Hello Louis,
I'm still getting all the info together but I think that you're right.
This directive on the client's configuration should make sure that
unixHomeDirectory is properly passed along to AutoFS:
idmap config DOMAIN : unix_nss_info
I'm going to do some tests and get back to you!
Thank You!
On 2021-09-02 3:35 a.m., L.P.H. van Belle via samba wrote:
> Hi Luc,
>
> Let me start with 2 things.
> 1) I never used SSSD
> 2) I only have 1 server for all home directories here.
> But it also uses unixHomeDirectory
>
> So that said.
>
> On below, that's a good one, the different homedirs is not the problem,
> I'm wondering how I would point user homedirs to another server..
>
> And so far I can't think of one for my current setup.
> In my setup there is only 1 server holding all homedirs.
>
> But I'm also thinking, why should this not work without sssd.
> unixHomeDirectory still is unixHomeDirectory
> when samba/winbind is set up.
>
> Run :
> id username
> getent passwd username
>
> If the output is correct, then below should work in my opinion.
> Now, if your "users" can't trigger the mount, then you're most
> probably missing SPN nfs/ or root/
>
> Whats the Os running this?
> You already tried something and hit errors, then show me the errors.
>
> So far,
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
>> Sent: Wednesday 1 September 2021 16:48
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> Hey Louis,
>>
>> Again, thanks for your message!
>>
>> Could you please show me how you resolve different automount
>> directories
>> for users without SSSD?
>>
>> Presently, I use this line with SSSD:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> This value is stored in ActiveDirectory and is not the same
>> for all users.
>>
>> AutoFs maps the users home directory accordingly (auto.master,
>> auto.home[1-4]):
>>
>> ### /etc/auto.master ##############
>> /usagers1    /etc/auto.home1 --timeout=60
>> /usagers2    /etc/auto.home2 --timeout=60
>> /usagers3    /etc/auto.home3 --timeout=60
>> /usagers4    /etc/auto.home4 --timeout=60
>> ############################
>>
>> ### /etc/auto.home1 ###################
>> *    -fstype=nfs4,rw,sec=krb5    fs1.example.com:/&
>> ################################
>>
>> ### /etc/auto.home2 ##################
>> *    -fstype=nfs4,rw,sec=krb5    fs2.example.com:/&
>> ################################
>>
>> ### /etc/auto.home3 ##################
>> *    -fstype=nfs4,rw,sec=krb5    fs3.example.com:/&
>> ################################
>>
>> ### /etc/auto.home4 ##################
>> *    -fstype=nfs4,rw,sec=krb5    fs4.example.com:/&
>> ################################
>>
>> Thank You!
>>
>> On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
>>> I can show you my config for automounted homedirs with
>>> kerberised NFSv4.
>>> I saw the AD-DC smb.conf in the other post.
>>> Great, you use unix id's.
>>>
>>> So my setup: set up any "MEMBER" as you would normally do
>>> with RFC2307.
>>> Make sure you have this in smb.conf:
>>>
>>> kerberos method = secrets and keytab
>>> dedicated keytab file = /etc/krb5.keytab
>>>
>>> # renew the kerberos ticket
>>> winbind refresh tickets = yes
>>>
>>> # Gives username and not DOM\username
>>> winbind use default domain = yes
>>>
>>> I've added nfs/name.internal.dom.tld to the keytab file
>>> with net ads
>>> ( you might want to add cifs/ also to it, can be handy )
>>>
>>> In the list "samba4 kerberized nfs4 with sssd ad client"
>>> https://lists.samba.org/archive/samba/2020-July/231149.html
>>>
>>> That's how I run it with a systemd automounter,
>>> with winbind of course.
>>>
>>> If you use it on an AD-DC, I suggest reading this and using the
>>> parts you need.
>>> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>> This is what its all about.
>>> Recommended: Make a custom auth_to_local mapping in your krb5.conf.
>>> Integrate the following into your configuration krb5.conf
>>>
>>> [realms]
>>> SAMDOM.EXAMPLE.COM = {
>>> auth_to_local = RULE:[1:SAMDOM\$1]
>>> }
>>>
>>> But read the page before you implement it.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
>>>> Lalonde via samba
>>>> Sent: Monday 30 August 2021 19:27
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>>>
>>>> Hello Folks,
>>>>
>>>> I would like to remove SSSD from the equation for NFSv4 +
>>>> AutoFS mounts.
>>>>
>>>> Presently we use SSSD + Winbind for LDAP-KRB5 authentication
>>>> and AutoFS-NFSv4 for home directories.
>>>>
>>>> We have 4 NFS servers that split the load for our Linux
>>>> clients. We use this option in SSSD.CONF to get the users
>>>> home directory:
>>>>
>>>> ldap_user_home_directory = unixHomeDirectory
>>>>
>>>> Here are other options that we use:
>>>>
>>>> ldap_user_search_base = dc=example,dc=com
>>>> ldap_user_object_class = user
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_schema = rfc2307bis
>>>> ldap_user_fullname = displayName
>>>> ldap_user_name = sAMAccountName
>>>> ldap_group_object_class = group
>>>>
>>>> Upon account creation, UID and GID are stored in AD, and
>>>> everything works great. We also do not use DOMAIN\USERNAME
>>>> logins, just USERNAME.
>>>>
>>>> Is there a way to achieve this with just WINBIND?
>>>>
>>>> Thank You!
>>>>
>>>> --
>>>> Luc Lalonde, analyste
>>>> -----------------------------
>>>> Département de génie informatique:
>>>> École polytechnique de MTL
>>>> (514) 340-4711 x5049
>>>> Luc.Lalonde at polymtl.ca
>>>> -----------------------------
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
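As an added example for this thread (not code from the thread, from Luc, Louis or Samba): a POSIX shell preflight script that turns the checks Louis asks for into something a client can run before SSSD is removed. It reads the `getent passwd` line for a user, the `klist -k` listing of the keytab, smb.conf and auto.master, and verifies that the AD home directory reaches NSS, that an auto.master mount point covers it, that an nfs/ principal is in the keytab, and that the smb.conf settings from the thread are present. Every SAMPLE_* value is constructed for the example; the realm SAMDOM.EXAMPLE.COM, the host client1, the user luc with UID 10042 and the assumption that `unix_nss_info` is set to `yes` are all mine, not the thread's.

```shell
#!/bin/sh
# Preflight checks for a winbind-only client that serves kerberised NFSv4
# home directories through autofs. Added example for this thread, not
# Samba's own tooling. Every SAMPLE_* value is a constructed stand-in for
# live output; realm, host, user and UID values are assumptions.

# Constructed: `getent passwd luc` once winbind fills the home directory
# from unixHomeDirectory (no DOMAIN\ prefix: winbind use default domain).
SAMPLE_PASSWD='luc:*:10042:10000:Luc Lalonde:/usagers3/luc:/bin/bash'

# Constructed: `klist -k /etc/krb5.keytab` after `net ads keytab add nfs`.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/client1.samdom.example.com@SAMDOM.EXAMPLE.COM
   3 nfs/client1.samdom.example.com@SAMDOM.EXAMPLE.COM
   3 CLIENT1$@SAMDOM.EXAMPLE.COM'

# Constructed: [global] of a member smb.conf with the settings from the thread.
SAMPLE_SMBCONF='[global]
   realm = SAMDOM.EXAMPLE.COM
   workgroup = SAMDOM
   security = ads
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind refresh tickets = yes
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes'

# Constructed: the auto.master from the thread (whitespace normalised).
SAMPLE_AUTOMASTER='/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60'

# home_of "<passwd line>": print the home directory field.
home_of() {
   printf '%s\n' "$1" | cut -d: -f6
}

# automount_map "<auto.master text>" "<home dir>": print the map file whose
# mount point is the first path component of the home dir; fail if none.
automount_map() {
   mp="/$(printf '%s\n' "$2" | cut -d/ -f2)"
   printf '%s\n' "$1" | awk -v mp="$mp" '$1 == mp { print $2; found = 1 }
      END { exit !found }'
}

# has_spn "<klist -k output>" "<service>": succeed if a service/ principal exists.
has_spn() {
   printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* $2/"
}

# smb_option "<smb.conf text>" "<key>": print the option value, lowercased and
# trimmed. Keys compare case-insensitively with spaces around ':' removed, so
# pass "idmap config samdom:unix_nss_info" for "idmap config SAMDOM : unix_nss_info".
smb_option() {
   printf '%s\n' "$1" | awk -F'=' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
      NF >= 2 {
         k = tolower($1); sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
         gsub(/[ \t]*:[ \t]*/, ":", k)
         if (k == key) {
            v = tolower($2); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
         }
      }'
}

# preflight "<passwd line>" "<klist -k output>" "<smb.conf text>" "<auto.master text>"
# Succeeds only when every prerequisite raised in the thread is in place.
preflight() {
   home=$(home_of "$1")
   case $home in
      /*/*) ;;
      *) echo "FAIL: home '$home' missing; unixHomeDirectory is not reaching NSS"; return 1 ;;
   esac
   map=$(automount_map "$4" "$home") ||
      { echo "FAIL: no auto.master entry covers $home"; return 1; }
   has_spn "$2" nfs ||
      { echo "FAIL: nfs/ principal missing from the keytab (net ads keytab add nfs)"; return 1; }
   [ "$(smb_option "$3" 'kerberos method')" = 'secrets and keytab' ] ||
      { echo "FAIL: kerberos method should be 'secrets and keytab'"; return 1; }
   [ "$(smb_option "$3" 'winbind use default domain')" = yes ] ||
      { echo "FAIL: winbind use default domain = yes is needed for plain USERNAME logins"; return 1; }
   wg=$(smb_option "$3" workgroup)
   [ "$(smb_option "$3" "idmap config $wg:unix_nss_info")" = yes ] ||
      { echo "FAIL: idmap config $wg : unix_nss_info = yes is needed to hand the AD home dir to NSS"; return 1; }
   echo "OK: $home is served by $map over krb5 NFSv4"
}

preflight "$SAMPLE_PASSWD" "$SAMPLE_KEYTAB" "$SAMPLE_SMBCONF" "$SAMPLE_AUTOMASTER"
```

On a real member you would feed `preflight` the live data instead of the samples: `getent passwd "$user"`, `klist -k /etc/krb5.keytab`, `testparm -s` (its output is parsed the same way, since keys and values are compared lowercased) and the contents of /etc/auto.master. A home directory that comes back as `/` or empty is the symptom to look for first: it means winbind is not handing the AD `unixHomeDirectory` value to NSS, and autofs never sees a path it could map.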