Rowland penny
2019-Jun-17 16:58 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 17:45, Edouard Guigné via samba wrote:
> Hello,
>
> I do not know how nsswitch.conf should be configured.
> What should I change in it according to "/you either do not have the
> passwd, group and shadow lines or you have chosen not to show them/" ?
> Something like this added to nsswitch.conf?
> passwd : files
> group : files
> shadow : files
>
> What does it change if not to show them ?

If you do not have them set in /etc/nsswitch.conf, then NSS will not use them, and if you set them as in your example, only the local files will be used, nothing from AD. Try it like this:

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

Rowland
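A small check, added here and not part of the thread, that reads an nsswitch.conf and reports for passwd, group and shadow whether winbind is consulted at all; the two sample files it writes are constructed from the lines quoted above (files only, and the suggested files winbind).

```shell
#!/bin/sh
# Added example, not from the thread: report which NSS sources each of the
# passwd/group/shadow databases will consult, so a files-only configuration
# (nothing from AD) is visible before anyone wonders why getent finds no domain users.

# Print the source list of one database ("files winbind"); empty if the line is absent.
# $1 = path to an nsswitch.conf, $2 = database name.
nss_sources() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# Exit 0 if the database lists winbind, 1 if it lists only other sources, 2 if absent.
nss_uses_winbind() {
    srcs=$(nss_sources "$1" "$2")
    [ -n "$srcs" ] || return 2
    for s in $srcs; do
        [ "$s" = "winbind" ] && return 0
    done
    return 1
}

# One line per database, for the three databases the thread is about.
nss_report() {
    for db in passwd group shadow; do
        rc=0
        nss_uses_winbind "$1" "$db" || rc=$?
        case $rc in
            0) echo "$db: $(nss_sources "$1" "$db") -> AD users resolvable through winbind" ;;
            2) echo "$db: (line absent) -> glibc default only, nothing from AD" ;;
            *) echo "$db: $(nss_sources "$1" "$db") -> local files only, nothing from AD" ;;
        esac
    done
}

# Two constructed sample files: the files-only lines asked about, and the suggested fix.
write_samples() {
    printf 'passwd : files\ngroup : files\nshadow : files\n' > "$1"
    printf 'passwd:  files winbind\ngroup:   files winbind\nshadow:  files\nhosts:   files dns\n' > "$2"
}

FILES_ONLY=$(mktemp) && WITH_WINBIND=$(mktemp)
write_samples "$FILES_ONLY" "$WITH_WINBIND"
echo "== files only =="; nss_report "$FILES_ONLY"
echo "== files winbind =="; nss_report "$WITH_WINBIND"
rm -f "$FILES_ONLY" "$WITH_WINBIND"
```

Run it against a real /etc/nsswitch.conf with nss_report /etc/nsswitch.conf; a database reported as "local files only" will never return domain users no matter how winbind itself is configured.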
Edouard Guigné
2019-Jun-17 17:37 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On my linux box (centos 7), I set Samba + Winbind against AD.
But I also set SSSD against AD for another purpose (sftp access).

I am wondering whether there is any risk of disabling sftpd/sssd if I add winbind in /etc/nsswitch.conf.

Can Winbind and SSSD be installed on the same system if they are not used for the same purpose?

On 17/06/2019 at 13:58, Rowland penny via samba wrote:
> On 17/06/2019 17:45, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I do not know how nsswitch.conf should be configured.
>> What should I change in it according to "/you either do not have the
>> passwd, group and shadow lines or you have chosen not to show them/" ?
>> Something like this added to nsswitch.conf?
>> passwd : files
>> group : files
>> shadow : files
>>
>> What does it change if not to show them ?
>
> If you do not have them set in /etc/nsswitch.conf, then NSS will not
> use them, and if you set them as in your example, only the local files
> will be used, nothing from AD. Try it like this:
>
> passwd:         files winbind
> group:          files winbind
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   files
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus
>
> Rowland
Rowland penny
2019-Jun-17 18:06 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 17/06/2019 18:37, Edouard Guigné via samba wrote:
> On my linux box (centos 7), I set Samba + Winbind against AD.
> But I also set SSSD against AD for another purpose (sftp access).
>
> I am wondering whether there is any risk of disabling sftpd/sssd if I add
> winbind in /etc/nsswitch.conf.
>
> Can Winbind and SSSD be installed on the same system if they are not
> used for the same purpose?

We do not produce sssd, it is a Red-Hat product, so we do not know how to configure it and have not tested its use with Samba. What I can say is this: Red-Hat is now saying that they do not support the use of sssd with Samba, you should use winbind, see here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#the_samba_services

I personally do not use sssd (I used to) and have nothing against it, except the fact that I now no longer know how to configure it. It will be your choice whether to use it or not, but we cannot provide support for it, for the reasons given above.

There is also very little that sssd can do that winbind cannot, and you can usually find a workaround for the stuff it doesn't do.

Rowland
Goetz, Patrick G
2019-Jun-17 19:05 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 6/17/19 12:37 PM, Edouard Guigné via samba wrote:
> On my linux box (centos 7), I set Samba + Winbind against AD.
> But I also set SSSD against AD for another purpose (sftp access).
>
> I am wondering whether there is any risk of disabling sftpd/sssd if I add
> winbind in /etc/nsswitch.conf.
>
> Can Winbind and SSSD be installed on the same system if they are not
> used for the same purpose?

I'm wondering this myself. Regarding nsswitch.conf, the options are searched in order. So

passwd: compat systemd sss winbind
shadow: compat sss winbind

would presumably look in the local /etc/passwd|shadow files first for authentication, then check sssd, and finally winbind. The question is: will a Samba mount fail trying to use sssd? You could try putting winbind before sssd, or in theory winbind should be able to handle ssh authentication? Can someone confirm this?

I'm still confused by the RHEL documentation on this. Rowland is correct, the RHEL 8 documentation states this:

"Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported."

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

What's confusing is that the RHEL 7 documentation says:

"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer need to run Winbind and SSSD in parallel to access SMB shares. For example, accessing the Access Control Lists (ACLs) no longer requires Winbind on SSSD clients."

and

"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares
For most SSSD clients, using SSSD is recommended:"

and, most worrisome in my use case:

"In environments with direct Active Directory integration where the clients use SSSD for general Active Directory user mappings, using Winbind for the SMB ID mapping instead of SSSD can result in inconsistent mapping."

What changed between versions 7 and 8 of RHEL/CentOS? Is it just the upgrade from Samba 4.7.x to 4.8.x?

What's especially weird is that RHEL does not support the use of Samba as an AD domain controller:

"Red Hat does not support running Samba as an AD domain controller (DC)."

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

They want you to use IdM, which is closely associated with sssd, which begs the question "are they assuming no one is going to want to serve files from a linux box to Windows systems?" At least in my environment, that's a very poor assumption indeed.

Question: How feasible would it be to have a version of smbd that just works with sssd? I understand a big feature of Samba 4 is providing a standalone AD domain controller, but for environments that already have AD, kind of all you really need is file services, and it would be very convenient to be able to install a version of smbd that just works with sssd out of the box.