samba - Aug 2021 - Replacing SSSD with just WINBIND for NFSv4

On Mon, 2021-08-30 at 13:26 -0400, Luc Lalonde via samba
wrote:
> Hello Foks,
> 
> I would like to remove SSSD from the equation for NFSv4 + AutoFS
> mounts.
> 
> Presently we use SSSD + Winbind
You shouldn't be unless you are using a version of Samba less than
4.8.0
>  for LDAP-KRB5 authentication and AutoFS-NFSv4 for home directories.
> 
> We have 4 NFS servers that split the load for our Linux clients.   We
> use this option in SSSD.CONF to get the users home directory:
> 
> ldap_user_home_directory = unixHomeDirectory
> 
> Here are other options that we use:
> 
> ldap_user_search_base = dc=example,dc=com
> ldap_user_object_class = user
> ldap_user_principal = userPrincipalName
> ldap_schema = rfc2307bis
> ldap_user_fullname = displayName
> ldap_user_name = sAMAccountName
> ldap_group_object_class = group
> 
> Upon account creation, UID and GID are stored in AD, and everything
> works great.  We also do not use DOMAIN\USERNAME logins, just
> USERNAME.
> 
> Is there a way to achieve this with just WINBIND?
Yes


Oh, I think you mean 'how do I do this' :-)

Post your smb.conf and I will talk you through how, but it starts with
removing sssd and realm

I will also need to know what the lowest uidNumber attribute is.

Rowland

Here's one of my DC's 'smb.conf':

[global]
 ??????? workgroup = EXAMPLE
 ??????? realm = example.com
 ??????? netbios name = DC1
 ??????? server role = active directory domain controller
 ??????? idmap_ldb:use rfc2307 = Yes

[netlogon]
 ??????? path = /usr/local/samba/var/locks/sysvol/gigl.polymtl.ca/scripts
 ??????? read only = No

[sysvol]
 ??????? path = /usr/local/samba/var/locks/sysvol
 ??????? read only = No

The other two are Windows 2012R2 DC's

My first UID is 1167, and my last is 32962 as of this morning. My user 
creation/maintenance scripts keep a separate database of UID, GID, 
GECOS, etc.

Thanks!


On 2021-08-30 1:48 p.m., Rowland Penny via samba wrote:
> On Mon, 2021-08-30 at 13:26 -0400, Luc Lalonde via samba wrote:
>> Hello Foks,
>>
>> I would like to remove SSSD from the equation for NFSv4 + AutoFS
>> mounts.
>>
>> Presently we use SSSD + Winbind
> You shouldn't be unless you are using a version of Samba less than
> 4.8.0
>
>>   for LDAP-KRB5 authentication and AutoFS-NFSv4 for home directories.
>>
>> We have 4 NFS servers that split the load for our Linux clients.   We
>> use this option in SSSD.CONF to get the users home directory:
>>
>> ldap_user_home_directory = unixHomeDirectory
>>
>> Here are other options that we use:
>>
>> ldap_user_search_base = dc=example,dc=com
>> ldap_user_object_class = user
>> ldap_user_principal = userPrincipalName
>> ldap_schema = rfc2307bis
>> ldap_user_fullname = displayName
>> ldap_user_name = sAMAccountName
>> ldap_group_object_class = group
>>
>> Upon account creation, UID and GID are stored in AD, and everything
>> works great.  We also do not use DOMAIN\USERNAME logins, just
>> USERNAME.
>>
>> Is there a way to achieve this with just WINBIND?
> Yes
>
>
> Oh, I think you mean 'how do I do this' :-)
>
> Post your smb.conf and I will talk you through how, but it starts with
> removing sssd and realm
>
> I will also need to know what the lowest uidNumber attribute is.
>
> Rowland
>
>
>
-- 
Luc Lalonde, analyste
-----------------------------
D?partement de g?nie informatique:
?cole polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20210830/c9574c96/OpenPGP_signature.sig>