[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Luc Lalonde luc.lalonde at polymtl.ca
Thu Jan 13 18:30:32 UTC 2022


While we wait for RedHat to get their stuff in order wrt Winbind, here's 
my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help someone:


########/etc/krb5.conf ##############

[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
example.com = {
   default_domain = example.com
   kdc=dc1.example.com
   kdc=dc2.example.com
   admin_server=dc1.example.com
}

[domain_realm]
example.com = example.com
.dgi.polymtl.ca = example.com
dgi.polymtl.ca = example.com
.example.com = example.com

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 10h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
   validate = true
}
####################################


########/etc/sssd/sssd.conf#########

[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
debug_level = 9

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]

[autofs]

[ssh]

[domain/example.com]
ldap_referrals = false
enumerate = false
cache_credentials = true

id_provider = ldap
access_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_default_authtok_type = password
ldap_sasl_mech = GSSAPI

ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_group_object_class = group

ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

auth_provider = krb5
chpass_provider = krb5
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
krb5_auth_timeout = 15
krb5_canonicalize = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 15

cache_credentials = True
####################################

On 1/13/22 13:05, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working on it
> 2. We'll continue to support you if you choose this configuration
> 3. We're not ready to offer a working supported alternative yet, again,
>    we're working on it
>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>
> Perhaps I'm missing something, but the latest Redhat documentation 
> continues to push SSSD + Winbind as the way to go:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel 
>
>
> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but 
> we're not quite there yet!
>
> On 1/13/22 10:47, Rowland Penny via samba wrote:
>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>> Hello Rowland,
>>>
>>> I've read the article mentioned below...  and I don't see how it
>>> could
>>> be interpreted as a 'non-recommendation'.
>> Did you miss this under 'Support status':
>>
>> [quote]
>> Therefore Red Hat currently does not recommend using the idmap_sss
>> module for Samba file server enrolled into an IdM or AD domain.
>> [/quote]
>>
>> They only provide limited support if you use sssd with Samba and only
>> then if it is an existing setup.
>>
>> I cannot see any other definition of 'does not recommend' other than
>> 'do not use it'
>>
>> Rowland
>>
>>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
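
As an added example (not part of the post above, and not code from Samba, SSSD or Red Hat), here is a small lint that parses krb5.conf- and sssd.conf-style files and flags the settings in the posted configuration that a defender would want to review before copying it: `allow_weak_crypto = true` in `[libdefaults]`, `ldap_tls_reqcert = never` in the domain section, and keys that are set twice in one section (`cache_credentials` and `ldap_group_object_class` both appear twice in the posted sssd.conf). The sample inputs are constructed, trimmed copies of the posted files; the parser handles the brace blocks krb5.conf uses under `[realms]` and `[appdefaults]` only well enough for these checks.

```python
"""Lint sssd.conf / krb5.conf fragments for settings worth a second look.

Added example, not from the mailing-list post; the sample configs below are
constructed, trimmed copies of the settings the post shows.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the posted krb5.conf.
KRB5_SAMPLE = """\
[libdefaults]
default_realm = example.com
allow_weak_crypto = true

[realms]
example.com = {
   kdc=dc1.example.com
   kdc=dc2.example.com
}
"""

# Constructed sample: the relevant lines from the posted sssd.conf,
# including the keys that are set twice.
SSSD_SAMPLE = """\
[sssd]
domains = example.com
debug_level = 9

[domain/example.com]
cache_credentials = true
id_provider = ldap
ldap_tls_reqcert = never
ldap_group_object_class = group
ldap_group_object_class = group
cache_credentials = True
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {section: [(key, value), ...]}, preserving duplicate keys.

    Lines inside a krb5.conf brace block ("name = { ... }") are skipped,
    which is enough for the checks below; top-level key = value lines in
    every section are kept in file order.
    """
    sections = defaultdict(list)
    section, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if depth > 0:                          # inside a { } block
            depth += line.count("{") - line.count("}")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.endswith("{"):                 # start of a brace block
            depth = 1
            continue
        m = KV_RE.match(line)
        if m and section is not None:
            sections[section].append((m.group(1), m.group(2)))
    return dict(sections)


def lint_krb5(text):
    """Flag weak-crypto opt-in in [libdefaults]."""
    findings = []
    for key, value in parse_ini(text).get("libdefaults", []):
        if key == "allow_weak_crypto" and value.lower() == "true":
            findings.append("libdefaults: allow_weak_crypto=true re-enables "
                            "deprecated enctypes for all tickets")
    return findings


def lint_sssd(text):
    """Flag duplicate keys and disabled LDAP certificate validation."""
    findings = []
    for section, pairs in parse_ini(text).items():
        seen = defaultdict(list)
        for key, value in pairs:
            seen[key].append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append(f"{section}: {key} is set {len(values)} times "
                                f"(values {values}); keep one")
        if section.startswith("domain/"):
            reqcert = seen.get("ldap_tls_reqcert", [""])[-1].lower()
            if reqcert == "never":
                findings.append(f"{section}: ldap_tls_reqcert=never skips LDAP "
                                "server certificate validation")
    return findings


if __name__ == "__main__":
    for finding in lint_krb5(KRB5_SAMPLE) + lint_sssd(SSSD_SAMPLE):
        print(finding)
```

Run it against the real files with `lint_krb5(open("/etc/krb5.conf").read())` and `lint_sssd(open("/etc/sssd/sssd.conf").read())`; the duplicate-key check matters because SSSD keeps one value per key and the file gives no hint which copy is in effect.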