[Samba] Replacing SSSD with just WINBIND for NFSv4

L.P.H. van Belle belle at bazuin.nl
Fri Sep 3 07:28:03 UTC 2021


Hi Luc,

Great to hear it works now.
Small note. This:

> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose

is not really needed if you have just joined and added the SPN:

net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
This adds the NFS SPN to /etc/krb5.keytab and to the computer object in AD.

Do note, the way you did it above isn't wrong either.

> From what I read, I now need WINBINDD, SMBD, and NMBD started?   Or can I just have WINBIND?
Depends on how you use this server: if it's only for auth, winbind is sufficient; for file shares, also start smbd.
You don't need NMBD unless you want network browsing.
None of my servers have NMBD enabled, but I've also disabled network browsing on the Windows PCs.


Greetz,

Louis
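
Because the usual failure mode in this thread is a missing (or stale) nfs/ SPN, here is an added check, my own example and not code from the thread or from the Samba project, that parses the output of `klist -kte /etc/krb5.keytab` and reports whether the expected SPN is present, which enctypes it has, and whether its KVNO lags behind the newest key in the keytab (a symptom of a keytab written before a later join rotated the machine password). The klist output embedded below is constructed for the example; the hostname and realm reuse the thread's example names, and the list of "weak" enctypes is this check's own policy.

```python
import re

# Constructed sample of `klist -kte /etc/krb5.keytab` output (not taken from the
# thread). The nfs/ entries deliberately carry an older KVNO than the host/ and
# machine-account entries, to show what a stale keytab looks like.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/02/2021 16:10:33 host/centos8-test.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 09/02/2021 16:10:33 host/centos8-test.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 09/02/2021 16:10:33 host/centos8-test.example.com@EXAMPLE.COM (arcfour-hmac)
   2 09/02/2021 16:10:33 CENTOS8-TEST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 09/01/2021 11:02:07 nfs/centos8-test.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 09/01/2021 11:02:07 nfs/centos8-test.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# One keytab entry line: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Enctypes this check treats as weak (RC4 and DES family); policy of this
# example, not a Samba or MIT setting.
WEAK_ENCTYPES = ("arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1")


def nfs_spn(fqdn, realm):
    """Build the principal name winbind/NFS expect: nfs/<fqdn>@<REALM>."""
    return f"nfs/{fqdn.lower()}@{realm.upper()}"


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_spn(entries, spn):
    """Report presence, enctypes, weak enctypes and KVNO staleness for one SPN."""
    keys = [(kvno, enc) for kvno, princ, enc in entries if princ == spn]
    highest_kvno = max((kvno for kvno, _, _ in entries), default=None)
    return {
        "present": bool(keys),
        "enctypes": sorted(enc for _, enc in keys),
        "weak_enctypes": sorted(enc for _, enc in keys if enc in WEAK_ENCTYPES),
        # Stale if every key for this SPN is older than the newest key in the keytab.
        "stale_kvno": bool(keys) and max(kvno for kvno, _ in keys) < highest_kvno,
    }


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for spn in (nfs_spn("centos8-test.example.com", "EXAMPLE.COM"),
                "host/centos8-test.example.com@EXAMPLE.COM"):
        print(spn, check_spn(entries, spn))
```

On a real host, feed it `subprocess.run(["klist", "-kte", "/etc/krb5.keytab"], capture_output=True, text=True).stdout` instead of the sample; a `stale_kvno` of True is the cue to rerun `net ads keytab add_update_ads`, and a non-empty `weak_enctypes` means the computer account still has RC4/DES keys that you may want to disable on the AD side.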
 


________________________________

	From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca] 
	Sent: Thursday 2 September 2021 22:22
	To: L.P.H. van Belle; samba at lists.samba.org
	Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
	
	

	Ok, figured it out...  There was something missing in the 'join'.

	If I did a 'kinit username' and typed in my password, I no longer had permission problems.

	This time I did it using my trusty MSKTUTIL:
	

	msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose

	Then I did a 'net ads join'... Everything works now ;-)

	From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?
	

	Also, with SSSD, I just needed the keytab file. I didn't need to run the 'net ads join'. Is there a way to automate this for multiple machines via a script?

	
	

	On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
	

		Hello again, 
		
		My mounts are working as described in my earlier posts... 
		
		However, I get 'permission denied' when I try to access my home directory. 
		
		Here's my config file: 
		
		[global] 
		    workgroup = EXAMPLE 
		    realm = EXAMPLE.COM 
		    security = ADS 
		    kerberos method = secrets and keytab 
		
		    dedicated keytab file = /etc/krb5.keytab 
		    kerberos method = secrets and keytab 
		    winbind use default domain = yes 
		    winbind expand groups = 2 
		    winbind refresh tickets = Yes 
		    winbind enum groups = Yes 
		    winbind enum users = Yes 
		
		    idmap config *:backend = tdb 
		    idmap config *:range = 200-999 
		    idmap config EXAMPLE:backend = ad 
		    idmap config EXAMPLE:schema_mode = rfc2307 
		    idmap config EXAMPLE:unix_nss_info = yes 
		    idmap config EXAMPLE:range = 1100-999999 
		    idmap config EXAMPLE:unix_primary_group = yes 
		
		    username map = /etc/samba/user.map 
		
		I think I'm almost there... Is there something missing with my ID mapping?   Do you need to see my /etc/krb5.conf? 
		
		Thanks! 
		
		On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote: 
		

				-----Original message----- 
				From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
				Rowland Penny via samba 
				Sent: Thursday 2 September 2021 16:40 
				To: samba at lists.samba.org 
				Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4 
				
				On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote: 
				

					Hello Louis, 
					
					I'm still getting all the info together but I think that you're 
					right. 
					
					This directive on the client's configuration should make sure that 
					unixHomeDirectory is properly passed along to AutoFS: 
					
					

					idmap config DOMAIN : unix_nss_info
					

					I'm going to do some tests and get back to you! 
					
					Thank You!. 
					
					

				I am getting lost here, I thought that autofs, when using NFS, could 
				only mount what the NFS server is exporting and that is fixed i.e. all 
				users will use /path/to/usersdir from the NFS server. This means that 
				you cannot use different paths for different users, or am I missing 
				something ? 
				


			If I read correctly what Luc showed: 
			
			Let's say I have as homedir: /usagers1/username 
			/usagers1/username  Mounts on fs1.example.com:/& 
			
			If I change it to /usagers2/username, I move to server2: 
			/usagers2/username   Mounts on fs2.example.com:/& 
			
			I've never used automount like that, but if it works, I'll document it. 
			So I wait for Luc's success message :-)) 
			
			Where it often goes wrong is the missing SPNs, then a user can mount his homedir. 
			The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm). 
			
			
			

				I can think of one way around this, but it doesn't involve 
				unixhomedirectory or NFS 
				

			Always all ears and open for new ideas :-) 
			How would you do this? 
			
			
			Greetz, 
			
			Louis 
			
			
			
			 

	-- 
	Luc Lalonde, analyste
	-----------------------------
	Département de génie informatique:
	École polytechnique de MTL
	(514) 340-4711 x5049
	Luc.Lalonde at polymtl.ca
	-----------------------------
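
The [global] section Luc posted earlier in this thread is a good input for a second added check, again my own example rather than code from the thread or from Samba: it parses the section the way Samba reads it (keys case-insensitive, whitespace around the ':' in idmap config keys ignored), lists keys that appear more than once, collects every `idmap config DOMAIN:range`, and reports ranges that overlap, which the Samba idmap documentation says must never happen. The second config below, with deliberately overlapping ranges, is constructed to show the negative case. The check compares idmap ranges only against each other, not against local accounts in /etc/passwd.

```python
import re

# The [global] section posted in the thread, embedded here as input.
THREAD_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind enum groups = Yes
    winbind enum users = Yes

    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:unix_nss_info = yes
    idmap config EXAMPLE:range = 1100-999999
    idmap config EXAMPLE:unix_primary_group = yes

    username map = /etc/samba/user.map
"""

# Constructed counter-example (not from the thread): the default range and the
# domain range overlap between 5000 and 7999.
OVERLAP_SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 5000-99999
"""

RANGE_RE = re.compile(r"^idmap config (.+):range$")


def parse_global(text):
    """Return [(key, value), ...] for the [global] section, keys normalised
    like Samba: lower-cased, whitespace around ':' removed."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s*:\s*", ":", key.lower())
        pairs.append((key, value))
    return pairs


def duplicate_keys(pairs):
    """Keys set more than once; Samba keeps the last value, which is easy to miss."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def idmap_ranges(pairs):
    """Map idmap domain name ('*' for the default) to an (low, high) tuple."""
    ranges = {}
    for key, value in pairs:
        m = RANGE_RE.match(key)
        if m:
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges intersect."""
    names, bad = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def lint(text):
    pairs = parse_global(text)
    ranges = idmap_ranges(pairs)
    return {
        "duplicate_keys": duplicate_keys(pairs),
        "ranges": ranges,
        "overlaps": overlapping_ranges(ranges),
        "has_default_range": "*" in ranges,
    }


if __name__ == "__main__":
    print(lint(THREAD_SMB_CONF))
    print(lint(OVERLAP_SMB_CONF))
```

Run against `open("/etc/samba/smb.conf").read()` on the client; for Luc's config the ranges come back non-overlapping and the only finding is the twice-set `kerberos method`, while the constructed config is flagged for the `*`/EXAMPLE overlap.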




