[Samba] Replacing SSSD with just WINBIND for NFSv4

Luc Lalonde Luc.Lalonde at polymtl.ca
Wed Sep 1 14:47:49 UTC 2021


Hey Louis,

Again, thanks for your message!

Could you please show me how you resolve different automount directories 
for users without SSSD?

Presently, I use this line with SSSD:

ldap_user_home_directory = unixHomeDirectory

This value is stored in ActiveDirectory and is not the same for all users.

AutoFS maps the users' home directories accordingly (auto.master, 
auto.home[1-4]):

### /etc/auto.master  ##############
/usagers1          /etc/auto.home1 --timeout=60
/usagers2          /etc/auto.home2 --timeout=60
/usagers3          /etc/auto.home3 --timeout=60
/usagers4          /etc/auto.home4 --timeout=60
############################

### /etc/auto.home1 ###################
*    -fstype=nfs4,rw,sec=krb5      fs1.example.com:/&
################################

### /etc/auto.home2 ##################
*    -fstype=nfs4,rw,sec=krb5      fs2.example.com:/&
################################

### /etc/auto.home3 ##################
*    -fstype=nfs4,rw,sec=krb5      fs3.example.com:/&
################################

### /etc/auto.home4 ##################
*    -fstype=nfs4,rw,sec=krb5      fs4.example.com:/&
################################

Thank You!

On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
> I can show you my config for automounted homedirs with kerberised NFSv4.
>
> I saw the AD-DC smb.conf in the other post.
> Great, you use unix IDs.
>
> So my setup: set up any "MEMBER" as you would do normally with RFC2307.
>
> Make sure you have this in smb.conf:
>
>      kerberos method = secrets and keytab
>      dedicated keytab file = /etc/krb5.keytab
>
>      # renew the kerberos ticket
>      winbind refresh tickets = yes
>
>      # Gives username and not DOM\username
>      winbind use default domain = yes
>
> I've added nfs/name.internal.dom.tld to the keytab file with net ads
> (you might want to add cifs/ also to it, can be handy)
>
> In the list "samba4 kerberized nfs4 with sssd ad client"
> https://lists.samba.org/archive/samba/2020-July/231149.html
>
> That's how I run it with a systemd automounter,
> with winbind of course.
>
> If you use it on an AD-DC, I suggest you read this and use the parts you need.
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> This is what it's all about.
> Recommended: Make a custom auth_to_local mapping in your krb5.conf.
> Integrate the following into your configuration krb5.conf
>
> [realms]
>      SAMDOM.EXAMPLE.COM = {
>          auth_to_local = RULE:[1:SAMDOM\$1]
>      }
>
> But read the page before you implement it.
>
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
>> Lalonde via samba
>> Sent: Monday 30 August 2021 19:27
>> To: samba at lists.samba.org
>> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> Hello Folks,
>>
>> I would like to remove SSSD from the equation for NFSv4 +
>> AutoFS mounts.
>>
>> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
>> and AutoFS-NFSv4 for home directories.
>>
>> We have 4 NFS servers that split the load for our Linux
>> clients.   We use this option in SSSD.CONF to get the user's
>> home directory:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> Here are other options that we use:
>>
>> ldap_user_search_base = dc=example,dc=com
>> ldap_user_object_class = user
>> ldap_user_principal = userPrincipalName
>> ldap_schema = rfc2307bis
>> ldap_user_fullname = displayName
>> ldap_user_name = sAMAccountName
>> ldap_group_object_class = group
>>
>> Upon account creation, UID and GID are stored in AD, and
>> everything works great.  We also do not use DOMAIN\USERNAME
>> logins, just USERNAME.
>>
>> Is there a way to achieve this with just WINBIND?
>>
>> Thank You!
>>
>> -- 
>> Luc Lalonde, analyste
>> -----------------------------
>> Département de génie informatique:
>> École polytechnique de MTL
>> (514) 340-4711 x5049
>> Luc.Lalonde at polymtl.ca
>> -----------------------------
>>
>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
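An added check for the setup discussed in this thread (example code, not from Luc's or Louis's messages): when a member server runs winbind with the idmap_ad backend, schema_mode = rfc2307 and `winbind nss info = rfc2307`, `getent passwd` returns the AD unixHomeDirectory, so the wildcard autofs maps shown above need nothing per user. The script embeds the auto.master and auto.home maps from the thread as tables and checks, first, that an smb.conf text carries the settings winbind needs for that, and second, that each home directory winbind hands out falls under one of the autofs mount points (a home under /home/%U is the `template homedir` fallback and would never be mounted). The smb.conf text, the domain name SAMDOM, the id ranges and the passwd lines are constructed sample data, not taken from the poster's systems.

```shell
#!/bin/sh
# Added example (not from the thread): verify the winbind + autofs pieces fit.
# Assumes winbind is the only NSS source for domain users and that smb.conf
# uses "key = value" spacing as in Louis's snippet.

# auto.master from the thread: mount point -> map file
AUTO_MASTER='/usagers1 /etc/auto.home1
/usagers2 /etc/auto.home2
/usagers3 /etc/auto.home3
/usagers4 /etc/auto.home4'

# Each auto.homeN map in the thread is the same wildcard entry
# ("*  -fstype=nfs4,rw,sec=krb5  fsN.example.com:/&") with a different server.
AUTO_HOME_SERVERS='/etc/auto.home1 fs1.example.com
/etc/auto.home2 fs2.example.com
/etc/auto.home3 fs3.example.com
/etc/auto.home4 fs4.example.com'

# Constructed member-server smb.conf; SAMDOM and the ranges are placeholders.
# "winbind nss info = rfc2307" is what makes winbind return unixHomeDirectory
# and loginShell from AD instead of "template homedir" / "template shell".
SAMPLE_SMB_CONF='[global]
   security = ads
   realm = SAMDOM.EXAMPLE.COM
   workgroup = SAMDOM
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind refresh tickets = yes
   winbind use default domain = yes
   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   template homedir = /home/%U
   template shell = /bin/bash'

# Constructed `getent passwd` output: two users with AD home directories and
# one (bob) whose lookup fell back to template homedir.
SAMPLE_PASSWD='luc:*:10001:10000:Luc Lalonde:/usagers1/luc:/bin/bash
alice:*:10002:10000:Alice:/usagers3/alice:/bin/bash
bob:*:10003:10000:Bob:/home/bob:/bin/bash'

# check_winbind_nss_settings "<smb.conf text>": prints every required setting
# that is missing; returns 0 only when all of them are present.
check_winbind_nss_settings() {
    conf=$1
    missing=0
    for want in 'winbind nss info = rfc2307' \
                'schema_mode = rfc2307' \
                'backend = ad' \
                'winbind use default domain = yes'; do
        if ! printf '%s\n' "$conf" | tr -s ' ' | grep -Fq "$want"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# nfs_target_for_home /usagersN/user -> prints "fsN.example.com:/user".
# Prints nothing and returns 1 when the home lies outside every autofs mount
# point, i.e. autofs would never mount it.
nfs_target_for_home() {
    home=$1
    mountpoint=$(printf '%s\n' "$home" | cut -d/ -f1-2)   # "/usagers2"
    key=$(printf '%s\n' "$home" | cut -d/ -f3)            # "luc"
    [ -n "$key" ] || return 1
    mapfile=$(printf '%s\n' "$AUTO_MASTER" | awk -v mp="$mountpoint" '$1 == mp { print $2 }')
    [ -n "$mapfile" ] || return 1
    server=$(printf '%s\n' "$AUTO_HOME_SERVERS" | awk -v mf="$mapfile" '$1 == mf { print $2 }')
    [ -n "$server" ] || return 1
    # the wildcard map substitutes the autofs key for "&" in "server:/&"
    printf '%s:/%s\n' "$server" "$key"
}

# report_homes "<passwd lines>": one line per user naming the NFS export autofs
# would mount, or flagging a home no map covers.
report_homes() {
    printf '%s\n' "$1" | while IFS=: read -r user _ _ _ _ home _; do
        if target=$(nfs_target_for_home "$home"); then
            echo "$user: $home -> $target"
        else
            echo "$user: $home is outside every autofs mount point (template homedir fallback?)"
        fi
    done
}

check_winbind_nss_settings "$SAMPLE_SMB_CONF" && echo "smb.conf: rfc2307 settings present"
report_homes "$SAMPLE_PASSWD"
```

On a real member server the passwd lines come from `getent passwd <user>` after `net ads join` and a winbind restart; if a user shows up under /home instead of /usagersN, winbind is still using `template homedir` and the rfc2307 settings (or the unixHomeDirectory attribute on that account) are what to check.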

