There are always many ways to solve the same
>>>>>>>>> problem. :)
>>>>>>>>>
>>>>>>>>> Jason.
>>>>>>>>>
>>>>>>>>> On Jul. 24, 2020, 2:22 a.m., Rowland penny via
>>>>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>>
>>>>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>>>>
>>>>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>>>>> server2.ad.example.com. They are not running smbd and
>>>>>>>>>>> winbind.
>>>>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so
>>>>>>>>>> cannot support it, because we know very little about it. I
>>>>>>>>>> suggest you try the sssd-users mailing list.
>>>>>>>>>>
>>>>>>>>>> If you want to use Samba instead, I am more than willing to
>>>>>>>>>> help you with this, it is very easy and there is the bonus of
>>>>>>>>>> being able to share files.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>> Hi Jason,
>>>>>>>>
>>>>>>>> I have got a few CentOS servers as Samba AD members. I found
>>>>>>>> out that upgrading them to CentOS 8 isn't worth the hassle, a
>>>>>>>> completely different paradigm, and lots of migration issues to
>>>>>>>> solve. As you have got lots of machines, it could probably pay
>>>>>>>> off to create your own solution, but in your place, I would get
>>>>>>>> nervous that every new update would break something.
>>>>>>>>
>>>>>>>> I'm going to migrate my few servers to Debian Buster instead.
>>>>>>>> It seems to be a much less painful way. Up until recently, I
>>>>>>>> have exclusively used CentOS, but I have found Debian very
>>>>>>>> capable, and not very different to work with, compared to
>>>>>>>> CentOS 7. The update policy is also fairly conservative.
>>>>>>>>
>>>>>>>> Just my five cents...
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> Peter
>>>>>>>
>>>>>>>
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> Our client systems need to continue to run CentOS because a
>>>>>>> variety of software that we use requires CentOS/RHEL. Some of
>>>>>>> the software is very version specific. I can't even upgrade to
>>>>>>> CentOS 8 until certain software is compatible with 8. Running a
>>>>>>> separate Linux distribution on the servers and the clients is
>>>>>>> possible, of course, but in a small team, just a headache to
>>>>>>> handle multiple OS paths. If we were a bigger team, this is
>>>>>>> definitely something I would consider though.
>>>>>>>
>>>>>>> Jason.
>>>>>>>
>>>>>>>
>>>>>> Rule one: Never run software that is tied to a specific OS, you
>>>>>> get trapped, as you have found. If some entity tries selling you
>>>>>> software that requires a specific OS (and worse a specific
>>>>>> version), tell them to **** off.
>>>>>>
>>>>>> Just what are these 'softwares' that require CentOS?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>> I usually avoid threads where someone mentions SSSD because they
>>>>> always end the same way. The original poster is asking a question
>>>>> about using a Samba DC server using winbind at the server and his
>>>>> problems or doubts about using the Kerberos part of Samba AD,
>>>>> and the discussion goes down to SSSD no no no, change OS, etc. A
>>>>> user asking about problems with a Mac or Windows client doesn't get
>>>>> that kind of response, clients more closed than anything Red Hat
>>>>> produces.
>>>>>
>>>>> The initial response that asking on the SSSD mailing list would be
>>>>> a better idea was probably the good end of it if no other person
>>>>> was able to help.
>>>>>
>>>>> I personally can't help, because I use FreeIPA for my Linux
>>>>> clients and Samba AD for Windows clients, establishing a trust
>>>>> between domains. Long ago I did the reverse of the original
>>>>> poster's problem: Kerberized NFS shares from a domain using MIT
>>>>> Kerberos (via FreeIPA), and shares to Windows clients with Samba,
>>>>> but Samba standalone shares, doing LDAP integration with the
>>>>> FreeIPA 389 server. I would not recommend that now that the AD
>>>>> implementation of Samba is robust enough.
>>>>>
>>>>> Note: Now that CentOS 8 was mentioned earlier on the list, CentOS
>>>>> 8 clients joined to a Samba domain using SSSD work pretty well.
>>>>> Some tips at
>>>>> https://lists.samba.org/archive/samba/2020-March/228875.html
>>>>>
>>>>>
>>>>>
>>>> Robert, I have said numerous times that I personally have nothing
>>>> against sssd, just that I do not see the point in using it with
>>>> Samba. This forum cannot support sssd because we do not produce it
>>>> and know little about it, but it has its own mailing list,
>>>> sssd-users, that is undoubtedly the correct place to ask questions
>>>> about sssd.
>>>>
>>>> Also, you can use sssd on centos clients to access Samba shares on
>>>> another Unix domain member (this much I do know), but you cannot
>>>> use sssd on a Samba fileserver.
>>>>
>>>> Rowland
>>>>
>>>
>>> And the original mail said SSSD on client not on server, even the
>>> subject says it. It is just like someone asking about Samba AD
>>> Kerberos problems from a Mac, the client on a Mac isn't even based
>>> on Samba. We SSSDers should probably create a mailing list named
>>> "SSSD on Samba AD clients" :-P. If anyone comes and asks about
>>> winbind on clients, they will get a lecture, again :-P
>>>
>>>
>> I replied:
>>
>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>> support it, because we know very little about it. I suggest you try
>> the sssd-users mailing list.
>>
>> If you want to use Samba instead, I am more than willing to help you
>> with this, it is very easy and there is the bonus of being able to
>> share files.
>>
>>
>> Just where is the lecture in that ?
>
> Nothing in that, but it is the later responses with: change OS, don't
> use software that requires an OS, etc, etc, no one says that to people
> asking about problems with Mac or Windows clients here.
>
> I will end my participation in this thread because, as I didn't
> intend, it will extend further.
>
Well, it is nigh on impossible to change the OS on Mac computers, but if
you are having problems with your OS, then it is wise to consider using
a different OS, but no one is going to force anyone to do this.

If anyone wishes to use sssd, then that is their prerogative and I am
not going to attempt to stop them, I just cannot try to support sssd,
mainly because my knowledge of it is about 6 years out of date.

If anyone wants to use RHEL/CentOS, then again, that is their decision,
but I am sure they would get a similar response if they asked questions
about it on a Debian mailing list: 'go and ask on the Red Hat mailing
list'. It is known as 'horses for courses', where I come from.

Rowland