Hi everyone,

I have a samba DC, let's call it dc1.ad.example.com.

I have two members of the domain - server1.ad.example.com and server2.ad.example.com. They are not running smbd and winbind. Instead, they are running SSSD with AD backend.

I want to create an NFSv4 export on server1.ad.example.com and mount it on server2.ad.example.com (say, sec=krb5).

I found some instructions online from 2015 that said:

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

It's not clear to me why the "nfs-myserver" user is created. Doesn't the spn apply to a host, and not a user?

Since I'm not running smbd/winbind on the two servers, would I still create the keytab entries for nfs/server1.ad.example.com and SERVER2$ using the above instructions with samba-tool on DC1? (Because it looks like I can't use the -H ldap://dc1.ad.example.com syntax to export the keytab from the server; -H is not a recognized option.)

As far as I understand, Samba is running its own Kerberos implementation. Will the OS Kerberos on server1 and server2 (CentOS 7.8) be compatible with the Samba Kerberos?

I like the simplicity of SSSD on the client. Can I somehow use a combination of Samba Kerberos on the client *with* SSSD and not use winbind?

If anyone has done this before using SSSD, and can pass along the proper syntax, that would be greatly appreciated.

Thanks!

Jason.
On 24/07/2020 03:42, Jason Keltz via samba wrote:
> Hi everyone,
>
> I have a samba DC, let's call it dc1.ad.example.com.
>
> I have two members of the domain - server1.ad.example.com and server2.ad.example.com. They are not running smbd and winbind. Instead, they are running SSSD with AD backend.

Sorry Jason, wrong mailing list, we do not produce sssd, so cannot support it, because we know very little about it. I suggest you try the sssd-users mailing list.

If you want to use Samba instead, I am more than willing to help you with this, it is very easy and there is the bonus of being able to share files.

Rowland
Depending on the OS.

Below is tested/in production since samba 4.9.x and debian stretch.
Currently running buster with samba 4.12.5 with samba and AD-Backends.
All users have a UID assigned, and "Domain Users".

This is really easy on any setup with systemd systems with samba and winbind.

I'll show how easy this is for any debian/ubuntu related system but using systemd, maybe you can use it.
Only, I'll show you the option with winbind, not sssd, and automounting the user homedir at logon.

# You need this if you want the same setup/Homedir for all servers, AD-DC and Members.
# (! incl the server sharing the nfs export )
#
# This is the running setup in my production network.
# The real (samba) folder user=/home/samba/users = samba shared as \\server.fqdn\users
# ADUC creates the users folders with : \\server.fqdn\users\%username% set in ADUC.

# Samba users folder = /home/samba/users
# Needed for NFS exports, a mount bind to = /exports/users
# Needed for linux logins on the other servers than the one where the NFS server runs
# And
# mount bind to = /home/users
# Only needed for linux logins on the same server where the NFS server runs
# so all servers most probably.
#
# Automounter enabled for /home/users on all servers
# Now, you can login everywhere and have /home/users available on all servers.
# Same on all servers.

What's needed, I installed:
NFS Server: apt install samba winbind acl xattr nfs-common nfs-kernel-server nfs4-acl-tools krb5-user
NFS client: apt install winbind acl xattr nfs-common nfs4-acl-tools krb5-user

Example Setup NFS SERVER on server1.

### Example /etc/exports
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

With these options sec=sys:krb5:krb5i:krb5p
you can set up with any other server with or without kerberos.
If it didn't work, try sec=sys in a client; if that works, well,
then your setup needs fixing somewhere.

DNS/resolving/SPNs

##### Below are the client and server configs.

# Samba/winbind joined, and you need to add the NFS spn to the keytab file and AD.
### Server1 (NFS SERVER SPN setup)
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator

### Server1 (NFS exports setup)
# /etc/default/nfs-kernel-server
NEED_SVCGSSD="yes"

### Server1 and 2 (NFS Server and client) ! only needed if you set up as shown on server 1.
# /etc/default/nfs-common
NEED_STATD="yes"
STATDOPTS="no"
NEED_IDMAPD="yes"
NEED_GSSD="yes"

### Server 1 (NFS export setup)
# create the nfs shared folder.
install -o root -g root -d -m 1777 /exports/users

# and load the exports.
exportfs -rav
systemctl restart nfs-server nfs-client

### Server1 and 2.
mkdir /home/users # ( the linux homedir )

You see/noticed that: home-users.mount reflects /home/users.
This is a must, or automounting won't work.

The path must be the same as the file-name.mount/automount
for systemd config and any mounts/automounts.

# Server1 for NFS export (mount-bind)
# /etc/systemd/system/exports-users.mount
[Unit]
Description=SambaUsers Mount-bind (to /exports/users )
Wants=network-online.target

[Mount]
What=/home/samba/users
Where=/exports/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

#### NFS server is ready to serve


# For a client HOME-USERS.
# The mounter ( mount --bind ) and for the NFS export. ( server 1 only)
# /etc/systemd/system/home-users.mount
[Unit]
Description=SambaUsers Mount-bind (to /home/users)
Wants=network-online.target

[Mount]
What=/home/samba/users
Where=/home/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

### enable it
systemctl enable home-users.mount
# test it : systemctl start home-users.mount
# test it : systemctl stop home-users.mount
###

# For a client HOME-USERS.
# The mounter server2+
# /etc/systemd/system/home-users.mount
[Unit]
Description=Samba UsersHomeDir (/home/users)
Wants=network-online.target nfs-common.service
After=network-online.target nfs-common.service

[Mount]
What=servername.fqdn.of.server1:/users
Where=/home/users
Type=nfs4
Options=sec=krb5p

[Install]
WantedBy=multi-user.target

### The automounter (HOME-USERS) ( server 1 and 2 )
# /etc/systemd/system/home-users.automount
[Unit]
Description=Automount Samba UsersHomeDir

[Automount]
Where=/home/users

[Install]
WantedBy=multi-user.target

systemctl enable home-users.automount
systemctl start home-users.automount
# test it : ls /home/users

I might have forgotten something//

Above is shown for NFS and for CIFS. (almost the same)
This is the most important:
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

And all servers must have an A and PTR record.
If you have multiple hostnames, use CNAME.

Enjoy, questions, just ask.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Keltz via samba
> Sent: Friday 24 July 2020 4:42
> To: samba at lists.samba.org
> Subject: [Samba] samba4 kerberized nfs4 with sssd ad client
>
> Hi everyone,
>
> I have a samba DC, let's call it dc1.ad.example.com.
>
> I have two members of the domain - server1.ad.example.com and server2.ad.example.com. They are not running smbd and winbind. Instead, they are running SSSD with AD backend.
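Two offline checks for the setup Louis describes, written here as an added example (not code from the thread or from Samba): whether a keytab holds the nfs/ and cifs/ SPNs that the two `net ads keytab add_update_ads` calls create, and which /etc/exports entries still list sec=sys. The `klist -k` output and exports file below are constructed samples; on a real host you would feed in the output of `klist -k /etc/krb5.keytab` and the contents of /etc/exports.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` on server1 after adding
# nfs/$(hostname -f) with net ads keytab; the cifs/ entry is deliberately absent.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER1$@AD.EXAMPLE.COM
   2 host/server1.ad.example.com@AD.EXAMPLE.COM
   2 nfs/server1.ad.example.com@AD.EXAMPLE.COM
"""

# Constructed /etc/exports in the form used in the thread (one client spec per line).
SAMPLE_EXPORTS = """\
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
"""

_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")             # "   2 nfs/host@REALM"
_EXPORT_LINE = re.compile(r"^(\S+)\s+(\S+?)\(([^)]*)\)\s*$")    # "/path client(opts)"


def keytab_principals(klist_output):
    """Return {principal: highest kvno} from `klist -k` text; header lines never match."""
    principals = {}
    for line in klist_output.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            principals[principal] = max(kvno, principals.get(principal, 0))
    return principals


def missing_spns(klist_output, fqdn, realm, services=("nfs", "cifs")):
    """Service principals the keytab lacks: rpc.svcgssd needs nfs/<fqdn>@REALM,
    smbd needs cifs/<fqdn>@REALM (the two net ads keytab add_update_ads calls)."""
    have = keytab_principals(klist_output)
    return [p for p in (f"{s}/{fqdn}@{realm}" for s in services) if p not in have]


def parse_exports(text):
    """Return [(path, client, {option: value})]; bare flags such as rw map to ''."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = _EXPORT_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed exports line: {line!r}")
        path, client, raw = m.groups()
        opts = dict(opt.partition("=")[::2] for opt in raw.split(",") if opt)
        entries.append((path, client, opts))
    return entries


def exports_allowing_auth_sys(text):
    """Paths whose sec= list contains 'sys' (the exports(5) default when sec= is absent);
    a client may use any listed flavor, so sys means mounting with bare UID/GID claims."""
    return [path for path, _client, opts in parse_exports(text)
            if "sys" in opts.get("sec", "sys").split(":")]
```

Louis's sec=sys:krb5:krb5i:krb5p is handy while troubleshooting, since a client can fall back to sec=sys; once Kerberos mounts work, dropping sys from the list is what makes the export Kerberos-only.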
Hi Rowland,

In effect, I'm still using Samba on the DC, which is why I still thought this was relevant on the mailing list. :)

The reason in particular that I was looking at the sssd client as opposed to winbind was that we are running CentOS 7. I know if I want to use the latest Samba 4.12 on the clients, I'll have problems with gnutls because it's outdated in CentOS 7. Yes, someone has figured out a way around that by compiling a separate gnutls, but I'm just not 100% comfortable with that. It's still an option. The problem is that if I spend my days figuring out how to upgrade hundreds of custom CentOS machines from 7 to 8 (which I will no doubt eventually do) then I won't have time to figure out integration of this domain into AD. If I start with AD then I can't really use the latest 4.12. Maybe that's fine because eventually we will move to CentOS 8. However, what if a later Samba version requires an even later version of gnutls that CentOS 8 doesn't run with in the future!? Then I'll again be stuck in this position and may have to upgrade the OS clients to use the later Samba. There's always going to be this chicken and egg problem of course. That's just the environment we work in. That's why I was hoping that if I used SSSD then I could somewhat punt the problem. As long as the main DC was running the latest OS and could run the latest Samba then the clients could use their SSSD to connect.

In addition, the SSSD configuration for AD is so trivial. The winbind configuration, I have tested and it works but it's definitely more complex. I have to see whether it handles token groups because the SSSD configuration without token groups was very slow using SSSD because of the number of groups.

I'm not fixed at using sssd but just thinking about all the options. There are always many ways to solve the same problem. :)

Jason.

On Jul. 24, 2020, 2:22 a.m., Rowland penny via samba <samba at lists.samba.org> wrote:
> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot support it, because we know very little about it. I suggest you try the sssd-users mailing list.
Thanks a lot for all the details, Louis! I will experiment with this on the 'winbind stream' of my project.

Jason.

On Jul. 24, 2020, 4:30 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Depending on the OS.
>
> Below is tested/in production since samba 4.9.x and debian stretch.
> Currently running buster with samba 4.12.5 with samba and AD-Backends.