Hello Folks,

I would like to remove SSSD from the equation for NFSv4 + AutoFS mounts.

Presently we use SSSD + Winbind for LDAP-KRB5 authentication and AutoFS-NFSv4 for home directories.

We have 4 NFS servers that split the load for our Linux clients. We use this option in SSSD.CONF to get the users' home directory:

ldap_user_home_directory = unixHomeDirectory

Here are other options that we use:

ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_group_object_class = group

Upon account creation, UID and GID are stored in AD, and everything works great. We also do not use DOMAIN\USERNAME logins, just USERNAME.

Is there a way to achieve this with just WINBIND?

Thank You!

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
On Mon, 2021-08-30 at 13:26 -0400, Luc Lalonde via samba wrote:
> Hello Folks,
>
> I would like to remove SSSD from the equation for NFSv4 + AutoFS
> mounts.
>
> Presently we use SSSD + Winbind

You shouldn't be, unless you are using a version of Samba less than 4.8.0

> for LDAP-KRB5 authentication and AutoFS-NFSv4 for home directories.
>
> We have 4 NFS servers that split the load for our Linux clients. We
> use this option in SSSD.CONF to get the users' home directory:
>
> ldap_user_home_directory = unixHomeDirectory
>
> Here are other options that we use:
>
> ldap_user_search_base = dc=example,dc=com
> ldap_user_object_class = user
> ldap_user_principal = userPrincipalName
> ldap_schema = rfc2307bis
> ldap_user_fullname = displayName
> ldap_user_name = sAMAccountName
> ldap_group_object_class = group
>
> Upon account creation, UID and GID are stored in AD, and everything
> works great. We also do not use DOMAIN\USERNAME logins, just
> USERNAME.
>
> Is there a way to achieve this with just WINBIND?

Yes

Oh, I think you mean 'how do I do this' :-)

Post your smb.conf and I will talk you through how, but it starts with removing sssd and realm.

I will also need to know what the lowest uidNumber attribute is.

Rowland
I can show you my config for automounted homedirs with kerberised NFSv4.

I saw the AD-DC smb.conf in the other post.
Great, you use unix id's.

So my setup: set up any "MEMBER" as you would do normally with RFC2307.

Make sure you have this in smb.conf:

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

# renew the kerberos ticket
winbind refresh tickets = yes

# Gives username and not DOM\username
winbind use default domain = yes

I've added nfs/name.internal.dom.tld to the keytab file with net ads
(you might want to add cifs/ also to it, can be handy)

In the list "samba4 kerberized nfs4 with sssd ad client"
https://lists.samba.org/archive/samba/2020-July/231149.html

That's how I run it with a systemd automounter,
with winbind of course.

If you use it on an AD-DC, I suggest you read this and use the parts you need.
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
This is what it's all about.
Recommended: Make a custom auth_to_local mapping in your krb5.conf.
Integrate the following into your configuration krb5.conf

[realms]
SAMDOM.EXAMPLE.COM = {
auth_to_local = RULE:[1:SAMDOM\$1]
}

But read the page before you implement it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luc
> Lalonde via samba
> Sent: Monday 30 August 2021 19:27
> To: samba at lists.samba.org
> Subject: [Samba] Replacing SSSD with just WINBIND for NFSv4
>
> Hello Folks,
>
> I would like to remove SSSD from the equation for NFSv4 +
> AutoFS mounts.
>
> [...]
>
> Is there a way to achieve this with just WINBIND?
>
> Thank You!
>
> --
> Luc Lalonde, analyste
Hey Louis,

Again, thanks for your message!

Could you please show me how you resolve different automount directories for users without SSSD?

Presently, I use this line with SSSD:

ldap_user_home_directory = unixHomeDirectory

This value is stored in ActiveDirectory and is not the same for all users.

AutoFS maps the user's home directory accordingly (auto.master, auto.home[1-4]):

### /etc/auto.master ##############
/usagers1          /etc/auto.home1 --timeout=60
/usagers2          /etc/auto.home2 --timeout=60
/usagers3          /etc/auto.home3 --timeout=60
/usagers4          /etc/auto.home4 --timeout=60
############################

### /etc/auto.home1 ###################
*    -fstype=nfs4,rw,sec=krb5      fs1.example.com:/&
################################

### /etc/auto.home2 ##################
*    -fstype=nfs4,rw,sec=krb5      fs2.example.com:/&
################################

### /etc/auto.home3 ##################
*    -fstype=nfs4,rw,sec=krb5      fs3.example.com:/&
################################

### /etc/auto.home4 ##################
*    -fstype=nfs4,rw,sec=krb5      fs4.example.com:/&
################################

Thank You!

On 2021-08-31 4:47 a.m., L.P.H. van Belle via samba wrote:
> I can show you my config for automounted homedirs with kerberised NFSv4.
>
> I saw the AD-DC smb.conf in the other post.
> Great, you use unix id's.
>
> So my setup: set up any "MEMBER" as you would do normally with RFC2307.
>
> [...]
>
> Greetz,
>
> Louis

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
Hi Luc,

Let me start with 2 things.
1) I never used SSSD
2) I only have 1 server for all home directories here. But it also uses unixHomeDirectory

So that said.

On below, that's a good one. The different homedirs are not the problem; I'm wondering how I would point user homedirs to another server.
And so far I can't think of one for my current setup.
In my setup there is only 1 server holding all homedirs.

But I'm also thinking, why should this not work without sssd?
unixHomeDirectory still is unixHomeDirectory.

When samba/winbind is set up, run:

id username
getent passwd username

Is the output correct? Then below should work in my opinion.

Now, if your "users" can't trigger the mount, then you're most probably missing SPN nfs/ or root/.

What's the OS running this?
You already tried something and hit errors? Then show me the errors.

So far,

Greetz,

Louis

> -----Original message-----
> From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
> Sent: Wednesday 1 September 2021 16:48
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>
> Hey Louis,
>
> Again, thanks for your message!
>
> Could you please show me how you resolve different automount
> directories for users without SSSD?
>
> Presently, I use this line with SSSD:
>
> ldap_user_home_directory = unixHomeDirectory
>
> This value is stored in ActiveDirectory and is not the same
> for all users.
>
> AutoFS maps the user's home directory accordingly (auto.master,
> auto.home[1-4]):
>
> [...]
>
> Thank You!
>
> --
> Luc Lalonde, analyste
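Luc's question is really two checks: does winbind hand back the per-user unixHomeDirectory, and does auto.master route that path to the right server with sec=krb5; Louis's answer adds a third, whether the nfs/ SPN is in the keytab. The following POSIX shell script is an added example, not code from this thread, from the list, or from Samba, that performs those three checks on constructed data modelled on the maps Luc posted (/usagers1..4, fs1..4.example.com). The function names, the passwd line, the klist -k listing and the variant of auto.home4 with sec=krb5 dropped are all assumptions introduced here to exercise the checks; the "live:" comments show the real command to substitute on a client.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): pre-flight checks for a
# winbind-only client automounting Kerberised NFSv4 home directories.
# All data below is CONSTRUCTED; "live:" comments give the real command.
set -u

# Constructed /etc/auto.master with the thread's four-way split.
# live: AUTO_MASTER=$(grep -v '^#' /etc/auto.master)
AUTO_MASTER='/usagers1 /etc/auto.home1 --timeout=60
/usagers2 /etc/auto.home2 --timeout=60
/usagers3 /etc/auto.home3 --timeout=60
/usagers4 /etc/auto.home4 --timeout=60'

# Constructed contents of each /etc/auto.homeN. auto.home4 deliberately has
# sec=krb5 removed (unlike the thread's real map) so the check has something
# to catch: without it the mount silently falls back to AUTH_SYS.
# live: map_contents() { grep -v '^#' "$1"; }
map_contents() {
    case "$1" in
        /etc/auto.home1) echo '* -fstype=nfs4,rw,sec=krb5 fs1.example.com:/&' ;;
        /etc/auto.home2) echo '* -fstype=nfs4,rw,sec=krb5 fs2.example.com:/&' ;;
        /etc/auto.home3) echo '* -fstype=nfs4,rw,sec=krb5 fs3.example.com:/&' ;;
        /etc/auto.home4) echo '* -fstype=nfs4,rw fs4.example.com:/&' ;;
        *) return 1 ;;
    esac
}

# Constructed 'klist -k /etc/krb5.keytab' output for a member joined with
# net ads that then had nfs/ added, as Louis describes.
# live: KEYTAB_LISTING=$(klist -k /etc/krb5.keytab)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fs1.example.com@EXAMPLE.COM
   2 host/FS1@EXAMPLE.COM
   2 nfs/fs1.example.com@EXAMPLE.COM
   2 FS1$@EXAMPLE.COM'

# Constructed 'getent passwd luc' line as winbind returns it with
# "winbind use default domain = yes" and unixHomeDirectory = /usagers2/luc.
# live: PASSWD_LINE=$(getent passwd "$1")
PASSWD_LINE='luc:*:10001:10000:Luc Lalonde:/usagers2/luc:/bin/bash'

# Field 6 of a passwd line: the home directory winbind took from AD.
passwd_home() { printf '%s\n' "$1" | cut -d: -f6; }

# Map file that auto.master assigns to an autofs mount point (e.g. /usagers2).
master_map_for() {
    printf '%s\n' "$AUTO_MASTER" | awk -v mp="$1" '$1 == mp { print $2; exit }'
}

# Wildcard ("* ...") entry autofs would apply to a home directory; fails when
# no auto.master entry covers its parent directory.
home_map_entry() {
    mapname=$(master_map_for "${1%/*}")
    [ -n "$mapname" ] || return 1
    map_contents "$mapname" | awk '$1 == "*" { print; exit }'
}

# NFS source autofs would mount: the entry's third field with '&' replaced by
# the key (last path component), which is exactly the autofs expansion rule.
home_mount_source() {
    key="${1##*/}"
    entry=$(home_map_entry "$1") || return 1
    printf '%s\n' "$entry" | awk -v key="$key" '{ src = $3; gsub(/&/, key, src); print src }'
}

# Succeeds only if the entry pins the mount to a Kerberos flavour
# (sec=krb5, krb5i or krb5p); anything else may fall back to AUTH_SYS.
home_requires_krb5() {
    entry=$(home_map_entry "$1") || return 1
    opts=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    case ",$opts," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the keytab listing contains <service>/<fqdn>@<REALM>.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2/$3@" 'index($2, spn) == 1 { found = 1 } END { exit !found }'
}

run_checks() {
    home=$(passwd_home "$1")
    src=$(home_mount_source "$home") || { echo "FAIL: no autofs map covers $home"; return 1; }
    if home_requires_krb5 "$home"; then
        echo "OK: $home -> $src (Kerberos)"
    else
        echo "FAIL: $home -> $src would mount without sec=krb5"; return 1
    fi
    if keytab_has_spn "$KEYTAB_LISTING" nfs fs1.example.com; then
        echo "OK: nfs/ SPN present in keytab"
    else
        echo "FAIL: nfs/ SPN missing from keytab (add it with net ads, as Louis describes)"; return 1
    fi
}

run_checks "$PASSWD_LINE"
```

Run with the live commands substituted, the script tells you in one pass whether the home directory winbind resolved has a map, which server it lands on, whether that mount is forced to Kerberos, and whether the keytab can back an nfs/ GSS context; a FAIL on the last line is the "missing SPN nfs/" case Louis points at.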