Luc Lalonde
2022-Jan-13 18:30 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
While we wait for RedHat to get their stuff in order wrt Winbind, here's my '/etc/krb5.conf' and '/etc/sssd/sssd.conf' if it can help someone:

########/etc/krb5.conf ##############

[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
example.com = {
  default_domain = example.com
  kdc=dc1.example.com
  kdc=dc2.example.com
  admin_server=dc1.example.com
}

[domain_realm]
example.com = example.com
.dgi.polymtl.ca = example.com
dgi.polymtl.ca = example.com
.example.com = example.com

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 10h
  renew_lifetime = 7d
  forwardable = true
  krb4_convert = false
  validate = true
}
####################################

########/etc/sssd/sssd.conf#########

[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
debug_level = 9

[nss]
filter_groups = root
filter_users = root

[pam]

[sudo]

[autofs]

[ssh]

[domain/example.com]
ldap_referrals = false
enumerate = false
cache_credentials = true

id_provider = ldap
access_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_default_authtok_type = password
ldap_sasl_mech = GSSAPI

ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_group_object_class = group

ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

auth_provider = krb5
chpass_provider = krb5
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
krb5_auth_timeout = 15
krb5_canonicalize = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 15

cache_credentials = True
####################################

On 1/13/22 13:05, Luc Lalonde via samba wrote:
> No I read that!
>
> To me it says:
>
> 1. We know that there are issues with using SSSD and we're working on it
> 2. We'll continue to support you if you choose this configuration
> 3. We're not ready to offer a working supported alternative yet, again,
>    we're working on it
>
> In my experience, RHEL7 works well with standalone Winbind.
>
> Unfortunately, I can't get it to work properly on RHEL8 without SSSD.
>
> Perhaps I'm missing something, but the latest Redhat documentation
> continues to push SSSD + Winbind as the way to go:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-a-rhel-host-to-use-ad-as-an-authentication-provider_configuring-authentication-and-authorization-in-rhel
>
> I would love to dump SSSD on my RedHat/CentOS/Fedora systems... but
> we're not quite there yet!
>
> On 1/13/22 10:47, Rowland Penny via samba wrote:
>> On Thu, 2022-01-13 at 10:22 -0500, Luc Lalonde via samba wrote:
>>> Hello Rowland,
>>>
>>> I've read the article mentioned below... and I don't see how it
>>> could be interpreted as a 'non-recommendation'.
>> Did you miss this under 'Support status':
>>
>> [quote]
>> Therefore Red Hat currently does not recommend using the idmap_sss
>> module for Samba file server enrolled into an IdM or AD domain.
>> [/quote]
>>
>> They only provide limited support if you use sssd with Samba and only
>> then if it is an existing setup.
>>
>> I cannot see any other definition of 'does not recommend' other than
>> 'do not use it'
>>
>> Rowland
>>

-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
Luc Lalonde
2022-Jan-13 18:53 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Also forgot to mention, for this configuration to work, your client needs to be joined to the domain (net ads join...):

########/etc/samba/smb.conf ###
[global]
  workgroup = Example
  realm = example.com
  netbios name = clientname
  security = ADS
  password server = dc1.example.com, dc2.example.com
  client signing = yes
  client use spnego = yes
  kerberos method = secrets and keytab
  log file = /var/log/samba/%m.log
  dedicated keytab file = /etc/krb5.keytab
##############################

########/etc/idmapd.conf ###
[General]
Domain = GIGL.POLYMTL.CA

[Mapping]
Nobody-User = rpcuser
Nobody-Group = rpcuser
##############################

This will give you a 'supported' single-domain configuration by Redhat (https://access.redhat.com/articles/4355391). In the 'There are a few exceptions though':

* In cases where Red Hat Enterprise Linux 7.x or 8.0 is used and where Samba/Winbind has already been configured to use the idmap_sss module and where the setup works as expected, Red Hat would still provide support for a single domain (e.g, Samba file server machine is enrolled in AD.COM and all users who want to access the Samba share are managed in this domain).

* In a later release, Red Hat will also provide support for Samba file server on directly enrolled Active Directory member systems.

They're really, really not ready yet ;-)  That document was updated on June 1st, 2021.

If you want to use only Winbind, use Debian... That's my conclusion unfortunately!
On 1/13/22 13:30, Luc Lalonde via samba wrote:
> [quoted text of the 18:30 UTC message above, omitted]

-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
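The two posts above quote full krb5.conf, sssd.conf and smb.conf fragments, and a few of the settings in them (allow_weak_crypto = true, ldap_tls_reqcert = never, plain ldap:// URIs) are the ones a reviewer would want flagged before such a config is copied onto a domain member. The script below is an added example, not code from the thread, from SSSD, MIT Kerberos or Samba: parse_conf, _values, audit and the severity labels are this example's own design, and the three sample configs are constructed from the values quoted in the thread, with the list of checks deliberately limited to settings those fragments actually contain.

```python
"""Audit krb5.conf / sssd.conf / smb.conf fragments for settings that weaken
Kerberos or LDAP security. Added example: the parser and the checks are this
script's own, not part of SSSD, MIT Kerberos or Samba."""
from typing import Any, Dict, List, Tuple

Section = Dict[str, Any]


def parse_conf(text: str) -> Dict[str, Section]:
    """Parse [section] / key = value text. Also handles the nested
    `name = { ... }` blocks krb5.conf uses under [realms] and [appdefaults];
    sssd.conf and smb.conf contain no braces and parse as plain INI.
    A key repeated inside one block (e.g. two `kdc=` lines) becomes a list."""
    conf: Dict[str, Section] = {}
    current: Section = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip(), {})
            stack = []
            continue
        if line == "}":  # end of a nested krb5.conf block
            current = stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a nested krb5.conf block
            stack.append(current)
            current = current.setdefault(key, {})
            continue
        if key in current:
            old = current[key]
            current[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            current[key] = value
    return conf


def _values(section: Section, key: str) -> List[str]:
    """Return a key's values as a list, splitting comma-separated entries."""
    raw = section.get(key, "")
    items = raw if isinstance(raw, list) else [raw]
    return [p.strip() for item in items for p in item.split(",") if p.strip()]


def audit(krb5: Dict[str, Section], sssd: Dict[str, Section],
          smb: Dict[str, Section]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the settings seen in the thread."""
    findings: List[Tuple[str, str]] = []
    lib = krb5.get("libdefaults", {})
    if str(lib.get("allow_weak_crypto", "false")).lower() == "true":
        findings.append(("high", "krb5.conf [libdefaults]: allow_weak_crypto = true "
                                 "re-enables weak Kerberos enctypes; drop it unless a "
                                 "legacy service still needs them"))
    for name, section in sssd.items():
        if not name.startswith("domain/"):
            continue
        if str(section.get("ldap_tls_reqcert", "hard")).lower() == "never":
            findings.append(("high", f"sssd.conf [{name}]: ldap_tls_reqcert = never "
                                     "skips LDAP server certificate verification"))
        plain = [u for u in _values(section, "ldap_uri") if u.startswith("ldap://")]
        if plain:
            mech = str(section.get("ldap_sasl_mech", "")).upper()
            # SASL GSSAPI can negotiate its own integrity/confidentiality layer,
            # so plain ldap:// with GSSAPI is a note; without it, a finding.
            sev = "info" if mech == "GSSAPI" else "high"
            findings.append((sev, f"sssd.conf [{name}]: plain ldap:// URIs {plain}; "
                                  f"SASL mech is {mech or 'none'}"))
    glob = smb.get("global", {})
    if str(glob.get("client signing", "")).lower() in ("no", "disabled", "false"):
        findings.append(("high", "smb.conf [global]: SMB client signing is disabled"))
    return findings


# Constructed samples, trimmed from the values quoted in the thread.
KRB5_SAMPLE = """
[libdefaults]
default_realm = example.com
forwardable = true
allow_weak_crypto = true

[realms]
example.com = {
  default_domain = example.com
  kdc=dc1.example.com
  kdc=dc2.example.com
}

[appdefaults]
pam = {
  validate = true
}
"""
SSSD_SAMPLE = """
[sssd]
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_tls_reqcert = never
ldap_sasl_mech = GSSAPI
auth_provider = krb5
"""
SMB_SAMPLE = """
[global]
  security = ADS
  client signing = yes
  kerberos method = secrets and keytab
"""


def run_example() -> List[Tuple[str, str]]:
    return audit(parse_conf(KRB5_SAMPLE), parse_conf(SSSD_SAMPLE), parse_conf(SMB_SAMPLE))


if __name__ == "__main__":
    for sev, msg in run_example():
        print(f"[{sev}] {msg}")
```

Run against the thread's values it reports two high findings (allow_weak_crypto and ldap_tls_reqcert = never) and one informational note for the ldap:// URIs, while the smb.conf fragment passes because client signing is on; the [appdefaults] pam block's validate = true is a good setting the parser exposes for any further check you add.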