[Samba] Replacing SSSD with just WINBIND for NFSv4

Luc Lalonde Luc.Lalonde at polymtl.ca
Wed Sep 8 16:55:27 UTC 2021


Hello Louis,

I have a new problem...  My Kerberos tickets are not getting renewed.   
So the user is not able to mount his home directory at login.

I saw similar discussions in the SAMBA archives that mention that 
pam_krb5 is no longer supported in RHEL8...

At Redhat, the documentation for RHEL8 is telling you to use SSSD:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory

https://access.redhat.com/solutions/4256011

Am I wasting my time trying to get authentication working via WINBIND 
only on RHEL8 systems?

Thank You!

On 2021-09-03 3:28 a.m., L.P.H. van Belle via samba wrote:
> Hai Luc,
>
> Great to hear it works now.
> Small note.. This,
>
>> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
> Is not really needed if you just joined and added the SPN.
>
> net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
> This adds the NFS SPN to /etc/krb5.keytab and in AD
>
> Do note, the way you did it above isn't wrong either.
>
>>  From what I read, I now need WINBINDD, SMBD, and NMBD started?   Or can I just have WINBIND?
> Depends on how you use this server: if it's only for auth, winbind is sufficient; for file shares, also start smbd.
> You don't need NMBD, unless you want network browsing.
> None of my servers have NMBD enabled, but I've also disabled network browsing in the Windows PCs.
>
>
> Greetz,
>
> Louis
>   
>
>
> ________________________________
>
> 	From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
> 	Sent: Thursday, 2 September 2021 22:22
> 	To: L.P.H. van Belle; samba at lists.samba.org
> 	Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
> 	
> 	
>
> 	Ok, figured it out...  There was something missing in the 'join'.
>
> 	If I did a 'kinit username' and typed in my password, I no longer had permission problems.
>
> 	This time I did it using my trusty MSKTUTIL:
> 	
>
> 	msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
>
> 	Then I did a 'net ads join'... Everything works now ;-)
>
> 	From what I read, I now need WINBINDD, SMBD, and NMBD started?   Or can I just have WINBIND?
> 	
>
> 	Also, with SSSD, I just needed the keytab file.   I didn't need to run the 'net ads join'.   Is there a way to automate this for multiple machines via a script?
>
> 	
> 	
>
> 	On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
> 	
>
> 		Hello again,
> 		
> 		My mounts are working as described in my earlier posts...
> 		
> 		However, I get 'permission denied' when I try to access my home directory.
> 		
> 		Here's my config file:
> 		
> 		[global]
> 		    workgroup = EXAMPLE
> 		    realm = EXAMPLE.COM
> 		    security = ADS
> 		    kerberos method = secrets and keytab
> 		
> 		    dedicated keytab file = /etc/krb5.keytab
> 		    kerberos method = secrets and keytab
> 		    winbind use default domain = yes
> 		    winbind expand groups = 2
> 		    winbind refresh tickets = Yes
> 		    winbind enum groups = Yes
> 		    winbind enum users = Yes
> 		
> 		    idmap config *:backend = tdb
> 		    idmap config *:range = 200-999
> 		    idmap config EXAMPLE:backend = ad
> 		    idmap config EXAMPLE:schema_mode = rfc2307
> 		    idmap config EXAMPLE:unix_nss_info = yes
> 		    idmap config EXAMPLE:range = 1100-999999
> 		    idmap config EXAMPLE:unix_primary_group = yes
> 		
> 		    username map = /etc/samba/user.map
> 		
> 		I think I'm almost there... Is there something missing with my ID mapping?   Do you need to see my /etc/krb5.conf?
> 		
> 		Thanks!
> 		
> 		On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
> 		
>
> 				-----Original message-----
> 				From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> 				Rowland Penny via samba
> 				Sent: Thursday, 2 September 2021 16:40
> 				To: samba at lists.samba.org
> 				Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
> 				
> 				On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
> 				
>
> 					Hello Louis,
> 					
> 					I'm still getting all the info together but I think that you're
> 					right.
> 					
> 					This directive on the client's configuration should make sure that
> 					unixHomeDirectory is properly passed along to AutoFS:
> 					
> 					
>
> 					idmap config DOMAIN : unix_nss_info
> 					
>
> 					I'm going to do some tests and get back to you!
> 					
> 					Thank You!
> 					
> 					
>
> 				I am getting lost here, I thought that autofs, when using NFS, could
> 				only mount what the NFS server is exporting and that is fixed i.e. all
> 				users will use /path/to/usersdir from the NFS server. This means that
> 				you cannot use different paths for different users, or am I missing
> 				something?
> 				
>
>
> 			If I read correctly what Luc showed:
> 			
> 			Let's say I have as homedir: /usagers1/username
> 			/usagers1/username  mounts on fs1.example.com:/&
> 			
> 			If I change it to /usagers2/username, I move to server2
> 			/usagers2/username   mounts on fs2.example.com:/&
> 			
> 			I've never used automount like that, but if it works, I'll document it.
> 			So I'll wait for Luc's success message :-))
> 			
> 			Where it often goes wrong is the missing SPNs, then a user can mount his homedir
> 			The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
> 			
> 			
> 			
>
> 				I can think of one way around this, but it doesn't involve
> 				unixhomedirectory or NFS
> 				
>
> 			Always all ears and open for new ideas :-)
> 			How would you do this?
> 			
> 			
> 			Greetz,
> 			
> 			Louis
> 			
> 			
> 			
> 			
>
> 	--
> 	Luc Lalonde, analyste
> 	-----------------------------
> 	Département de génie informatique:
> 	École polytechnique de MTL
> 	(514) 340-4711 x5049
> 	Luc.Lalonde at polymtl.ca
> 	-----------------------------
>
>
>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
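As an added example (not from this thread, and not Samba's own tooling), a small Python pre-flight check for the winbind-only NFSv4 setup discussed above: it parses the [global] settings from the posted smb.conf, verifies that the idmap ranges do not overlap, that `winbind refresh tickets` is on (the ticket-renewal problem raised at the top), and that the nfs/<fqdn> SPN Louis mentions is actually present in a `klist -kte` listing. The host name centos8-test.example.com, the trimmed smb.conf and the klist output are constructed samples.

```python
import itertools, re
# Constructed sample, adapted from the smb.conf posted earlier in the thread.
SMB_CONF = """[global]
    realm = EXAMPLE.COM
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = Yes
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:range = 1100-999999
"""
# Constructed `klist -kte` output (hypothetical host): host/ SPN present, nfs/ SPN missing.
KLIST_KTE = """\
   2 09/02/21 22:20:01 CENTOS8-TEST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 09/02/21 22:20:01 host/centos8-test.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

def parse_global(conf):
    """Return {key: value} for [global]; keys lower-cased, spaces around ':' dropped."""
    params, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in '#;': continue
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[re.sub(r'\s*:\s*', ':', key.strip().lower())] = value.strip()
    return params

def idmap_ranges(params):
    """Map idmap domain name -> (low, high) from the 'idmap config X:range' keys."""
    return {m.group(1): tuple(int(x) for x in v.split('-'))
            for k, v in params.items() if (m := re.fullmatch(r'idmap config (.+):range', k))}

def check_setup(conf, klist_output, fqdn, realm):
    """Return the problems found; an empty list means every check passed."""
    problems, params = [], parse_global(conf)
    ranges = idmap_ranges(params)
    for a, b in itertools.combinations(sorted(ranges), 2):   # ranges must be disjoint
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            problems.append(f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    if params.get('winbind refresh tickets', 'no').lower() not in ('yes', 'true', '1'):
        problems.append("winbind refresh tickets is off: user TGTs expire instead of being renewed")
    spn = f"nfs/{fqdn}@{realm}"              # the SPN the NFSv4 client needs in its keytab
    if not any(spn.lower() in line.lower() for line in klist_output.splitlines()):
        problems.append(f"keytab has no {spn} entry; run: net ads keytab add_update_ads nfs/{fqdn} -U Administrator")
    return problems
```

Renewal by winbind still requires the user's TGT to be renewable in the first place, so a non-zero renewable lifetime in the KDC policy and krb5.conf is the other thing to verify when tickets keep expiring.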
