[Samba] Replacing SSSD with just WINBIND for NFSv4

L.P.H. van Belle belle at bazuin.nl
Tue Aug 31 08:47:43 UTC 2021


I can show you my config for automounted homedirs with kerberised NFSv4. 

I saw the AD-DC smb.conf in the other post. 
Great, you use Unix IDs. 

So my setup: set up any "MEMBER" as you normally would with RFC2307. 

Make sure you have this in smb.conf: 

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Gives username and not DOM\username
    winbind use default domain = yes

I've added nfs/name.internal.dom.tld to the keytab file with net ads
(you might want to add cifs/ to it as well, it can be handy). 

In the list thread "samba4 kerberized nfs4 with sssd ad client"
https://lists.samba.org/archive/samba/2020-July/231149.html

That's how I run it with a systemd automounter, 
with winbind of course. 

If you use it on an AD-DC, I suggest reading this and using the parts you need.
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
This is what it's all about. 
Recommended: make a custom auth_to_local mapping in your krb5.conf. 
Integrate the following into your krb5.conf: 

[realms]
    SAMDOM.EXAMPLE.COM = {
        auth_to_local = RULE:[1:SAMDOM\$1]
    }

But read the page before you implement it. 


Greetz, 

Louis
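The krb5.conf fragment above uses one `RULE:` entry, and the `[1:SAMDOM\$1]` part is easy to misread. The following Python model of how libkrb5 evaluates `auth_to_local` entries is an added example and is not code from this mail, from Samba or from MIT Kerberos. It takes the realm and the rule from the quoted fragment; the sample principals (`luc@...`, `nfs/nfs1.internal.example.com@...`, a foreign realm) are constructed. It shows that `[1:SAMDOM\$1]` turns `luc@SAMDOM.EXAMPLE.COM` into the local name `SAMDOM\luc`, that the same rule never maps a two-component service principal such as `nfs/host@REALM`, and that the optional `(regexp)` filter and `s/pattern/replacement/g` substitutions work as documented for the MIT `RULE:` syntax.

```python
"""Model of how libkrb5 evaluates krb5.conf auth_to_local entries.

Added example, not code from the mail above, from Samba or from MIT Kerberos.
Realm and rule come from the quoted krb5.conf fragment; principals are constructed.
"""
import re

DEFAULT_REALM = "SAMDOM.EXAMPLE.COM"          # realm from the quoted krb5.conf fragment
PAGE_RULE = r"RULE:[1:SAMDOM\$1]"             # the auth_to_local line from the fragment
REALMS = {DEFAULT_REALM: [PAGE_RULE]}         # models the [realms] section: realm -> rule list

# RULE:[n:format](regexp)s/pattern/replacement/g   ((regexp) and s/// are optional)
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                         # [n:format]
    r"(?:\(([^)]*)\))?"                                  # optional (regexp)
    r"((?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$"      # zero or more s/pat/rep/[g]
)
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without a realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name one RULE produces, or None when it does not select the principal."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    ncomp, fmt, regexp, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    components, realm = split_principal(principal)

    # [n:...] selects only principals with exactly n components (realm excluded), so a
    # 1-component rule never maps service principals such as nfs/host@REALM.
    if len(components) != ncomp:
        return None

    def expand(match):
        idx = int(match.group(1))
        if idx == 0:
            return realm                      # $0 is the realm
        if idx > ncomp:
            raise ValueError(f"rule {rule!r} references ${idx} but selects {ncomp} components")
        return components[idx - 1]            # $1..$n are the name components

    # Everything that is not $<digit> is copied literally, which is why the backslash
    # in 'SAMDOM\$1' ends up in the local name: SAMDOM\user.
    local = re.sub(r"\$(\d)", expand, fmt)

    # The optional (regexp) must match the whole formatted string or the rule fails.
    # (libkrb5 uses POSIX ERE; Python's re is close enough for simple patterns.)
    if regexp is not None and re.fullmatch(regexp, local) is None:
        return None

    # Optional sed-style substitutions, applied in order; the 'g' flag replaces all matches.
    for pat, rep, gflag in SUB_RE.findall(subs):
        local = re.sub(pat, lambda _m: rep, local, count=0 if gflag else 1)
    return local


def map_principal(realms, principal, default_realm=DEFAULT_REALM):
    """Evaluate the auth_to_local list of the principal's realm; None means no local account."""
    components, realm = split_principal(principal)
    # libkrb5 looks up auth_to_local under the principal's own realm in [realms];
    # an unset auth_to_local behaves like a single DEFAULT entry.
    for rule in realms.get(realm, ["DEFAULT"]):
        if rule == "DEFAULT":
            # DEFAULT maps a single-component principal in the default realm to that component.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed sample principals: a user, a service principal and a foreign-realm user.
    for p in ("luc@SAMDOM.EXAMPLE.COM",
              "nfs/nfs1.internal.example.com@SAMDOM.EXAMPLE.COM",
              "luc@OTHER.EXAMPLE.COM"):
        print(f"{p:50} -> {map_principal(REALMS, p)!r}")
```

The rule as quoted yields `SAMDOM\luc`, which is the `DOM\username` form. With `winbind use default domain = yes` from the smb.conf fragment earlier in the mail, the accounts winbind presents to the host are bare usernames, so the format string has to agree with what `getent passwd` returns on that host; this is what the wiki page Louis points to walks through, and why he says to read it before implementing.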




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc 
> Lalonde via samba
> Sent: Monday 30 August 2021 19:27
> To: samba at lists.samba.org
> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
> 
> Hello Folks,
> 
> I would like to remove SSSD from the equation for NFSv4 + 
> AutoFS mounts.
> 
> Presently we use SSSD + Winbind for LDAP-KRB5 authentication 
> and AutoFS-NFSv4 for home directories.
> 
> We have 4 NFS servers that split the load for our Linux 
> clients. We use this option in SSSD.CONF to get the user's 
> home directory:
> 
> ldap_user_home_directory = unixHomeDirectory
> 
> Here are other options that we use:
> 
> ldap_user_search_base = dc=example,dc=com
> ldap_user_object_class = user
> ldap_user_principal = userPrincipalName
> ldap_schema = rfc2307bis
> ldap_user_fullname = displayName
> ldap_user_name = sAMAccountName
> ldap_group_object_class = group
> 
> Upon account creation, UID and GID are stored in AD, and 
> everything works great.  We also do not use DOMAIN\USERNAME 
> logins, just USERNAME.
> 
> Is there a way to achieve this with just WINBIND?
> 
> Thank You!
> 
> -- 
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
> 