Hello again,

My mounts are working as described in my earlier posts...

However, I get 'permission denied' when I try to access my home directory.

Here's my config file:

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    kerberos method = secrets and keytab

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind enum groups = Yes
    winbind enum users = Yes

    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:unix_nss_info = yes
    idmap config EXAMPLE:range = 1100-999999
    idmap config EXAMPLE:unix_primary_group = yes

    username map = /etc/samba/user.map

I think I'm almost there... Is there something missing with my ID mapping? Do you need to see my /etc/krb5.conf?

Thanks!

On 2021-09-02 10:51 a.m., L.P.H. van Belle via samba wrote:
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Thursday, 2 September 2021 16:40
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4
>>
>> On Thu, 2021-09-02 at 09:53 -0400, Luc Lalonde via samba wrote:
>>> Hello Louis,
>>>
>>> I'm still getting all the info together but I think that you're
>>> right.
>>>
>>> This directive on the client's configuration should make sure that
>>> unixHomeDirectory is properly passed along to AutoFS:
>>>
>>>> idmap config DOMAIN : unix_nss_info
>>> I'm going to do some tests and get back to you!
>>>
>>> Thank you!
>>>
>> I am getting lost here, I thought that autofs, when using NFS, could
>> only mount what the NFS server is exporting and that is fixed i.e. all
>> users will use /path/to/usersdir from the NFS server. This means that
>> you cannot use different paths for different users, or am I missing
>> something ?
>
> If I read it correctly what Luc showed.
>
> Let's say I have as homedir : /usagers1/username
> /usagers1/username  Mounts on fs1.example.com:/&
>
> If I change it to /usagers2/username I move to server2
> /usagers2/username  Mounts on fs2.example.com:/&
>
> I never used automount like that, but if it works, I'll document it.
> So I wait for Luc's success message :-))
>
> Where it often goes wrong is the missing SPNs, then a user can mount his homedir
> The quick/dirty fix is root/SPN, but better is nfs/FQ.DN.TLD (@Realm)
>
>> I can think of one way around this, but it doesn't involve
>> unixhomedirectory or NFS
> Always all ears and open for new ideas :-)
> How would you do this?
>
> Greetz,
>
> Louis

-- 
Luc Lalonde, analyst
-----------------------------
Département de génie informatique: École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
Ok, figured it out... There was something missing in the 'join'. If I did a 'kinit username' and typed in my password, I no longer had permission problems.

This time I did it using my trusty MSKTUTIL:

msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose

Then I did a 'net ads join'... Everything works now ;-)

From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?

Also, with SSSD, I just needed the keytab file. I didn't need to run the 'net ads join'. Is there a way to automate this for multiple machines via a script?

On 2021-09-02 2:06 p.m., Luc Lalonde via samba wrote:
> [...]

-- 
Luc Lalonde, analyst
-----------------------------
Département de génie informatique: École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
Hai Luc,

Great to hear it works now.

Small note.. This,

> msktutil --delegation --dont-expire-password --no-pac --computer-name centos8-test -b "OU=Services" -k /etc/krb5.keytab -h centos8-test.example.com -s nfs/centos8-test.example.com --upn nfs/centos8-test.example.com --verbose

Is not really needed if you just joined and added the SPN.

net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator

This adds the NFS SPN to /etc/krb5.keytab and in AD.
Do note, above, how you did it, isn't wrong also.

> From what I read, I now need WINBINDD, SMBD, and NMBD started? Or can I just have WINBIND?

Depends how you use this server, if it's only for auth, winbind is sufficient, fileshare + start smbd.
You don't need NMBD, unless you want network browsing. None of my servers have NMBD enabled, but I've also got network browsing disabled in the Windows PCs.

Greetz,

Louis

________________________________
From: Luc Lalonde [mailto:Luc.Lalonde at polymtl.ca]
Sent: Thursday, 2 September 2021 22:22
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Replacing SSSD with just WINBIND for NFSv4

[...]