[Samba] Replacing SSSD with just WINBIND for NFSv4
Luc Lalonde
Luc.Lalonde at polymtl.ca
Thu Sep 2 20:22:02 UTC 2021
Ok, figured it out... There was something missing in the 'join'.
If I did a 'kinit username' and typed in my password, I no longer had
permission problems.
This time I did it using my trusty MSKTUTIL:
msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test \
  -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com \
  -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
Then I did a 'net ads join'... Everything works now ;-)
From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I
just have WINBIND?
Also, with SSSD, I just needed the keytab file. I didn't need to run
the 'net ads join'. Is there a way to automate this for multiple
machines via a script?
On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
> Hello again,
>
> My mounts are working as described in my earlier posts...
>
> However, I get 'permission denied' when I try to access my home
> directory.
>
> Here's my config file:
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> security = ADS
> kerberos method = secrets and keytab
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
>
> idmap config *:backend = tdb
> idmap config *:range = 200-999
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:unix_nss_info = yes
> idmap config EXAMPLE:range = 1100-999999
> idmap config EXAMPLE:unix_primary_group = yes
>
> username map = /etc/samba/user.map
>
> I think I'm almost there... Is there something missing with my ID
> mapping? Do you need to see my /etc/krb5.conf?
>
> Thanks!
>
> On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Rowland Penny via samba
>>> Sent: Thursday 2 September 2021 16:40
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>>
>>> On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
>>>> Hello Louis,
>>>>
>>>> I'm still getting all the info together but I think that you're
>>>> right.
>>>>
>>>> This directive on the client's configuration should make sure that
>>>> unixHomeDirectory is properly passed along to AutoFS:
>>>>
>>>>> idmap config DOMAIN : unix_nss_info
>>>> I'm going to do some tests and get back to you!
>>>>
>>>> Thank You!.
>>>>
>>> I am getting lost here, I thought that autofs, when using NFS, could
>>> only mount what the NFS server is exporting and that is fixed i.e. all
>>> users will use /path/to/usersdir from the NFS server. This means that
>>> you cannot use different paths for different users, or am I missing
>>> something ?
>>
>> If I read correctly what Luc showed.
>>
>> Let's say I have as homedir: /usagers1/username
>> /usagers1/username mounts on fs1.example.com:/&
>>
>> If I change it to /usagers2/username I move to server2
>> /usagers2/username mounts on fs2.example.com:/&
>>
>> I never used automount like that, but if it works, I'll document it.
>> So I wait for Luc's success message :-))
>>
>> Where it often goes wrong is the missing SPNs, then a user can mount
>> his homedir
>> The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
>>
>>
>>> I can think of one way around this, but it doesn't involve
>>> unixhomedirectory or NFS
>> Always all ears and open for new ideas :-)
>> How would you do this?
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
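A check for the missing-SPN failure Louis describes and for the keytab Luc built with msktutil: this is an added example, not code from the thread, that reads `klist -k` output (a constructed sample is embedded) and confirms the host/ and nfs/ principals for a given FQDN and realm are present; it goes a step beyond the thread by also flagging entries whose newest key lags the account's current KVNO, which is what a stale keytab after a re-join looks like.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    kvno: int
    principal: str


# Body lines of MIT `klist -k` output look like "   2 nfs/host.example.com@EXAMPLE.COM".
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# Constructed sample output, not a real keytab listing: the nfs/ SPN is one
# KVNO behind the rest, as happens when it was added before a later re-join.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CENTOS8-TEST$@EXAMPLE.COM
   3 host/centos8-test.example.com@EXAMPLE.COM
   2 nfs/centos8-test.example.com@EXAMPLE.COM
"""


def parse_klist(text: str) -> list[Entry]:
    """Parse `klist -k` output, skipping the header and separator lines."""
    return [Entry(int(m.group(1)), m.group(2))
            for m in map(_ENTRY_RE.match, text.splitlines()) if m]


def check_spns(entries: list[Entry], fqdn: str, realm: str) -> dict:
    """Report SPNs an NFSv4 client host needs but lacks, quick/dirty root/
    SPNs, and principals whose newest key is behind the account's KVNO."""
    wanted = {f"{svc}/{fqdn}@{realm}" for svc in ("host", "nfs")}
    newest = {}  # principal -> highest KVNO present in the keytab
    for e in entries:
        newest[e.principal] = max(e.kvno, newest.get(e.principal, 0))
    current = max(newest.values(), default=0)
    findings = {
        "missing": sorted(wanted - set(newest)),
        "root_spn": sorted(p for p in newest if p.startswith("root/")),
        # All SPNs live on one computer account, so their newest keys share
        # that account's KVNO; a lower one cannot decrypt fresh tickets.
        "stale": sorted(p for p, k in newest.items() if k < current),
    }
    findings["ok"] = not findings["missing"] and not findings["stale"]
    return findings


if __name__ == "__main__":
    report = check_spns(parse_klist(SAMPLE_KLIST),
                        "centos8-test.example.com", "EXAMPLE.COM")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the real listing with `klist -k /etc/krb5.keytab` on the client; `klist -k -t` adds timestamp columns the regex does not handle.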