[Samba] Replacing SSSD with just WINBIND for NFSv4

Luc Lalonde Luc.Lalonde at polymtl.ca
Thu Sep 2 13:53:43 UTC 2021


Hello Louis,

I'm still getting all the info together but I think that you're right.

This directive on the client's configuration should make sure that 
unixHomeDirectory is properly passed along to AutoFS:

idmap config DOMAIN : unix_nss_info

I'm going to do some tests and get back to you!

Thank You!


On 2021-09-02 3:35 a.m., L.P.H. van Belle via samba wrote:
> Hi Luc,
>
> Let me start with 2 things.
> 1) I never used SSSD
> 2) I only have 1 server for all home directories here.
>     But it also uses unixHomeDirectory
>
> So that said.
>
> On below, that's a good one, the different homedirs are not the problem,
> I'm wondering how I would point user homedirs to another server..
>
> And so far I can't think of one for my current setup.
> In my setup there is only 1 server holding all homedirs.
>
> But I'm also thinking, why should this not work without sssd.
> unixHomeDirectory still is unixHomeDirectory
> When samba/winbind is set up
>
> Run :
> id username
> getent passwd username
>
> If the output is correct, then below should work in my opinion.
> Now, if your "users" can't trigger the mount, then you're most probably
> missing SPN nfs/ or root/
>
> What's the OS running this?
> You already tried something and hit errors, then show me the errors.
>
> So far,
>
> Greetz,
>
> Louis
>
>
>> -----Original Message-----
>> From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
>> Sent: Wednesday 1 September 2021 16:48
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> Hey Louis,
>>
>> Again, thanks for your message!
>>
>> Could you please show me how you resolve different automount
>> directories for users without SSSD?
>>
>> Presently, I use this line with SSSD:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> This value is stored in ActiveDirectory and is not the same
>> for all users.
>>
>> AutoFs maps the users home directory accordingly (auto.master,
>> auto.home[1-4]):
>>
>> ### /etc/auto.master  ##############
>> /usagers1          /etc/auto.home1 --timeout=60
>> /usagers2          /etc/auto.home2 --timeout=60
>> /usagers3          /etc/auto.home3 --timeout=60
>> /usagers4          /etc/auto.home4 --timeout=60
>> ############################
>>
>> ### /etc/auto.home1 ###################
>> *    -fstype=nfs4,rw,sec=krb5      fs1.example.com:/&
>> ################################
>>
>> ### /etc/auto.home2 ##################
>> *    -fstype=nfs4,rw,sec=krb5      fs2.example.com:/&
>> ################################
>>
>> ### /etc/auto.home3 ##################
>> *    -fstype=nfs4,rw,sec=krb5      fs3.example.com:/&
>> ################################
>>
>> ### /etc/auto.home4 ##################
>> *    -fstype=nfs4,rw,sec=krb5      fs4.example.com:/&
>> ################################
>>
>> Thank You!
>>
>> On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
>>> I can show you my config for automounted homedirs with
>>> kerberised NFSv4.
>>> I saw the AD-DC smb.conf in the other post.
>>> Great, you use unix id's.
>>>
>>> So my setup: set up any "MEMBER" as you would do normally
>>> with RFC2307.
>>> Make sure you have this in smb.conf:
>>>
>>>       kerberos method = secrets and keytab
>>>       dedicated keytab file = /etc/krb5.keytab
>>>
>>>       # renew the kerberos ticket
>>>       winbind refresh tickets = yes
>>>
>>>       # Gives username and not DOM\username
>>>       winbind use default domain = yes
>>>
>>> I've added nfs/name.internal.dom.tld to the keytab file
>>> with net ads
>>> ( you might want to add cifs/ also to it, can be handy )
>>>
>>> In the list "samba4 kerberized nfs4 with sssd ad client"
>>> https://lists.samba.org/archive/samba/2020-July/231149.html
>>>
>>> That's how I run it with a systemd automounter,
>>> with winbind of course.
>>>
>>> If you use it on an AD-DC, I suggest you read this and use the
>>> parts you need.
>>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>> This is what its all about.
>>> Recommended: Make a custom auth_to_local mapping in your krb5.conf.
>>> Integrate the following into your configuration krb5.conf
>>>
>>> [realms]
>>>       SAMDOM.EXAMPLE.COM = {
>>>           auth_to_local = RULE:[1:SAMDOM\$1]
>>>       }
>>>
>>> But read the page before you implement it.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
>>>> Lalonde via samba
>>>> Sent: Monday 30 August 2021 19:27
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>>>
>>>> Hello Folks,
>>>>
>>>> I would like to remove SSSD from the equation for NFSv4 +
>>>> AutoFS mounts.
>>>>
>>>> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
>>>> and AutoFS-NFSv4 for home directories.
>>>>
>>>> We have 4 NFS servers that split the load for our Linux
>>>> clients.   We use this option in SSSD.CONF to get the users
>>>> home directory:
>>>>
>>>> ldap_user_home_directory = unixHomeDirectory
>>>>
>>>> Here are other options that we use:
>>>>
>>>> ldap_user_search_base = dc=example,dc=com
>>>> ldap_user_object_class = user
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_schema = rfc2307bis
>>>> ldap_user_fullname = displayName
>>>> ldap_user_name = sAMAccountName
>>>> ldap_group_object_class = group
>>>>
>>>> Upon account creation, UID and GID are stored in AD, and
>>>> everything works great.  We also do not use DOMAIN\USERNAME
>>>> logins, just USERNAME.
>>>>
>>>> Is there a way to achieve this with just WINBIND?
>>>>
>>>> Thank You!
>>>>
>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
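A set of checks for the points raised in this thread: that getent passwd returns the AD unixHomeDirectory rather than a template home, that the member's smb.conf carries the unix_nss_info setting, that the nfs/ SPN is present in /etc/krb5.keytab, and that the autofs maps really mount with sec=krb5. This is an added example, not part of the original thread and not Samba's own tooling. It assumes a POSIX shell with awk and cut, the MIT Kerberos klist -k listing format, and made-up names (domain SAMDOM, realm SAMDOM.EXAMPLE.COM, host client1.example.com, user alice); the smb.conf, getent, klist and map text embedded in it is constructed by hand, not captured from a real host.

```shell
#!/bin/sh
# Checks for a winbind-only member that automounts kerberised NFSv4 home
# directories from AD's unixHomeDirectory. Added example; not from the thread.
# All sample text below is constructed by hand; SAMDOM, client1.example.com
# and the user alice are made-up names.

# Constructed sample: the member smb.conf pieces that make winbind hand the AD
# unixHomeDirectory/loginShell to NSS instead of 'template homedir'.
SMB_CONF_SAMPLE='[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind refresh tickets = yes
   winbind use default domain = yes
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes'

# Constructed 'getent passwd alice' lines: the AD value, and what the default
# 'template homedir = /home/%D/%U' would produce instead.
GETENT_OK='alice:*:10001:10001:Alice:/usagers2/alice:/bin/bash'
GETENT_TEMPLATE='alice:*:10001:10001:Alice:/home/SAMDOM/alice:/bin/bash'

# Constructed auto.master and auto.home maps in the thread's layout.
AUTO_MASTER_SAMPLE='/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60'
AUTO_HOME_SAMPLE='*    -fstype=nfs4,rw,sec=krb5      fs2.example.com:/&'
AUTO_HOME_WEAK='*    -fstype=nfs4,rw,sec=sys       fs2.example.com:/&'

# Constructed 'klist -k /etc/krb5.keytab' listing (MIT Kerberos format).
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/client1.example.com@SAMDOM.EXAMPLE.COM
   3 nfs/client1.example.com@SAMDOM.EXAMPLE.COM'

# check_unix_nss_info <smb.conf text> <DOMAIN>
# 0 when 'idmap config DOMAIN : unix_nss_info = yes' is set for that domain.
check_unix_nss_info() {
    printf '%s\n' "$1" | awk -F= -v dom="$2" '
        /^[[:space:]]*[#;]/ || NF == 0 { next }
        { key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
          gsub(/[[:space:]]*:[[:space:]]*/, ":", key)
          val = $2; gsub(/[[:space:]]/, "", val)
          if (key == "idmap config " dom ":unix_nss_info" && val == "yes") found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_home <getent passwd line> <auto.master text>
# 0 when the home directory is absolute and its first path component is one of
# the auto.master mount points, i.e. it came from AD, not from the template.
check_home() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case $home in
        /?*) ;;
        *) return 1 ;;
    esac
    top=/$(printf '%s\n' "$home" | cut -d/ -f2)
    printf '%s\n' "$2" | awk -v mp="$top" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == mp { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_nfs_spn <klist -k output> <client fqdn> <REALM>
# 0 when the keytab holds nfs/<fqdn>@<REALM>; rpc.gssd uses such an entry as
# the client's machine credential for a sec=krb5 mount (root/ or host/ also
# qualify, which is why the thread mentions "nfs/ or root/").
check_nfs_spn() {
    printf '%s\n' "$1" | awk -v want="nfs/$2@$3" '
        NF >= 2 && $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_map_krb <auto.home map text>
# 0 when every map entry mounts with sec=krb5, krb5i or krb5p; an entry left
# at sec=sys would trust client-asserted UIDs instead of Kerberos identities.
check_map_krb() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { ok = 0
          for (i = 2; i <= NF; i++)
              if ($i ~ /(^|,)sec=krb5[ip]?(,|$)/) ok = 1
          if (!ok) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Demo on the constructed samples.
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
report check_unix_nss_info "$SMB_CONF_SAMPLE" SAMDOM
report check_home "$GETENT_OK" "$AUTO_MASTER_SAMPLE"
report check_home "$GETENT_TEMPLATE" "$AUTO_MASTER_SAMPLE"
report check_nfs_spn "$KLIST_SAMPLE" client1.example.com SAMDOM.EXAMPLE.COM
report check_map_krb "$AUTO_HOME_SAMPLE"
report check_map_krb "$AUTO_HOME_WEAK"
```

On a real member, feed the functions live output instead of the samples, for example check_home "$(getent passwd alice)" "$(cat /etc/auto.master)" and check_nfs_spn "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" SAMDOM.EXAMPLE.COM. A template-style home such as /home/SAMDOM/alice fails check_home; that is the symptom of winbind still using template homedir instead of the AD attribute, which is what the unix_nss_info setting is meant to fix. Heimdal's ktutil list prints a different layout, so check_nfs_spn only understands MIT klist output as written.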
