[Samba] Replacing SSSD with just WINBIND for NFSv4

Luc Lalonde luc.lalonde at polymtl.ca
Tue Aug 31 17:55:26 UTC 2021


Ok, thanks.  Right, now I'm in the 'taking notes' stage and waiting for
Rowland to weigh in with his opinion.

On 8/31/21 4:47 AM, L.P.H. van Belle via samba wrote:
> I can show you my config for automounted homedirs with kerberised NFSv4.
>
> I saw the AD-DC smb.conf in the other post.
> Great, you use unix id's.
>
> So my setup: set up any "MEMBER" as you would normally do with RFC2307.
>
> Make sure you have this in smb.conf:
>
>      kerberos method = secrets and keytab
>      dedicated keytab file = /etc/krb5.keytab
>
>      # renew the kerberos ticket
>      winbind refresh tickets = yes
>
>      # Gives username and not DOM\username
>      winbind use default domain = yes
>
> I've added nfs/name.internal.dom.tld to the keytab file with net ads
> ( you might want to add cifs/ also to it, can be handy )
>
> In the list "samba4 kerberized nfs4 with sssd ad client"
> https://lists.samba.org/archive/samba/2020-July/231149.html
>
> That's how I run it with a systemd automounter,
> with winbind of course.
>
> If you use it on an AD-DC, I suggest reading this and using the parts you need.
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> This is what it's all about.
> Recommended: Make a custom auth_to_local mapping in your krb5.conf.
> Integrate the following into your configuration krb5.conf
>
> [realms]
>      SAMDOM.EXAMPLE.COM = {
>          auth_to_local = RULE:[1:SAMDOM\$1]
>      }
>
> But read the page before you implement it.
>
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
>> Lalonde via samba
>> Sent: Monday 30 August 2021 19:27
>> To: samba at lists.samba.org
>> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> Hello Folks,
>>
>> I would like to remove SSSD from the equation for NFSv4 +
>> AutoFS mounts.
>>
>> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
>> and AutoFS-NFSv4 for home directories.
>>
>> We have 4 NFS servers that split the load for our Linux
>> clients.  We use this option in SSSD.CONF to get the users'
>> home directory:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> Here are other options that we use:
>>
>> ldap_user_search_base = dc=example,dc=com
>> ldap_user_object_class = user
>> ldap_user_principal = userPrincipalName
>> ldap_schema = rfc2307bis
>> ldap_user_fullname = displayName
>> ldap_user_name = sAMAccountName
>> ldap_group_object_class = group
>>
>> Upon account creation, UID and GID are stored in AD, and
>> everything works great.  We also do not use DOMAIN\USERNAME
>> logins, just USERNAME.
>>
>> Is there a way to achieve this with just WINBIND?
>>
>> Thank You!
>>
>> -- 
>> Luc Lalonde, analyste
>> -----------------------------
>> Department of Computer Engineering:
>> École polytechnique de MTL
>> (514) 340-4711 x5049
>> Luc.Lalonde at polymtl.ca
>> -----------------------------
>>
>
-- 
Luc Lalonde, analyste
-----------------------------
Department of Computer and Software Engineering:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
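The auth_to_local rule Louis quotes (RULE:[1:SAMDOM\$1]) is easier to reason about once you see how krb5 walks it. The Python below is an added example, not code from this thread, from Samba or from MIT krb5; it re-implements the documented RULE syntax ([n:string], optional (regexp), optional s/pattern/replacement/g) and runs it over constructed principals, with a second constructed rule (RULE_WITH_SED) to exercise the regexp and substitution parts. Two simplifications are assumed: the regexp must match the whole formatted string, and the replacement is inserted literally.

```python
import re
from typing import Optional

# Constructed rules: the first is the one quoted in the thread, the second
# is a constructed rule that exercises the optional (regexp) and s/// parts.
RULE_FROM_MAIL = r"RULE:[1:SAMDOM\$1]"
RULE_WITH_SED = r"RULE:[1:$1@$0](^.*@SAMDOM\.EXAMPLE\.COM$)s/@SAMDOM\.EXAMPLE\.COM/@SAMDOM/"

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// are optional)
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"       # [n:string]
    r"(?:\(([^)]*)\))?"               # (regexp)
    r"(?:s/([^/]*)/([^/]*)/(g?))?$"   # s/pattern/replacement/g
)


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one auth_to_local RULE; None means the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, regexp, pattern, replacement, gflag = m.groups()
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    # A rule applies only to principals with exactly n components, so the
    # 1-component rule from the mail never touches nfs/host or cifs/host.
    if len(components) != int(ncomp):
        return None
    # $0 is the realm, $1..$n the components; everything else is copied
    # literally, the backslash included, which is how SAMDOM\$1 yields SAMDOM\user.
    formatted = re.sub(
        r"\$(\d+)",
        lambda d: realm if d.group(1) == "0" else components[int(d.group(1)) - 1],
        fmt,
    )
    # Simplification: the regexp has to match the whole formatted string.
    if regexp is not None and re.fullmatch(regexp, formatted) is None:
        return None
    if pattern is not None:  # literal replacement; 'g' makes it global
        formatted = re.sub(pattern, lambda _: replacement, formatted,
                           count=0 if gflag else 1)
    return formatted


def map_principal(rules, principal: str) -> Optional[str]:
    """First applicable rule wins, as krb5 walks the list; None = no mapping."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

With only the rule from the mail configured, a user principal becomes SAMDOM\user (which winbind resolves even with "winbind use default domain = yes"), while a two-component nfs/host principal is left unmapped.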