[Samba] Replacing SSSD with just WINBIND for NFSv4
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 3 07:28:03 UTC 2021
Hai Luc,
Great to hear it works now.
Small note. This,
> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
Is not really needed if you just joined and added the SPN.
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
This adds the NFS SPN to /etc/krb5.keytab and to AD.
Do note, the way you did it above isn't wrong either.
> From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?
Depends on how you use this server: if it's only for auth, winbind is sufficient; for file sharing, also start smbd.
You don't need NMBD, unless you want network browsing.
None of my servers have NMBD enabled, but I've also disabled network browsing on the Windows PCs.
Greetz,
Louis
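As an added example (not code from the thread, and not Samba's own), the two points in the reply above turned into a script: the check a practitioner wants after `net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator` (is nfs/<fqdn>@<REALM> really in /etc/krb5.keytab, with the realm in the right case?), and the choice of daemons for an auth-only host versus a file server. It assumes the thread's names (realm EXAMPLE.COM, host centos8-test.example.com) and a host that has already done `net ads join`; the `klist -k` output embedded in it is constructed, not captured from a real machine. The function and role names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes a host that already ran
# `net ads join`, realm EXAMPLE.COM and hostname centos8-test.example.com
# as in the thread. The klist output below is constructed.
set -eu

# Check that a `klist -k` listing (read from stdin) contains the principal
# nfs/<fqdn>@<REALM>. The match is a whole-line, case-sensitive literal:
# Kerberos realms are case-sensitive, so nfs/host@example.com is not the
# key NFSv4 clients will ask for when the realm is EXAMPLE.COM.
keytab_has_nfs_spn() {
  local fqdn="$1" realm="$2"
  # klist -k prints "KVNO Principal" rows; awk takes the principal column,
  # grep -Fx requires the whole line to equal the literal string
  awk 'NF >= 2 { print $2 }' | grep -Fx "nfs/${fqdn}@${realm}" >/dev/null
}

# Which daemons to enable for the server's role (as in the reply above):
#   auth        -> winbind only (identity/Kerberos for NFSv4, no SMB shares)
#   fileserver  -> winbind plus smbd
# nmbd is in neither list: it is only needed for NetBIOS network browsing.
daemons_for_role() {
  case "$1" in
    auth)       echo "winbind" ;;
    fileserver) echo "winbind smbd" ;;
    *) echo "unknown role: $1 (expected auth|fileserver)" >&2; return 1 ;;
  esac
}

# Live procedure for a joined host: register the nfs/ SPN in AD and in the
# local keytab with one command, verify the keytab really has it, then
# enable the daemons for the role. Needs AD connectivity and Administrator
# credentials, so it only runs when the script is invoked with 'apply'.
register_nfs_spn() {
  local role="$1" realm="$2"
  local fqdn; fqdn=$(hostname -f)
  net ads keytab add_update_ads "nfs/${fqdn}" -U Administrator
  if ! klist -k /etc/krb5.keytab | keytab_has_nfs_spn "$fqdn" "$realm"; then
    echo "nfs/${fqdn}@${realm} is missing from /etc/krb5.keytab" >&2
    return 1
  fi
  for d in $(daemons_for_role "$role"); do
    systemctl enable --now "$d"
  done
}

# Constructed sample of `klist -k /etc/krb5.keytab` on a host where both the
# join and the nfs/ SPN registration succeeded.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/centos8-test.example.com@EXAMPLE.COM
   2 host/CENTOS8-TEST@EXAMPLE.COM
   2 CENTOS8-TEST$@EXAMPLE.COM
   2 nfs/centos8-test.example.com@EXAMPLE.COM'

# Usage: ./nfs-spn.sh apply [auth|fileserver] [REALM]
if [ "${1:-}" = "apply" ]; then
  register_nfs_spn "${2:-auth}" "${3:-EXAMPLE.COM}"
fi
```

Run it with `apply auth EXAMPLE.COM` on each host after the join to cover Luc's "multiple machines" question; without arguments it only defines the functions, so the keytab check can be exercised offline by piping a saved `klist -k` listing into `keytab_has_nfs_spn`.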
________________________________
From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
Sent: Thursday 2 September 2021 22:22
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
Ok, figured it out... There was something missing in the 'join'.
If I did a 'kinit username' and typed in my password, I no longer had permission problems.
This time I did it using my trusty MSKTUTIL:
msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
Then I did a 'net ads join'... Everything works now ;-)
From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?
Also, with SSSD, I just needed the keytab file. I didn't need to run the 'net ads join'. Is there a way to automate this for multiple machines via a script?
On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
Hello again,
My mounts are working as described in my earlier posts...
However, I get 'permission denied' when I try to access my home directory.
Here's my config file:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind enum groups = Yes
winbind enum users = Yes
idmap config *:backend = tdb
idmap config *:range = 200-999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:unix_nss_info = yes
idmap config EXAMPLE:range = 1100-999999
idmap config EXAMPLE:unix_primary_group = yes
username map = /etc/samba/user.map
I think I'm almost there... Is there something missing with my ID mapping? Do you need to see my /etc/krb5.conf?
Thanks!
On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
Sent: Thursday 2 September 2021 16:40
To: samba at lists.samba.org
Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
Hello Louis,
I'm still getting all the info together but I think that you're right.
This directive on the client's configuration should make sure that unixHomeDirectory is properly passed along to AutoFS:
idmap config DOMAIN : unix_nss_info
I'm going to do some tests and get back to you!
Thank you!
I am getting lost here, I thought that autofs, when using NFS, could only mount what the NFS server is exporting and that is fixed, i.e. all users will use /path/to/usersdir from the NFS server. This means that you cannot use different paths for different users, or am I missing something?
If I read correctly what Luc showed.
Let's say I have as homedir: /usagers1/username
/usagers1/username Mounts on fs1.example.com:/&
If i change it to /usagers2/username i move to server2
/usagers2/username Mounts on fs2.example.com:/&
I've never used automount like that, but if it works, I'll document it.
So I'll wait for Luc's success message :-))
Where it often goes wrong is the missing SPNs, then a user can mount his homedir
The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
I can think of one way around this, but it doesn't involve unixhomedirectory or NFS
Always all ears and open to new ideas :-)
How would you do this?
Greetz,
Louis
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
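The per-server home-directory scheme Louis describes above (/usagers1/username mounting fs1.example.com:/&, /usagers2/username mounting fs2.example.com:/&), written out as autofs maps. This is an added example, not configuration from the thread: the map file names, the `--timeout` value, and `sec=krb5` are assumptions, and it presumes each file server exports the per-user directories directly under the export root, so that autofs's `&` (the matched key, here the username) becomes the server-side path. With `idmap config EXAMPLE:unix_nss_info = yes` winbind hands AD's unixHomeDirectory to NSS, so moving a user from fs1 to fs2 is a change of that attribute from /usagers1/username to /usagers2/username; and because the mounts use Kerberos, each file server needs its nfs/FQDN SPN, which is the missing piece the thread points at.

```text
# /etc/auto.master (added example; file names and timeout are assumptions)
/usagers1  /etc/auto.usagers1  --timeout=300
/usagers2  /etc/auto.usagers2  --timeout=300

# /etc/auto.usagers1
# '*' matches any key under /usagers1; '&' substitutes that key, so
# /usagers1/username mounts fs1.example.com:/username over NFSv4 with Kerberos
*  -fstype=nfs4,sec=krb5  fs1.example.com:/&

# /etc/auto.usagers2
# same wildcard map pointed at the second server
*  -fstype=nfs4,sec=krb5  fs2.example.com:/&
```

Check the result from the client with `getent passwd username` (the home field should read /usagers1/username or /usagers2/username) and then `ls /usagers1/username`, which triggers the mount; if it fails with permission denied, verify the nfs/ SPN on the server's keytab before looking at the idmap ranges.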