[Samba] Replacing SSSD with just WINBIND for NFSv4

L.P.H. van Belle belle at bazuin.nl
Thu Sep 2 07:35:43 UTC 2021


Hi Luc, 

Let me start with 2 things. 
1) I never used SSSD
2) I only have 1 server for all home directories here.  
   But it also uses unixHomeDirectory

So that said. 

On the below, that's a good one; the different homedirs are not the problem,
I'm wondering how I would point user homedirs to another server.

And so far I can't think of one for my current setup. 
In my setup there is only 1 server holding all homedirs.

But I'm also thinking, why should this not work without SSSD. 
unixHomeDirectory still is unixHomeDirectory 
when samba/winbind is set up. 

Run: 
id username
getent passwd username

If the output is correct, then the below should work in my opinion. 
Now, if your "users" can't trigger the mount, then you're most probably 
missing SPN nfs/ or root/. 

What's the OS running this? 
If you already tried something and hit errors, then show me the errors. 

So far, 

Greetz, 

Louis


> -----Original message-----
> From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca] 
> Sent: Wednesday 1 September 2021 16:48
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
> 
> Hey Louis,
> 
> Again, thanks for your message!
> 
> Could you please show me how you resolve different automount 
> directories for users without SSSD?
> 
> Presently, I use this line with SSSD:
> 
> ldap_user_home_directory = unixHomeDirectory
> 
> This value is stored in ActiveDirectory and is not the same 
> for all users.
> 
> AutoFs maps the user's home directory accordingly (auto.master, 
> auto.home[1-4]):
> 
> ### /etc/auto.master  ##############
> /usagers1          /etc/auto.home1 --timeout=60
> /usagers2          /etc/auto.home2 --timeout=60
> /usagers3          /etc/auto.home3 --timeout=60
> /usagers4          /etc/auto.home4 --timeout=60
> ############################
> 
> ### /etc/auto.home1 ###################
> *    -fstype=nfs4,rw,sec=krb5      fs1.example.com:/&
> ################################
> 
> ### /etc/auto.home2 ##################
> *    -fstype=nfs4,rw,sec=krb5      fs2.example.com:/&
> ################################
> 
> ### /etc/auto.home3 ##################
> *    -fstype=nfs4,rw,sec=krb5      fs3.example.com:/&
> ################################
> 
> ### /etc/auto.home4 ##################
> *    -fstype=nfs4,rw,sec=krb5      fs4.example.com:/&
> ################################
> 
> Thank You!
> 
> On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
> > I can show you my config for automounted homedirs with kerberised NFSv4.
> >
> > I saw the AD-DC smb.conf in the other post.
> > Great, you use unix IDs.
> >
> > So my setup: set up any "MEMBER" as you would do normally with RFC2307.
> >
> > Make sure you have this in smb.conf:
> >
> >      kerberos method = secrets and keytab
> >      dedicated keytab file = /etc/krb5.keytab
> >
> >      # renew the kerberos ticket
> >      winbind refresh tickets = yes
> >
> >      # Gives username and not DOM\username
> >      winbind use default domain = yes
> >
> > I've added nfs/name.internal.dom.tld to the keytab file with net ads
> > ( you might want to add cifs/ also to it, can be handy )
> >
> > In the list "samba4 kerberized nfs4 with sssd ad client"
> > https://lists.samba.org/archive/samba/2020-July/231149.html
> >
> > That's how I run it with a systemd automounter,
> > with winbind of course.
> >
> > If you use it on an AD-DC, I suggest reading this and using the parts you need.
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> > This is what it's all about.
> > Recommended: Make a custom auth_to_local mapping in your krb5.conf.
> > Integrate the following into your configuration krb5.conf
> >
> > [realms]
> >      SAMDOM.EXAMPLE.COM = {
> >          auth_to_local = RULE:[1:SAMDOM\$1]
> >      }
> >
> > But read the page before you implement it.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
> >> Lalonde via samba
> >> Sent: Monday 30 August 2021 19:27
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
> >>
> >> Hello Folks,
> >>
> >> I would like to remove SSSD from the equation for NFSv4 +
> >> AutoFS mounts.
> >>
> >> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
> >> and AutoFS-NFSv4 for home directories.
> >>
> >> We have 4 NFS servers that split the load for our Linux
> >> clients. We use this option in SSSD.CONF to get the users
> >> home directory:
> >>
> >> ldap_user_home_directory = unixHomeDirectory
> >>
> >> Here are other options that we use:
> >>
> >> ldap_user_search_base = dc=example,dc=com
> >> ldap_user_object_class = user
> >> ldap_user_principal = userPrincipalName
> >> ldap_schema = rfc2307bis
> >> ldap_user_fullname = displayName
> >> ldap_user_name = sAMAccountName
> >> ldap_group_object_class = group
> >>
> >> Upon account creation, UID and GID are stored in AD, and
> >> everything works great.  We also do not use DOMAIN\USERNAME
> >> logins, just USERNAME.
> >>
> >> Is there a way to achieve this with just WINBIND?
> >>
> >> Thank You!
> >>
> >> -- 
> >> Luc Lalonde, analyste
> >> -----------------------------
> >> Département de génie informatique:
> >> École polytechnique de MTL
> >> (514) 340-4711 x5049
> >> Luc.Lalonde at polymtl.ca
> >> -----------------------------
> >>
> >
> -- 
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
> 
> 
> 
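As an added diagnostic (example code written for this thread, not Louis's or Luc's own setup), the script below applies the checks from Louis's reply offline: it takes a `getent passwd` line and an auto.master in Luc's layout as constructed sample input, reports which autofs map would serve the user's unixHomeDirectory, and checks a `klist -k` listing for the nfs/ service principal. The `check_user` wrapper that calls the real `getent` and `klist` assumes a domain member with winbind in nsswitch and the keytab at /etc/krb5.keytab, as in the smb.conf Louis quoted.

```shell
#!/bin/sh
# Added example: offline version of Louis's "id/getent, then check the SPN" checks.
# All sample values below are constructed for illustration, not taken from the thread.

# Constructed getent output: this user's home lives under the /usagers2 autofs map.
SAMPLE_PASSWD='luc:*:10001:10001:Luc Lalonde:/usagers2/luc:/bin/bash'

# Constructed auto.master in Luc's layout (comments and blank lines are skipped).
SAMPLE_AUTOMASTER='# /etc/auto.master
/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60'

# Constructed "klist -k" listings, one with and one without the nfs/ principal.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM'
SAMPLE_KLIST_MISSING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM'

# Field 6 of a passwd line is the home directory winbind built from unixHomeDirectory.
home_dir() { printf '%s\n' "$1" | cut -d: -f6; }

# Print the autofs map whose mount point is a prefix of the home dir; fail if none matches.
autofs_map_for_home() {
  home=$1
  while read -r mount_point map _opts; do
    case $mount_point in ''|'#'*) continue ;; esac
    case $home in "$mount_point"/*) printf '%s\n' "$map"; return 0 ;; esac
  done <<EOF
$2
EOF
  return 1
}

# Succeed if the keytab listing carries at least one nfs/ service principal.
has_nfs_spn() { printf '%s\n' "$1" | grep -q '^ *[0-9][0-9]* nfs/'; }

# Live check on a domain member (assumed: getent/klist present, winbind in nsswitch).
check_user() {
  line=$(getent passwd "$1") || { echo "winbind does not resolve $1"; return 1; }
  home=$(home_dir "$line")
  map=$(autofs_map_for_home "$home" "$(cat /etc/auto.master)") ||
    { echo "$home is under no auto.master mount point"; return 1; }
  echo "$1 -> $home served by $map"
  has_nfs_spn "$(klist -k /etc/krb5.keytab)" || { echo "no nfs/ SPN in keytab"; return 1; }
}
```

Run `check_user username` on the client; a home directory outside every auto.master mount point or a keytab without nfs/ is reported before any mount is attempted.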