[Samba] Replacing SSSD with just WINBIND for NFSv4
Luc Lalonde
Luc.Lalonde at polymtl.ca
Wed Sep 8 16:55:27 UTC 2021
Hello Louis,
I have a new problem... My kerberos tickets are not getting renewed.
So the user is not able to mount his home directory at login.
I saw similar discussions in the SAMBA archives that mention that
pam_krb5 is no longer supported in RHEL8...
At Redhat, the documentation for RHEL8 is telling you to use SSSD:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory
https://access.redhat.com/solutions/4256011
Am I wasting my time trying to get authentication working via WINBIND
only on RHEL8 systems?
Thank You!
On 2021-09-03 3:28 a.m., L.P.H. van Belle via samba wrote:
> Hai Luc,
>
> Great to hear it works now.
> Small note.. This,
>
>> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
> Is not really needed if you just joined and added the SPN.
>
> net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
> This adds the NFS SPN to /etc/krb5.keytab and in AD
>
> Do note, the way you did it above isn't wrong either.
>
>> From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?
> Depends how you use this server: if it's only for auth, winbind is sufficient; for fileshares, also start smbd.
> You don't need NMBD, unless you want network browsing.
> None of my servers have NMBD enabled, but I've also disabled network browsing on the Windows PCs.
>
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
> From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
> Sent: Thursday, 2 September 2021 22:22
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>
>
>
> Ok, figured it out... There was something missing in the 'join'.
>
> If I did a 'kinit username' and typed in my password, I no longer had permission problems.
>
> This time I did it using my trusty MSKTUTIL:
>
>
> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose
>
> Then I did a 'net ads join'... Everything works now ;-)
>
> From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?
>
>
> Also, with SSSD, I just needed the keytab file. I didn't need to run the 'net ads join'. Is there a way to automate this for multiple machines via a script?
>
>
>
>
> On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
>
>
> Hello again,
>
> My mounts are working as described in my earlier posts...
>
> However, I get 'permission denied' when I try to access my home directory.
>
> Here's my config file:
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> security = ADS
> kerberos method = secrets and keytab
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
>
> idmap config *:backend = tdb
> idmap config *:range = 200-999
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:unix_nss_info = yes
> idmap config EXAMPLE:range = 1100-999999
> idmap config EXAMPLE:unix_primary_group = yes
>
> username map = /etc/samba/user.map
>
> I think I'm almost there... Is there something missing with my ID mapping? Do you need to see my /etc/krb5.conf?
>
> Thanks!
>
> On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
>
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday, 2 September 2021 16:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>
> On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
>
>
> Hello Louis,
>
> I'm still getting all the info together but I think that you're
> right.
>
> This directive on the client's configuration should make sure that
> unixHomeDirectory is properly passed along to AutoFS:
>
>
>
> idmap config DOMAIN : unix_nss_info
>
>
> I'm going to do some tests and get back to you!
>
> Thank You!
>
>
>
> I am getting lost here, I thought that autofs, when using NFS, could
> only mount what the NFS server is exporting and that is fixed i.e. all
> users will use /path/to/usersdir from the NFS server. This means that
> you cannot use different paths for different users, or am I missing
> something ?
>
>
>
> If I read correctly what Luc showed:
>
> Let's say I have as homedir: /usagers1/username
> /usagers1/username Mounts on fs1.example.com:/&
>
> If I change it to /usagers2/username I move to server2
> /usagers2/username Mounts on fs2.example.com:/&
>
> I never used automount like that, but if it works, I'll document it.
> So I wait for Luc's success message :-))
>
> Where it often goes wrong is the missing SPNs, then a user can mount his homedir
> The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
>
>
>
>
> I can think of one way around this, but it doesn't involve
> unixhomedirectory or NFS
>
>
> Always ears and open for new ideas :-)
> How would you do this?
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> --
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
>
>
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
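As an added example (not code from the thread or from Samba): a small POSIX sh check for two of the things this thread turns on, a [global] section without repeated parameters (and with ticket refresh on) and an nfs/ SPN present in the keytab. The smb.conf excerpt and the `klist -k` listing are constructed, and `dup_params`, `param_is` and `keytab_has_spn` are names chosen here.

```shell
# Added example, not from the thread: lint an smb.conf [global] section for
# repeated parameters, then check a `klist -k` listing for the nfs/ SPN.

# Constructed smb.conf excerpt, deliberately repeating "kerberos method".
SMB_CONF=$(cat <<'EOF'
[global]
realm = EXAMPLE.COM
security = ADS
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
idmap config EXAMPLE:backend = ad
EOF
)

# Constructed `klist -k /etc/krb5.keytab` output for the host in the thread.
KEYTAB_LIST=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 CENTOS8-TEST$@EXAMPLE.COM
   2 host/centos8-test.example.com@EXAMPLE.COM
   2 nfs/centos8-test.example.com@EXAMPLE.COM
EOF
)

# Print each parameter name that occurs more than once in [global].
dup_params() {
    printf '%s\n' "$1" | sed -n '/^\[global\]/,/^\[/p' | grep '=' \
        | sed 's/[[:space:]]*=.*//; s/[[:space:]][[:space:]]*/ /g' \
        | sort | uniq -d
}

# Succeed only if parameter $2 is set to value $3 (case-insensitive).
param_is() {
    printf '%s\n' "$1" \
        | grep -iq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$"
}

# Succeed only if the keytab listing holds a key for principal $2.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit !found }'
}

# Stand-alone run: report the findings a practitioner would look for.
dup_params "$SMB_CONF" | sed 's/^/duplicate parameter: /'
param_is "$SMB_CONF" "winbind refresh tickets" "yes" || echo "ticket refresh is off"
keytab_has_spn "$KEYTAB_LIST" "nfs/centos8-test.example.com@EXAMPLE.COM" \
    || echo "nfs/ SPN missing from keytab"
```

Point the functions at `cat /etc/samba/smb.conf` and `klist -k /etc/krb5.keytab` output on a real client to run the same checks there.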