[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Luc Lalonde luc.lalonde at polymtl.ca
Thu Jan 13 18:53:03 UTC 2022


Also forgot to mention, for this configuration to work, your client 
needs to be joined to the domain (net ads join...) :


########/etc/samba/smb.conf ###

[global]
   workgroup = Example
   realm = example.com
   netbios name = clientname
   security = ADS
   password server = dc1.example.com, dc2.example.com
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   dedicated keytab file = /etc/krb5.keytab

##############################

########/etc/idmapd.conf ###
[General]
Domain = GIGL.POLYMTL.CA

[Mapping]
Nobody-User = rpcuser
Nobody-Group = rpcuser

##############################


This will give you a 'supported' single-domain configuration by Redhat 
(https://access.redhat.com/articles/4355391).   In the 'There are a few 
exceptions though':

  * In cases where Red Hat Enterprise Linux 7.x or 8.0 is used and where
    Samba/Winbind has already been configured to use the idmap_sss
    module and where the setup works as expected, Red Hat would still
    provide support for a single domain (e.g, Samba file server machine
    is enrolled in AD.COM and all users who want to access the Samba
    share are managed in this domain).
  * In a later release, Red Hat will also provide support for Samba file
    server on directly enrolled Active Directory member systems.

They're really, really not ready yet ;-)   That document was updated on 
June 1st, 2021.

If you want to use only Winbind, use Debian...  That's my conclusion 
unfortunately!

On 1/13/22 13:30, Luc Lalonde via samba wrote:
> While we wait for RedHat to get their stuff in order wrt Winbind, 
> here's my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help 
> someone:
>
>
> ########/etc/krb5.conf ##############
>
> [logging]
> default = SYSLOG:INFO:DAEMON
> kdc = SYSLOG:INFO:DAEMON
> admin_server = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> default_realm = example.com
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 10h
> renew_lifetime = 7d
> forwardable = true
> allow_weak_crypto = true
>
> [realms]
> example.com = {
>   default_domain = example.com
>   kdc=dc1.example.com
>   kdc=dc2.example.com
>   admin_server=dc1.example.com
> }
>
> [domain_realm]
> example.com = example.com
> .dgi.polymtl.ca = example.com
> dgi.polymtl.ca = example.com
> .example.com = example.com
>
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 10h
>   renew_lifetime = 7d
>   forwardable = true
>   krb4_convert = false
>   validate = true
> }
> ####################################
>
>
> ########/etc/sssd/sssd.conf#########
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = example.com
> debug_level = 9
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [domain/example.com]
> ldap_referrals = false
> enumerate = false
> cache_credentials = true
>
> id_provider = ldap
> access_provider = ldap
> ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
> ldap_search_base = dc=example,dc=com
> ldap_tls_reqcert = never
> ldap_default_authtok_type = password
> ldap_sasl_mech = GSSAPI
>
> ldap_user_search_base = dc=example,dc=com
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_schema = rfc2307bis
> ldap_user_fullname = displayName
> ldap_user_name = sAMAccountName
> ldap_group_object_class = group
>
> ldap_group_search_base = ou=Groups,dc=example,dc=com
> ldap_group_object_class = group
>
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
>
> auth_provider = krb5
> chpass_provider = krb5
> krb5_realm = example.com
> krb5_server = dc1.example.com,dc2.example.com
> krb5_auth_timeout = 15
> krb5_canonicalize = false
> krb5_lifetime = 10h
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 15
>
> cache_credentials = True
> ####################################
>
> On 1/13/22 13:05, Luc Lalonde via samba wrote:
>> No I read that!
>>
>> To me it says:
>>
>> 1. We know that there are issues with using SSSD and we're working on it
>> 2. We'll continue to support you if you choose this configuration
>> 3. We're not ready to offer a working supported alternative yet, again,
>>    we're working on it
>>
>> In my experience, RHEL7 works well with standalone Winbind.
>>
>> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>>
>> Perhaps I'm missing something, but the latest Redhat documentation 
>> continues to push SSSD + Winbind as the way to go:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel 
>>
>>
>> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but 
>> we're not quite there yet!
>>
>> On 1/13/22 10:47, Rowland Penny via samba wrote:
>>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>>> Hello Rowland,
>>>>
>>>> I've read the article mentioned below...  and I don't see how it
>>>> could be interpreted as a 'non-recommendation'.
>>> Did you miss this under 'Support status':
>>>
>>> [quote]
>>> Therefore Red Hat currently does not recommend using the idmap_sss
>>> module for Samba file server enrolled into an IdM or AD domain.
>>> [/quote]
>>>
>>> They only provide limited support if you use sssd with Samba and only
>>> then if it is an existing setup.
>>>
>>> I cannot see any other definition of 'does not recommend' other than
>>> 'do not use it'
>>>
>>> Rowland
>>>
>>>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
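Added example (not code from the thread, from Samba or from SSSD): a small audit script that parses the kind of smb.conf / sssd.conf / krb5.conf posted above and flags the two settings a reviewer would stop on, `allow_weak_crypto = true` and `ldap_tls_reqcert = never`, then shows the same excerpts with those knobs corrected. The rule list is my own and deliberately short, the file excerpts are constructed from the thread's configs, and the CA bundle path in the hardened variant is a hypothetical placeholder.

```python
"""Audit client-side Kerberos/SSSD/Samba configs for weak settings.

Added example for this thread, not code from the original posts or from
the Samba/SSSD projects. The parser is a small line scanner that is good
enough for smb.conf, sssd.conf and krb5.conf; the rule list is my own.
The file contents below are excerpts constructed from the posted configs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_. -]+?)\s*=\s*(.*)$")


def parse_ini(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {key: [values]}}.

    krb5.conf realm blocks ('example.com = {' ... '}') are flattened into
    the enclosing section, and repeated keys (two 'kdc=' lines) are kept
    as a list. Comment lines (# or ;) and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if value != "{":  # skip the subsection opener itself
                sections[current].setdefault(key, []).append(value)
    return sections


@dataclass(frozen=True)
class Finding:
    path: str
    section: str
    key: str
    value: str
    why: str


def _truthy(v: str) -> bool:
    return v.lower() in ("true", "yes", "1", "on")


# (file name the rule applies to, section test, key, value test, message)
RULES = [
    ("krb5.conf", lambda s: s == "libdefaults", "allow_weak_crypto", _truthy,
     "permits single-DES and other weak enctypes; remove it or set false"),
    ("sssd.conf", lambda s: s.startswith("domain/"), "ldap_tls_reqcert",
     lambda v: v.lower() in ("never", "allow"),
     "LDAP server certificate is not checked; use 'demand' plus ldap_tls_cacert"),
    ("smb.conf", lambda s: s == "global", "client signing",
     lambda v: v.lower() in ("no", "false", "0", "off", "disabled"),
     "SMB signing disabled on the client side; set 'mandatory'"),
]


def audit(files: Dict[str, str]) -> List[Finding]:
    """Run RULES over {path: contents}; findings come back in file/rule order."""
    findings: List[Finding] = []
    for path, text in files.items():
        cfg = parse_ini(text)
        for fname, sec_ok, key, bad, why in RULES:
            if not path.endswith(fname):
                continue
            for section, kv in cfg.items():
                if sec_ok(section):
                    for value in kv.get(key, []):
                        if bad(value):
                            findings.append(Finding(path, section, key, value, why))
    return findings


# Constructed excerpts of the configs posted in the thread.
KRB5_POSTED = """\
[libdefaults]
default_realm = example.com
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = true

[realms]
example.com = {
  kdc=dc1.example.com
  kdc=dc2.example.com
  admin_server=dc1.example.com
}
"""

SSSD_POSTED = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_tls_reqcert = never
ldap_sasl_mech = GSSAPI
auth_provider = krb5
"""

SMB_POSTED = """\
[global]
   workgroup = Example
   realm = example.com
   security = ADS
   client signing = yes
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
"""

# Same files with the two weak knobs corrected (the CA path is hypothetical).
KRB5_HARDENED = KRB5_POSTED.replace("allow_weak_crypto = true\n", "")
SSSD_HARDENED = SSSD_POSTED.replace(
    "ldap_tls_reqcert = never",
    "ldap_tls_reqcert = demand\nldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem")


def audit_posted() -> List[Finding]:
    return audit({"/etc/krb5.conf": KRB5_POSTED,
                  "/etc/sssd/sssd.conf": SSSD_POSTED,
                  "/etc/samba/smb.conf": SMB_POSTED})


def audit_hardened() -> List[Finding]:
    return audit({"/etc/krb5.conf": KRB5_HARDENED,
                  "/etc/sssd/sssd.conf": SSSD_HARDENED,
                  "/etc/samba/smb.conf": SMB_POSTED})


if __name__ == "__main__":
    for f in audit_posted():
        print(f"{f.path} [{f.section}] {f.key} = {f.value}: {f.why}")
    print("hardened:", audit_hardened())
```

One caveat on the second rule: in the posted sssd.conf the directory traffic goes over plain ldap:// with SASL/GSSAPI, so the TLS certificate setting is not exercised at all and the protection comes from the GSSAPI layer. Leaving `ldap_tls_reqcert = never` in place still matters, because the day someone switches the URI to ldaps:// or enables StartTLS the DC certificate will be accepted unchecked without any further change.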

