[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Luc Lalonde
luc.lalonde at polymtl.ca
Thu Jan 13 19:19:17 UTC 2022
Oops, forgot to sanitize the second configuration file:
########/etc/idmapd.conf ###
[General]
Domain = example.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
##############################
On 1/13/22 13:53, Luc Lalonde via samba wrote:
> Also forgot to mention, for this configuration to work, your client
> needs to be joined to the domain (net ads join...) :
>
>
> ########/etc/samba/smb.conf ###
>
> [global]
> workgroup = Example
> realm = example.com
> netbios name = clientname
> security = ADS
> password server = dc1.example.com, dc2.example.com
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> dedicated keytab file = /etc/krb5.keytab
>
> ##############################
>
> ########/etc/idmapd.conf ###
> [General]
> Domain = GIGL.POLYMTL.CA
>
> [Mapping]
> Nobody-User = rpcuser
> Nobody-Group = rpcuser
>
> ##############################
>
>
> This will give you a 'supported' single-domain configuration by Redhat
> (https://access.redhat.com/articles/4355391). In the 'There are a
> few exceptions though':
>
> * In cases where Red Hat Enterprise Linux 7.x or 8.0 is used and where
> Samba/Winbind has already been configured to use the |idmap_sss|
> module and where the setup works as expected, Red Hat would still
> provide support for a single domain (e.g, Samba file server machine
> is enrolled in AD.COM and all users who want to access the Samba
> share are managed in this domain).
> * In a later release, Red Hat will also provide support for Samba file
> server on directly enrolled Active Directory member systems.
>
> They're really, really not ready yet ;-) That document was updated
> on June 1st, 2021.
>
> If you want to use only Winbind, use Debian... That's my conclusion
> unfortunately!
>
> On 1/13/22 13:30, Luc Lalonde via samba wrote:
>> While we wait for RedHat to get their stuff in order wrt Winbind,
>> here's my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help
>> someone:
>>
>>
>> ########/etc/krb5.conf ##############
>>
>> [logging]
>> default = SYSLOG:INFO:DAEMON
>> kdc = SYSLOG:INFO:DAEMON
>> admin_server = SYSLOG:INFO:DAEMON
>>
>> [libdefaults]
>> default_realm = example.com
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 10h
>> renew_lifetime = 7d
>> forwardable = true
>> allow_weak_crypto = true
>>
>> [realms]
>> example.com = {
>> default_domain = example.com
>> kdc=dc1.example.com
>> kdc=dc2.example.com
>> admin_server=dc1.example.com
>> }
>>
>> [domain_realm]
>> example.com = example.com
>> .dgi.polymtl.ca = example.com
>> dgi.polymtl.ca = example.com
>> .example.com = example.com
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 10h
>> renew_lifetime = 7d
>> forwardable = true
>> krb4_convert = false
>> validate = true
>> }
>> ####################################
>>
>>
>> ########/etc/sssd/sssd.conf#########
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = example.com
>> debug_level = 9
>>
>> [nss]
>> filter_groups = root
>> filter_users = root
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [domain/example.com]
>> ldap_referrals = false
>> enumerate = false
>> cache_credentials = true
>>
>> id_provider = ldap
>> access_provider = ldap
>> ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
>> ldap_search_base = dc=example,dc=com
>> ldap_tls_reqcert = never
>> ldap_default_authtok_type = password
>> ldap_sasl_mech = GSSAPI
>>
>> ldap_user_search_base = dc=example,dc=com
>> ldap_user_object_class = user
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_principal = userPrincipalName
>> ldap_schema = rfc2307bis
>> ldap_user_fullname = displayName
>> ldap_user_name = sAMAccountName
>> ldap_group_object_class = group
>>
>> ldap_group_search_base = ou=Groups,dc=example,dc=com
>> ldap_group_object_class = group
>>
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>> ldap_force_upper_case_realm = true
>>
>> auth_provider = krb5
>> chpass_provider = krb5
>> krb5_realm = example.com
>> krb5_server = dc1.example.com,dc2.example.com
>> krb5_auth_timeout = 15
>> krb5_canonicalize = false
>> krb5_lifetime = 10h
>> krb5_renewable_lifetime = 7d
>> krb5_renew_interval = 15
>>
>> cache_credentials = True
>> ####################################
>>
>> On 1/13/22 13:05, Luc Lalonde via samba wrote:
>>> No I read that!
>>>
>>> To me it says:
>>>
>>> 1. We know that there are issues with using SSSD and we're working
>>> on it
>>> 2. We'll continue to support you if you choose this configuration
>>> 3. We're not ready to offer a working supported alternative yet, again,
>>> we're working on it
>>>
>>> In my experience, RHEL7 works well with standalone Winbind.
>>>
>>> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>>>
>>> Perhaps I'm missing something, but the latest Redhat documentation
>>> continues to push SSSD + Winbind as the way to go:
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel
>>>
>>>
>>> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
>>> we're not quite there yet!
>>>
>>> On 1/13/22 10:47, Rowland Penny via samba wrote:
>>>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>>>> Hello Rowland,
>>>>>
>>>>> I've read the article mentioned below... and I don't see how it
>>>>> could be interpreted as a 'non-recommendation'.
>>>> Did you miss this under 'Support status':
>>>>
>>>> [quote]
>>>> Therefore Red Hat currently does not recommend using the idmap_sss
>>>> module for Samba file server enrolled into an IdM or AD domain.
>>>> [/quote]
>>>>
>>>> They only provide limited support if you use sssd with Samba and only
>>>> then if it is an existing setup.
>>>>
>>>> I cannot see any other definition of 'does not recommend' other than
>>>> 'do not use it'
>>>>
>>>> Rowland
>>>>
>>>>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
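As an added example (not from this thread and not from the Samba or SSSD projects), a small Python audit that parses config fragments shaped like the sssd.conf and krb5.conf posted above and flags the settings a defender would question: ldap_tls_reqcert = never, allow_weak_crypto = true, debug_level = 9 and keys repeated within a section. The embedded fragments are constructed from the thread's values; the section and key names are the real SSSD and MIT Kerberos ones.

```python
from typing import Dict, List, Tuple

# Constructed excerpts modelled on the thread's sssd.conf and krb5.conf (assumption).
SSSD_CONF = """[sssd]
debug_level = 9
[domain/example.com]
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_tls_reqcert = never
cache_credentials = true
cache_credentials = True"""
KRB5_CONF = """[libdefaults]
allow_weak_crypto = true
[realms]
example.com = {
 kdc=dc1.example.com
}"""

def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal key=value parser; krb5 '{ }' sub-blocks fold into their section."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip() != "{":  # 'realm = {' only opens a block
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections

def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, reason) for each setting that weakens the setup."""
    findings = []
    for section, items in parse_ini(text).items():
        seen = set()
        for key, value in items:
            v = value.lower()
            if key in seen:
                findings.append((section, key, "duplicate key; the last value silently wins"))
            seen.add(key)
            if key == "ldap_tls_reqcert" and v == "never":
                findings.append((section, key, "LDAP server certificate not validated; use 'demand'"))
            elif key == "allow_weak_crypto" and v == "true":
                findings.append((section, key, "re-enables weak Kerberos enctypes such as single DES"))
            elif key == "debug_level" and v.isdigit() and int(v) >= 7:
                findings.append((section, key, "verbose debug logging left on; lower for production"))
    return findings
```

Point audit() at the text of a real /etc/sssd/sssd.conf or /etc/krb5.conf to get the same list for a host; a clean file returns an empty list.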