Luc Lalonde
2022-Jan-13 18:30 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
While we wait for RedHat to get their stuff in order wrt Winbind, here's
my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help
someone:
########/etc/krb5.conf ##############
[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
example.com = {
  default_domain = example.com
  kdc=dc1.example.com
  kdc=dc2.example.com
  admin_server=dc1.example.com
}
[domain_realm]
example.com = example.com
.dgi.polymtl.ca = example.com
dgi.polymtl.ca = example.com
.example.com = example.com
[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 10h
  renew_lifetime = 7d
  forwardable = true
  krb4_convert = false
  validate = true
}
####################################
########/etc/sssd/sssd.conf#########
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
debug_level = 9
[nss]
filter_groups = root
filter_users = root
[pam]
[sudo]
[autofs]
[ssh]
[domain/example.com]
ldap_referrals = false
enumerate = false
cache_credentials = true
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_default_authtok_type = password
ldap_sasl_mech = GSSAPI
ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
auth_provider = krb5
chpass_provider = krb5
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
krb5_auth_timeout = 15
krb5_canonicalize = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 15
cache_credentials = True
####################################
On 1/13/22 13:05, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working on it
> 2. We'll continue to support you if you choose this configuration
> 3. We're not ready to offer a working supported alternative yet, again,
>    we're working on it
>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>
> Perhaps I'm missing something, but the latest Redhat documentation
> continues to push SSSD + Winbind as the way to go:
>
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel
>
>
> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
> we're not quite there yet!
>
> On 1/13/22 10:47, Rowland Penny via samba wrote:
>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>> Hello Rowland,
>>>
>>> I've read the article mentioned below... and I don't see how it
>>> could be interpreted as a 'non-recommendation'.
>> Did you miss this under 'Support status':
>>
>> [quote]
>> Therefore Red Hat currently does not recommend using the idmap_sss
>> module for Samba file server enrolled into an IdM or AD domain.
>> [/quote]
>>
>> They only provide limited support if you use sssd with Samba and only
>> then if it is an existing setup.
>>
>> I cannot see any other definition of 'does not recommend' other than
>> 'do not use it'
>>
>> Rowland
>>
>>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
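Added example, not code from the post or from the Samba/SSSD projects: a small Python checker that parses a krb5.conf / sssd.conf pair like the one above, cross-checks the realm's kdc list against krb5_server, and flags the two settings in this configuration that weaken transport security (allow_weak_crypto = true and ldap_tls_reqcert = never). The embedded configs are constructed, condensed copies of the posted ones.

```python
# Constructed samples, condensed from the krb5.conf / sssd.conf pair in the post.
KRB5_CONF = """[libdefaults]
allow_weak_crypto = true
[realms]
example.com = {
  kdc=dc1.example.com
  kdc=dc2.example.com
}
"""
SSSD_CONF = """[sssd]
domains = example.com
[domain/example.com]
ldap_tls_reqcert = never
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
"""
def parse_conf(text):
    # [section], key = value and krb5-style name = { ... } blocks; each key maps to a list.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, block = line.strip("[]"), None
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(val.strip())
    return conf
def audit(krb5_text, sssd_text):
    # Returns findings (kdc list mismatch, weak settings); an empty list is clean.
    krb5, sssd, findings = parse_conf(krb5_text), parse_conf(sssd_text), []
    if krb5.get("libdefaults", {}).get("allow_weak_crypto", [""])[0].lower() == "true":
        findings.append("krb5.conf: allow_weak_crypto=true re-enables deprecated enctypes")
    for dom in (n.strip() for n in sssd["sssd"]["domains"][0].split(",")):
        d = sssd["domain/" + dom]
        kdcs = krb5["realms"].get(d.get("krb5_realm", [""])[0], {}).get("kdc", [])
        servers = [s.strip() for s in d.get("krb5_server", [""])[0].split(",") if s.strip()]
        if sorted(kdcs) != sorted(servers):
            findings.append(f"{dom}: krb5_server {servers} != krb5.conf kdc {kdcs}")
        if d.get("ldap_tls_reqcert", [""])[0].lower() == "never":
            findings.append(f"{dom}: ldap_tls_reqcert=never skips LDAP certificate validation")
    return findings
```

Run it against the real files by passing their contents to audit(); a hardened pair (allow_weak_crypto = false, ldap_tls_reqcert = demand) returns no findings.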
Luc Lalonde
2022-Jan-13 18:53 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Also forgot to mention, for this configuration to work, your client
needs to be joined to the domain (net ads join...) :
########/etc/samba/smb.conf ###
[global]
  workgroup = Example
  realm = example.com
  netbios name = clientname
  security = ADS
  password server = dc1.example.com, dc2.example.com
  client signing = yes
  client use spnego = yes
  kerberos method = secrets and keytab
  log file = /var/log/samba/%m.log
  dedicated keytab file = /etc/krb5.keytab
##############################
########/etc/idmapd.conf ###
[General]
Domain = GIGL.POLYMTL.CA
[Mapping]
Nobody-User = rpcuser
Nobody-Group = rpcuser
##############################
This will give you a 'supported' single-domain configuration by Redhat
(https://access.redhat.com/articles/4355391). In the 'There are a few
exceptions though':
* In cases where Red Hat Enterprise Linux 7.x or 8.0 is used and where
Samba/Winbind has already been configured to use the |idmap_sss|
module and where the setup works as expected, Red Hat would still
provide support for a single domain (e.g, Samba file server machine
is enrolled in AD.COM and all users who want to access the Samba
share are managed in this domain).
* In a later release, Red Hat will also provide support for Samba file
server on directly enrolled Active Directory member systems.
They're really, really not ready yet ;-) That document was updated on
June 1st, 2021.
If you want to use only Winbind, use Debian... That's my conclusion
unfortunately!