[Samba] Replacing SSSD with just WINBIND for NFSv4

Luc Lalonde Luc.Lalonde at polymtl.ca
Thu Sep 2 20:22:02 UTC 2021


Ok, figured it out...  There was something missing in the 'join'.

If I did a 'kinit username' and typed in my password, I no longer had 
permission problems.

This time I did it using my trusty MSKTUTIL:

msktutil --delegation --dont-expire-password --no-pac --computer-name 
centos8-test -b "OU=Services" -k /etc/krb5.keytab -h 
centos8-test.example.com -s nfs/centos8-test.example.com --upn 
nfs/centos8-test.example.com --verbose

Then I did a 'net ads join'... Everything works now ;-)

From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?

Also, with SSSD, I just needed the keytab file.   I didn't need to run 
the 'net ads join'.   Is there a way to automate this for multiple 
machines via a script?


On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
> Hello again,
>
> My mounts are working as described in my earlier posts...
>
> However, I get 'permission denied' when I try to access my home 
> directory.
>
> Here's my config file:
>
> [global]
>     workgroup = EXAMPLE
>     realm = EXAMPLE.COM
>     security = ADS
>     kerberos method = secrets and keytab
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind use default domain = yes
>     winbind expand groups = 2
>     winbind refresh tickets = Yes
>     winbind enum groups = Yes
>     winbind enum users = Yes
>
>     idmap config *:backend = tdb
>     idmap config *:range = 200-999
>     idmap config EXAMPLE:backend = ad
>     idmap config EXAMPLE:schema_mode = rfc2307
>     idmap config EXAMPLE:unix_nss_info = yes
>     idmap config EXAMPLE:range = 1100-999999
>     idmap config EXAMPLE:unix_primary_group = yes
>
>     username map = /etc/samba/user.map
>
> I think I'm almost there... Is there something missing with my ID 
> mapping?   Do you need to see my /etc/krb5.conf?
>
> Thanks!
>
> On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Rowland Penny via samba
>>> Sent: Thursday 2 September 2021 16:40
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>>
>>> On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
>>>> Hello Louis,
>>>>
>>>> I'm still getting all the info together but I think that you're
>>>> right.
>>>>
>>>> This directive on the client's configuration should make sure that
>>>> unixHomeDirectory is properly passed along to AutoFS:
>>>>
>>>>> idmap config DOMAIN : unix_nss_info
>>>> I'm going to do some tests and get back to you!
>>>>
>>>> Thank You!.
>>>>
>>> I am getting lost here, I thought that autofs, when using NFS, could
>>> only mount what the NFS server is exporting and that is fixed i.e. all
>>> users will use /path/to/usersdir from the NFS server. This means that
>>> you cannot use different paths for different users, or am I missing
>>> something ?
>>
>> If I read correctly what Luc showed:
>>
>> Let's say I have as homedir: /usagers1/username
>> /usagers1/username  Mounts on fs1.example.com:/&
>>
>> If I change it to /usagers2/username I move to server2
>> /usagers2/username   Mounts on fs2.example.com:/&
>>
>> I never used automount like that, but if it works, I'll document it.
>> So I wait for Luc's success message :-))
>>
>> Where it often goes wrong is the missing SPNs, then a user can't mount 
>> his homedir.
>> The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
>>
>>
>>> I can think of one way around this, but it doesn't involve
>>> unixhomedirectory or NFS
>> Always ears and open for new ideas :-)
>> How would you do this?
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
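A pre-flight check for the setup discussed in this thread, added here as an example; it is not code from the thread or from the Samba project. It parses the [global] section quoted above (embedded as a constructed string, including the "kerberos method" parameter that appears twice in the configuration as posted), reports duplicated parameters and overlapping idmap ranges, and checks a constructed "klist -k" listing for the nfs/FQDN@REALM service principal that Louis names as the usual missing piece. The hostname centos8-test.example.com and realm EXAMPLE.COM come from the thread; the keytab listing and the extra host/ and machine-account principals in it are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: the [global] section quoted in the thread, as posted.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind enum groups = Yes
    winbind enum users = Yes

    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:unix_nss_info = yes
    idmap config EXAMPLE:range = 1100-999999
    idmap config EXAMPLE:unix_primary_group = yes

    username map = /etc/samba/user.map
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output (not a real capture).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CENTOS8-TEST$@EXAMPLE.COM
   2 nfs/centos8-test.example.com@EXAMPLE.COM
   2 host/centos8-test.example.com@EXAMPLE.COM
"""


def parse_section(text, section="global"):
    """Return {parameter: [value, ...]} for one smb.conf section.
    Parameter names are lower-cased with whitespace collapsed and spaces
    around ':' removed, mirroring Samba's case/space-insensitive matching."""
    values = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current != section.lower() or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
        values[key].append(value.strip())
    return values


def duplicate_keys(conf):
    """Parameters given more than once; Samba keeps the last occurrence."""
    return sorted(k for k, v in conf.items() if len(v) > 1)


def idmap_ranges(conf):
    """Map each idmap domain (lower-cased) to its (low, high) UID/GID range."""
    ranges = {}
    for key, vals in conf.items():
        m = re.match(r"idmap config (.+):range$", key)
        if m:
            low, high = vals[-1].split("-")
            ranges[m.group(1)] = (int(low), int(high))
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect. Samba requires disjoint
    ranges; otherwise one SID can be mapped onto an ID owned by another backend."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def keytab_principals(klist_text):
    """Principals listed by `klist -k`, skipping the header lines."""
    return [m.group(1) for m in
            (re.match(r"\s*\d+\s+(\S+@\S+)$", l) for l in klist_text.splitlines())
            if m]


def preflight(smb_conf, klist_text, fqdn):
    """Collect configuration problems for an ADS member that serves NFSv4."""
    conf = parse_section(smb_conf)
    realm = conf.get("realm", [""])[-1]
    problems = []
    if conf.get("security", [""])[-1].lower() != "ads":
        problems.append("security is not ADS")
    problems += [f"duplicate parameter: {k}" for k in duplicate_keys(conf)]
    problems += [f"idmap ranges overlap: {a} and {b}"
                 for a, b in overlapping_ranges(idmap_ranges(conf))]
    spn = f"nfs/{fqdn}@{realm}"
    if spn not in keytab_principals(klist_text):
        problems.append(f"keytab lacks {spn}")
    return problems


if __name__ == "__main__":
    for p in preflight(SMB_CONF, KLIST_OUTPUT, "centos8-test.example.com"):
        print("WARN:", p)
```

On a real member server, feed it open("/etc/samba/smb.conf").read() and the stdout of subprocess.run(["klist", "-k", "/etc/krb5.keytab"], capture_output=True, text=True) instead of the two embedded strings. With the thread's configuration the only finding is the doubled "kerberos method" line, which is harmless because both copies agree; the range check matters more once a second idmap domain is added.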
