On 7/24/20 11:33 AM, Rowland penny via samba wrote:
> On 24/07/2020 16:08, Robert Marcano via samba wrote:
>> On 7/24/20 10:53 AM, Rowland penny via samba wrote:
>>> On 24/07/2020 15:45, Jason Keltz via samba wrote:
>>>>
>>>> On 7/24/2020 7:25 AM, Peter Milesson via samba wrote:
>>>>>
>>>>> On 2020-07-24 12:57, Jason Keltz via samba wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> In effect, I'm still using Samba on the DC, which is why I still
>>>>>> thought this was relevant on the mailing list. :)
>>>>>>
>>>>>> The reason in particular that I was looking at sssd client as
>>>>>> opposed to winbind was that we are running CentOS 7. I know if I
>>>>>> want to use the latest Samba 4.12 on the clients, I'll have
>>>>>> problems with gnutls because it's outdated in CentOS 7. Yes,
>>>>>> someone has figured out a way around that by compiling a separate
>>>>>> gnutls, but I'm just not 100% comfortable with that. It's still an
>>>>>> option. The problem is that if I spend my days figuring out how
>>>>>> to upgrade hundreds of custom CentOS machines from 7 to 8 (which I
>>>>>> will no doubt eventually do) then I won't have time to figure out
>>>>>> integration of this domain into AD. If I start with AD then I
>>>>>> can't really use the latest 4.12. Maybe that's fine because
>>>>>> eventually we will move to CentOS 8. However, what if a later
>>>>>> Samba version requires an even later version of gnutls that
>>>>>> CentOS 8 doesn't run with in the future!? Then I'll again be stuck
>>>>>> in this position and may have to upgrade the OS clients to use the
>>>>>> later Samba. There's always going to be this chicken and egg
>>>>>> problem of course. That's just the environment we work in. That's
>>>>>> why I was hoping that if I used SSSD then I could somewhat punt
>>>>>> the problem. As long as the main DC was running the latest OS and
>>>>>> could run the latest Samba then the clients could use their SSSD
>>>>>> to connect. In addition, the SSSD configuration for AD is so
>>>>>> trivial. The winbind configuration, I have tested and it works but
>>>>>> it's definitely more complex. I have to see whether it handles
>>>>>> token groups because the SSSD configuration without token groups
>>>>>> was very slow using SSSD because of the number of groups. I'm not
>>>>>> fixed at using sssd but just thinking about all the options. There
>>>>>> are always many ways to solve the same problem. :)
>>>>>>
>>>>>> Jason.
>>>>>>
>>>>>> On Jul. 24, 2020, 2:22 a.m., at 2:22 a.m., Rowland penny via samba
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>> On 24/07/2020 03:42, Jason Keltz via samba wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>> I have a samba DC, let's call it dc1.ad.example.com.
>>>>>>>>
>>>>>>>> I have two members of the domain - server1.ad.example.com and
>>>>>>>> server2.ad.example.com. They are not running smbd and winbind.
>>>>>>>> Instead, they are running SSSD with AD backend.
>>>>>>> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
>>>>>>> support it, because we know very little about it. I suggest you
>>>>>>> try the sssd-users mailing list.
>>>>>>>
>>>>>>> If you want to use Samba instead, I am more than willing to help you
>>>>>>> with this, it is very easy and there is the bonus of being able to
>>>>>>> share files.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>> Hi Jason,
>>>>>
>>>>> I have got a few CentOS servers as Samba AD members. I found out
>>>>> that upgrading them to CentOS 8 isn't worth the hassle, a
>>>>> completely different paradigm, and lots of migration issues to
>>>>> solve. As you have got lots of machines, it could probably pay off
>>>>> to create your own solution, but in your place, I would get nervous
>>>>> that every new update would break something.
>>>>>
>>>>> I'm going to migrate my few servers to Debian Buster instead. It
>>>>> seems to be a much less painful way. Up until recently, I have
>>>>> exclusively used CentOS, but I have found Debian very capable, and
>>>>> not very different to work with, compared to CentOS 7. The update
>>>>> policy is also fairly conservative.
>>>>>
>>>>> Just my five cents...
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Peter
>>>>
>>>> Hi Peter,
>>>>
>>>> Our client systems need to continue to run CentOS because a variety
>>>> of software that we use requires CentOS/RHEL. Some of the software
>>>> is very version specific. I can't even upgrade to CentOS 8 until
>>>> certain software is compatible with 8. Running a separate Linux
>>>> distribution on the servers and the clients is possible, of course,
>>>> but in a small team, just a headache to handle multiple OS paths. If
>>>> we were a bigger team, this is definitely something I would consider
>>>> though.
>>>>
>>>> Jason.
>>>>
>>> Rule one: Never run software that is tied to a specific OS, you get
>>> trapped, as you have found. If some entity tries selling you software
>>> that requires a specific OS (and worse a specific version), tell them
>>> to **** off.
>>>
>>> Just what are these 'softwares' that require Centos?
>>>
>>> Rowland
>>>
>>
>> I usually avoid threads where someone mentions SSSD because they
>> always end the same way. The original poster is asking a question
>> about using a Samba DC server using winbind at the server and his
>> problems or doubts about using the Kerberos part of Samba AD, and
>> the discussion goes down to SSSD no no no, change OS, etc. A user
>> asking with problems with a Mac or Windows client doesn't get that
>> kind of responses, clients more closed than anything Red Hat produces.
>>
>> The initial response that asking on the SSSD mailing list would be a
>> better idea was probably the good end of it if no other person was
>> able to help.
>>
>> I personally can't help, because I use FreeIPA for my Linux clients
>> and Samba AD for Windows clients, establishing a trust between
>> domains. I have done long ago the other way of the original poster
>> problem, NFS Kerberized NFS shares from a domain using MIT Kerberos
>> (via FreeIPA), shares to Windows clients with Samba, but Samba
>> standalone shares, doing LDAP integration with FreeIPA 389 server, but
>> I would not recommend that now that the AD implementation of Samba is
>> robust enough.
>>
>> Note: Now that CentOS 8 was mentioned early on the list, CentOS 8
>> clients joined to a Samba domain using SSSD work pretty well. Some
>> tips at https://lists.samba.org/archive/samba/2020-March/228875.html
>>
> Robert, I have said numerous times that I personally have nothing
> against sssd, just that I do not see the point in using it with Samba.
> This forum cannot support sssd because we do not produce it and know
> little about it, but it has its own mailing list, sssd-users, that is
> undoubtedly the correct place to ask questions about sssd.
>
> Also, you can use sssd on centos clients to access Samba shares on
> another Unix domain member (this much I do know), but you cannot use
> sssd on a Samba fileserver.
>
> Rowland
>

