[Samba] Replacing SSSD with just WINBIND for NFSv4
Luc Lalonde
Luc.Lalonde at polymtl.ca
Wed Sep 1 14:47:49 UTC 2021
Hey Louis,
Again, thanks for your message!
Could you please show me how you resolve different automount directories
for users without SSSD?
Presently, I use this line with SSSD:
ldap_user_home_directory = unixHomeDirectory
This value is stored in ActiveDirectory and is not the same for all users.
AutoFS maps the users' home directories accordingly (auto.master,
auto.home[1-4]):
### /etc/auto.master ##############
/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60
############################
### /etc/auto.home1 ###################
* -fstype=nfs4,rw,sec=krb5 fs1.example.com:/&
################################
### /etc/auto.home2 ##################
* -fstype=nfs4,rw,sec=krb5 fs2.example.com:/&
################################
### /etc/auto.home3 ##################
* -fstype=nfs4,rw,sec=krb5 fs3.example.com:/&
################################
### /etc/auto.home4 ##################
* -fstype=nfs4,rw,sec=krb5 fs4.example.com:/&
################################
Thank You!
On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
> I can show you my config for automounted homedirs with kerberised NFSv4.
>
> I saw the AD-DC smb.conf in the other post.
> Great, you use Unix IDs.
>
> So my setup: set up any "MEMBER" as you would do normally with RFC2307.
>
> Make sure you have this in smb.conf:
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> # Gives username and not DOM\username
> winbind use default domain = yes
>
> I've added nfs/name.internal.dom.tld to the keytab file with net ads
> (you might want to add cifs/ to it as well, can be handy)
>
> In the list "samba4 kerberized nfs4 with sssd ad client"
> https://lists.samba.org/archive/samba/2020-July/231149.html
>
> That's how I run it with a systemd automounter,
> with winbind of course.
>
> If you use it on an AD-DC, I suggest reading this and using the parts you need.
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> This is what it's all about.
> Recommended: Make a custom auth_to_local mapping in your krb5.conf.
> Integrate the following into your configuration krb5.conf
>
> [realms]
> SAMDOM.EXAMPLE.COM = {
> auth_to_local = RULE:[1:SAMDOM\$1]
> }
>
> But read the page before you implement it.
>
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
>> Lalonde via samba
>> Sent: Monday 30 August 2021 19:27
>> To: samba at lists.samba.org
>> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> Hello Folks,
>>
>> I would like to remove SSSD from the equation for NFSv4 +
>> AutoFS mounts.
>>
>> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
>> and AutoFS-NFSv4 for home directories.
>>
>> We have 4 NFS servers that split the load for our Linux
>> clients. We use this option in SSSD.CONF to get the users
>> home directory:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> Here are other options that we use:
>>
>> ldap_user_search_base = dc=example,dc=com
>> ldap_user_object_class = user
>> ldap_user_principal = userPrincipalName
>> ldap_schema = rfc2307bis
>> ldap_user_fullname = displayName
>> ldap_user_name = sAMAccountName
>> ldap_group_object_class = group
>>
>> Upon account creation, UID and GID are stored in AD, and
>> everything works great. We also do not use DOMAIN\USERNAME
>> logins, just USERNAME.
>>
>> Is there a way to achieve this with just WINBIND?
>>
>> Thank You!
>>
>> --
>> Luc Lalonde, analyste
>> -----------------------------
>> Département de génie informatique:
>> École polytechnique de MTL
>> (514) 340-4711 x5049
>> Luc.Lalonde at polymtl.ca
>> -----------------------------
>>
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
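As an added illustration (not part of the thread or of Samba/autofs), the resolver below works out which NFSv4 export the auto.master and auto.home[1-4] maps quoted above will mount for a given home directory, which is the value winbind or SSSD must publish from unixHomeDirectory. The map contents are taken from the thread; the passwd-style lines and user names are constructed sample data.

```python
# Added example: resolve a user's home path (as `getent passwd` would show it)
# against the thread's auto.master / auto.home[1-4] maps. Map contents come
# from the thread; SAMPLE_PASSWD is constructed test data, not real accounts.
AUTO_MASTER = """\
/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60
"""
MAPS = {f"/etc/auto.home{i}": f"* -fstype=nfs4,rw,sec=krb5 fs{i}.example.com:/&\n"
        for i in range(1, 5)}
SAMPLE_PASSWD = [  # constructed: what NSS should return once unixHomeDirectory is served
    "alice:*:10001:10000:Alice Example:/usagers2/alice:/bin/bash",
    "bob:*:10002:10000:Bob Example:/home/bob:/bin/bash",  # not under any automount point
]

def parse_master(text):
    """auto.master -> {mount_point: map_path}; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries[parts[0]] = parts[1]
    return entries

def parse_map(text):
    """Indirect map -> [(key, options, location)]; the '-options' field is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[1].startswith("-"):
            rows.append((parts[0], parts[1][1:], parts[2]))
        elif len(parts) == 2:
            rows.append((parts[0], "", parts[1]))
    return rows

def resolve_home(home, master=AUTO_MASTER, maps=MAPS):
    """(mount_point, options, nfs_location) for a home path, or None when no
    automount point covers it (the symptom of a wrong/missing home from NSS)."""
    for mount_point, map_path in parse_master(master).items():
        if not home.startswith(mount_point.rstrip("/") + "/"):
            continue
        key = home[len(mount_point):].strip("/").split("/", 1)[0]
        entries = parse_map(maps.get(map_path, ""))
        # autofs prefers an exact key; '*' is the wildcard fallback and '&' expands to the key
        chosen = [e for e in entries if e[0] == key] or [e for e in entries if e[0] == "*"]
        if not chosen:
            return None
        _, opts, loc = chosen[0]
        return mount_point, opts, loc.replace("&", key)
    return None

def check_users(passwd_lines):
    """user -> resolution result for each passwd-style line (None = would not automount)."""
    return {f[0]: resolve_home(f[5]) for f in (l.split(":") for l in passwd_lines)}
```

On a real client, feed it the sixth field of `getent passwd <user>` to confirm that the home directory winbind returns lands on one of the four fs*.example.com exports with sec=krb5.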