Hi Rowland,

In effect, I'm still using Samba on the DC, which is why I still thought this was relevant on the mailing list. :)

The reason in particular that I was looking at the sssd client as opposed to winbind was that we are running CentOS 7. I know if I want to use the latest Samba 4.12 on the clients, I'll have problems with gnutls because it's outdated in CentOS 7. Yes, someone has figured out a way around that by compiling a separate gnutls, but I'm just not 100% comfortable with that. It's still an option. The problem is that if I spend my days figuring out how to upgrade hundreds of custom CentOS machines from 7 to 8 (which I will no doubt eventually do) then I won't have time to figure out integration of this domain into AD. If I start with AD then I can't really use the latest 4.12. Maybe that's fine because eventually we will move to CentOS 8. However, what if a later Samba version requires an even later version of gnutls that CentOS 8 doesn't run with in the future! Then I'll again be stuck in this position and may have to upgrade the OS clients to use the later Samba. There's always going to be this chicken and egg problem of course. That's just the environment we work in. That's why I was hoping that if I used SSSD then I could somewhat punt the problem. As long as the main DC was running the latest OS and could run the latest Samba then the clients could use their SSSD to connect. In addition, the SSSD configuration for AD is so trivial. The winbind configuration, I have tested and it works, but it's definitely more complex. I have to see whether it handles token groups, because the SSSD configuration without token groups was very slow using SSSD because of the number of groups. I'm not fixed on using sssd but just thinking about all the options. There are always many ways to solve the same problem. :)

Jason.

On Jul. 24, 2020, 2:22 a.m., Rowland penny via samba <samba at lists.samba.org> wrote:
> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>> Hi everyone,
>>
>> I have a samba DC, let's call it dc1.ad.example.com.
>>
>> I have two members of the domain - server1.ad.example.com and server2.ad.example.com. They are not running smbd and winbind. Instead, they are running SSSD with AD backend.
>
> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot support it, because we know very little about it. I suggest you try the sssd-users mailing list.
>
> If you want to use Samba instead, I am more than willing to help you with this, it is very easy and there is the bonus of being able to share files.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 2020-07-24 12:57, Jason Keltz via samba wrote:
> [...]

Hi Jason,

I have got a few CentOS servers as Samba AD members. I found out that upgrading them to CentOS 8 isn't worth the hassle, a completely different paradigm, and lots of migration issues to solve. As you have got lots of machines, it could probably pay off to create your own solution, but in your place, I would get nervous that every new update would break something.

I'm going to migrate my few servers to Debian Buster instead. It seems to be a much less painful way. Up until recently, I have exclusively used CentOS, but I have found Debian very capable, and not very different to work with, compared to CentOS 7. The update policy is also fairly conservative.

Just my five cents...

Best regards,

Peter
On 24.07.20 at 12:57, Jason Keltz via samba wrote:
> [...]

I can't say much about the NFS part here. However, my laptop uses SSSD as client software and I mount our Samba shares via pam_mount and kerberos. This all works fine. So I suspect that this should also work with NFS. The IDs of your users need to be the same as on the server; otherwise I haven't found a restriction.

Regards

Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
On 24/07/2020 11:57, Jason Keltz wrote:
> [...]

Hi, I am not saying you cannot use sssd, I am just saying that we do not support it, because we do not produce it and have little knowledge of it. We do produce winbind, so we can support it, and I cannot understand why anyone thinks setting up sssd is easier than Samba.

If you require shares and are using Samba >= 4.8.0, then you cannot use sssd. If you don't require shares and do want to use Samba, then you can, but you will need to set up two conf files, smb.conf and sssd's.

Rowland
On 24/07/2020 12:25, Peter Milesson via samba wrote:
> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>> [...]
>
> Hi Jason,
>
> I have got a few CentOS servers as Samba AD members. I found out that upgrading them to CentOS 8 isn't worth the hassle, a completely different paradigm, and lots of migration issues to solve. As you have got lots of machines, it could probably pay off to create your own solution, but in your place, I would get nervous that every new update would break something.

Upgrading to CentOS 8 will definitely break things if you use openldap and/or run a Samba NT4-style PDC with smbldap-tools; both have been removed by Red Hat.

> I'm going to migrate my few servers to Debian Buster instead. It seems to be a much less painful way. Up until recently, I have exclusively used CentOS, but I have found Debian very capable, and not very different to work with, compared to CentOS 7. The update policy is also fairly conservative.

You can also make use of Louis's repo, which is a very big bonus ;-)

Rowland
On 24/07/2020 12:35, Christian Naumer via samba wrote:
> I can't say much about the NFS part here. However, my laptop uses SSSD as client software and I mount our Samba shares via pam_mount and kerberos. This all works fine. So I suspect that this should also work with NFS. The IDs of your users need to be the same as on the server; otherwise I haven't found a restriction.

NFS shares != Samba shares and 'mounting' != hosting Samba shares ;-)

Up until Samba 4.8.0, 'smbd' (the fileserver component on a Unix domain member) could contact AD directly, but after 4.8.0 smbd must now go through winbind. sssd uses some of the winbind code, so it is incompatible with winbind. As I said, you can use sssd for authentication, but if you want to serve files, you will have to use Samba with winbind.

Rowland
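The split Rowland describes (sssd is fine for authentication only; anything that serves files with smbd on Samba >= 4.8.0 must resolve identities through winbind) is easiest to see as a concrete member configuration. The smb.conf below is an added illustration and is not part of the thread, nor Samba project documentation. It uses the ad.example.com realm from Jason's original post; the NetBIOS workgroup name AD, the idmap ranges, the share path and the template paths are assumptions to be replaced with the real domain's values.

```ini
# Added example, not from the thread: minimal smb.conf for a Unix domain
# member of ad.example.com where smbd goes through winbind (Samba >= 4.8.0).
# Workgroup "AD", the idmap ranges, the share path and the template paths
# are assumptions; the realm comes from the thread.
[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab

    # Default backend handles BUILTIN and any trusted domain. Its range
    # must not overlap the domain range below, or lookups silently fail.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # rid derives the UID/GID arithmetically from the SID, so server1 and
    # server2 compute identical IDs from the same config with no extra
    # schema attributes. That is what NFS between members needs (Christian's
    # point about IDs matching on both ends).
    idmap config AD : backend = rid
    idmap config AD : range = 10000-999999

    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U

[data]
    path = /srv/samba/data
    read only = no
```

After `net ads join -U Administrator`, put `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, start winbind, and check in this order: `wbinfo -t` (machine trust secret is valid), `wbinfo -u` (winbind can enumerate domain users), then `getent passwd <someADuser>`. If `wbinfo -u` works but `getent` returns nothing, the NSS module is missing rather than the join being broken; on CentOS 7 it ships in samba-winbind-clients. Do not also let sssd populate nsswitch for the same domain on a host that runs smbd: that is exactly the winbind-versus-sssd collision Rowland is warning about.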
On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
> [...]
>
> Just my five cents...
>
> Best regards,
>
> Peter

Hi Peter,

Our client systems need to continue to run CentOS because a variety of software that we use requires CentOS/RHEL. Some of the software is very version specific. I can't even upgrade to CentOS 8 until certain software is compatible with 8. Running a separate Linux distribution on the servers and the clients is possible, of course, but in a small team, just a headache to handle multiple OS paths. If we were a bigger team, this is definitely something I would consider though.

Jason.