And the original mail said SSSD on client, not on server; even the Subject says it. It is just like someone asking about problems using Samba AD Kerberos from a Mac; the client on a Mac isn't even based on Samba. We SSSDers should probably create a mailing list named "SSSD on Samba AD clients" :-P. If anyone comes and asks about winbind on clients, they will get a lecture, again :-P

On 24/07/2020 16:44, Robert Marcano via samba wrote:
> And the original mail said SSSD on client, not on server; even the
> Subject says it. It is just like someone asking about problems using
> Samba AD Kerberos from a Mac; the client on a Mac isn't even based
> on Samba. We SSSDers should probably create a mailing list named
> "SSSD on Samba AD clients" :-P. If anyone comes and asks about winbind
> on clients, they will get a lecture, again :-P
>

I replied:

Sorry Jason, wrong mailing list, we do not produce sssd, so cannot support it, because we know very little about it. I suggest you try the sssd-users mailing list.

If you want to use Samba instead, I am more than willing to help you with this, it is very easy and there is the bonus of being able to share files.

Just where is the lecture in that?

Rowland

On 7/24/20 11:49 AM, Rowland penny via samba wrote:
> I replied:
>
> Sorry Jason, wrong mailing list, we do not produce sssd, so cannot
> support it, because we know very little about it. I suggest you try the
> sssd-users mailing list.
>
> If you want to use Samba instead, I am more than willing to help you
> with this, it is very easy and there is the bonus of being able to share
> files.
>
> Just where is the lecture in that?

Nothing in that, but it is the later responses with: change OS, don't use software that requires an OS, etc., etc. No one says that to people asking about problems with Mac or Windows clients here. I will end my participation in this thread because, as I didn't intend, it will extend more.