Luc Lalonde
2022-Jan-13 18:05 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
No I read that!
To me it says:
1. We know that there are issues with using SSSD and we're working on it
2. We'll continue to support you if you choose this configuration
3. We're not ready to offer a working supported alternative yet, again,
we're working on it
In my experience, RHEL7 works well with standalone Winbind.
Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
Perhaps I'm missing something, but the latest Red Hat documentation
continues to push SSSD + Winbind as the way to go:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel
I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
we're not quite there yet!
On 1/13/22 10:47, Rowland Penny via samba wrote:
> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>> Hello Rowland,
>>
>> I've read the article mentioned below... and I don't see how it
>> could be interpreted as a 'non-recommendation'.
> Did you miss this under 'Support status':
>
> [quote]
> Therefore Red Hat currently does not recommend using the idmap_sss
> module for Samba file server enrolled into an IdM or AD domain.
> [/quote]
>
> They only provide limited support if you use sssd with Samba and only
> then if it is an existing setup.
>
> I cannot see any other definition of 'does not recommend' other than
> 'do not use it'
>
> Rowland
>
>
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
Luc Lalonde
2022-Jan-13 18:30 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
While we wait for RedHat to get their stuff in order wrt Winbind, here's
my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help
someone:
########/etc/krb5.conf ##############
[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
# re-enables single-DES enctypes; only needed while a legacy KDC/DC still offers them
allow_weak_crypto = true
[realms]
example.com = {
    default_domain = example.com
    kdc = dc1.example.com
    kdc = dc2.example.com
    admin_server = dc1.example.com
}
[domain_realm]
example.com = example.com
.dgi.polymtl.ca = example.com
dgi.polymtl.ca = example.com
.example.com = example.com
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    krb4_convert = false
    validate = true
}
####################################
########/etc/sssd/sssd.conf#########
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
debug_level = 9
[nss]
filter_groups = root
filter_users = root
[pam]
[sudo]
[autofs]
[ssh]
[domain/example.com]
ldap_referrals = false
enumerate = false
cache_credentials = true
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
# only consulted for ldaps:// or STARTTLS; the plain ldap:// URIs above rely on the GSSAPI SASL bind below instead of a simple bind
ldap_tls_reqcert = never
ldap_default_authtok_type = password
ldap_sasl_mech = GSSAPI
ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
auth_provider = krb5
chpass_provider = krb5
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
krb5_auth_timeout = 15
krb5_canonicalize = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 15
cache_credentials = True
####################################
On 1/13/22 13:05, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working on it
> 2. We'll continue to support you if you choose this configuration
> 3. We're not ready to offer a working supported alternative yet, again,
>    we're working on it
>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>
> Perhaps I'm missing something, but the latest Red Hat documentation
> continues to push SSSD + Winbind as the way to go:
>
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel
>
>
> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
> we're not quite there yet!
>
> On 1/13/22 10:47, Rowland Penny via samba wrote:
>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>> Hello Rowland,
>>>
>>> I've read the article mentioned below... and I don't see how it
>>> could be interpreted as a 'non-recommendation'.
>> Did you miss this under 'Support status':
>>
>> [quote]
>> Therefore Red Hat currently does not recommend using the idmap_sss
>> module for Samba file server enrolled into an IdM or AD domain.
>> [/quote]
>>
>> They only provide limited support if you use sssd with Samba and only
>> then if it is an existing setup.
>>
>> I cannot see any other definition of 'does not recommend' other than
>> 'do not use it'
>>
>> Rowland
>>
>>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
Rowland Penny
2022-Jan-13 18:42 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Thu, 2022-01-13 at 13:05 -0500, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working
> on it

They seem to have been working on it for the last two years (at least)

> 2. We'll continue to support you if you choose this configuration

As long as you have a support contract and it is an existing setup.

> 3. We're not ready to offer a working supported alternative yet,
> again, we're working on it

See my first reply ;-)

> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.

This 'may' have something to do with the removal of libpam-krb5

> Perhaps I'm missing something, but the latest Red Hat documentation
> continues to push SSSD + Winbind as the way to go:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel

It says:

    Important
    Implement this procedure only in the rare cases where this approach is preferred.

That hardly inspires confidence.

> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
> we're not quite there yet!

You could always dump the Red Hat machines and come over to the Debian side, where it has always worked.

The following is totally my opinion: sssd, realmd etc. were written to be used with FreeIPA and as such, should only be used with FreeIPA. If you are using Samba, then you should use Samba's tools, winbind, net, wbinfo etc.

Others may have a different view (and probably will). I cannot and will not try to make anyone follow my view, anyone reading this should make their own decision on which path to follow.

I just know what has worked for myself since 2012, part of which time I used sssd, this was until I found that winbind was actually easier to use (once I got my head around the 'idmap config' lines).

Rowland
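Two places in this thread invite a concrete check: the krb5.conf and sssd.conf that Luc posted earlier (allow_weak_crypto = true, ldap_tls_reqcert = never, debug_level = 9, a key set twice) and Rowland's remark that winbind only became easy once he understood the 'idmap config' lines, where overlapping ranges are the classic mistake. The script below is an added example, not code from the thread or from Samba/SSSD: it parses both files with a small parser that tolerates krb5.conf's realm braces and duplicate keys, flags the weak settings, and checks a constructed smb.conf for idmap range overlap. The sample text is trimmed from the post or constructed here, and EXAMPLE is an assumed NetBIOS domain name.

```python
"""Added example (not from the thread): lint the krb5.conf / sssd.conf
settings posted above and check winbind 'idmap config' ranges for overlap.
Config text is trimmed from the post or constructed; EXAMPLE is assumed."""
import re
from itertools import combinations

KRB5_CONF = """[libdefaults]
allow_weak_crypto = true
[realms]
example.com = {
  kdc = dc1.example.com
}
"""
SSSD_CONF = """[sssd]
debug_level = 9
[domain/example.com]
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_tls_reqcert = never
ldap_sasl_mech = GSSAPI
ldap_group_object_class = group
ldap_group_object_class = group
"""
SMB_CONF_OK = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""
SMB_CONF_BAD = SMB_CONF_OK.replace("10000-999999", "5000-999999")  # collides with '*'

def parse_kv(text):
    """section -> [(key, value), ...]; keeps duplicates, skips krb5 realm braces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            current = line.strip("[] ")
            sections.setdefault(current, [])
        elif "=" in line and not line.endswith("{"):
            key, _, val = line.partition("=")
            sections.setdefault(current, []).append((key.strip(), val.strip()))
    return sections

def lookup(sections, section, key, default=None):
    vals = [v for k, v in sections.get(section, []) if k.lower() == key.lower()]
    return vals[-1] if vals else default   # last occurrence wins in this linter

def lint_krb5(sections):
    found = []
    if lookup(sections, "libdefaults", "allow_weak_crypto", "false").lower() == "true":
        found.append(("WEAK_CRYPTO", "allow_weak_crypto = true re-enables single-DES enctypes"))
    return found

def lint_sssd(sections):
    found = []
    dom = next(s for s in sections if s.startswith("domain/"))  # StopIteration if absent
    if lookup(sections, dom, "ldap_tls_reqcert", "demand").lower() == "never":
        found.append(("TLS_NOCERT", "server certificate is never checked once ldaps:// or STARTTLS is used"))
    if "ldap://" in lookup(sections, dom, "ldap_uri", "") and \
            lookup(sections, dom, "ldap_sasl_mech", "").upper() != "GSSAPI":
        found.append(("PLAIN_LDAP", "ldap:// without a GSSAPI bind sends bind credentials in clear"))
    level = lookup(sections, "sssd", "debug_level", "0")   # hex bitmask form (0x..) not interpreted
    if level.isdigit() and int(level) >= 7:
        found.append(("DEBUG_VERBOSE", "debug_level %s logs every request; lower it once it works" % level))
    seen = set()
    for key, _ in sections[dom]:
        if key in seen:
            found.append(("DUPLICATE_KEY", "%s set more than once in [%s]" % (key, dom)))
        seen.add(key)
    return found

def idmap_ranges(sections):
    """{DOMAIN: {'backend': str, 'range': (lo, hi)}} from 'idmap config DOM : x' keys."""
    out = {}
    for key, val in sections.get("global", []):
        m = re.fullmatch(r"idmap config\s+(\S+)\s*:\s*(backend|range)", key, re.I)
        if m:
            entry = out.setdefault(m.group(1).upper(), {"backend": None, "range": None})
            if m.group(2).lower() == "range":
                lo, hi = (int(x) for x in val.split("-"))
                entry["range"] = (lo, hi)
            else:
                entry["backend"] = val.lower()
    return out

def overlapping_ranges(idmap):
    """Domain pairs whose ranges intersect; smb.conf(5) requires them not to overlap."""
    r = {d: v["range"] for d, v in idmap.items() if v["range"]}
    return [(a, b) for a, b in combinations(sorted(r), 2)
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]

def lint_all():
    return {
        "krb5.conf": [c for c, _ in lint_krb5(parse_kv(KRB5_CONF))],
        "sssd.conf": [c for c, _ in lint_sssd(parse_kv(SSSD_CONF))],
        "smb.conf(ok)": overlapping_ranges(idmap_ranges(parse_kv(SMB_CONF_OK))),
        "smb.conf(bad)": overlapping_ranges(idmap_ranges(parse_kv(SMB_CONF_BAD))),
    }
```

Run against real files by replacing the embedded strings with open(path).read(). On the posted configuration it reports WEAK_CRYPTO, TLS_NOCERT, DEBUG_VERBOSE and the duplicated ldap_group_object_class; the plain ldap:// URIs are not flagged because the bind is GSSAPI rather than simple. The smb.conf check is the part that catches the '*' range colliding with the domain range before winbind does.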
Christopher Cox
2022-Jan-14 03:34 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On 1/13/22 12:05, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working on it
> 2. We'll continue to support you if you choose this configuration
> 3. We're not ready to offer a working supported alternative yet, again,
>    we're working on it
>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.

Probably doesn't help, but I have several domain-joined CentOS 8 boxes using just winbind, just fine, both for login and for sharing files. Using the samba version that comes with the latest CentOS 8 (not Stream).

sssd is the devil.