[Samba] kerberos nfs4's principals and root access
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 9 07:13:48 UTC 2015
Hai,
I had it the other way around. Only root access.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
If you can read the bash script maybe you see something you missed.
When I write as "root" it's root and not the machine account who owns the file.
How is your exports file on the server configured?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 8:59
> To: samba at lists.samba.org
> Subject: [Samba] kerberos nfs4's principals and root access
>
> Hello samba team !
>
> I have some NFS4 exports managed by a Samba's Kerberos realm. All the
> standard user accesses work fine.
>
> I am now trying to set up NFS4 root access to administer the share from
> another server (the two hosts are DCs, one PDC and one SDC). But I have
> trouble understanding the kerberos/principals layer.
>
> ------------
> Actually I do
> -------------
>
> -> on the server I create an nfs principal and export it to the keytab
> $ samba-tool user add nfs-myserver --random-password
> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
> /etc/krb5.keytab
>
> -> on the client I use the machine keytab.
> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>
> With this setup all my domain users can write to the share. But when I
> try with the root account it uses the machine keytab (that's normal,
> root is not a domain user but he has access to the keytab) :
>
> -> on the client as root
> $ touch /myshare/testfile
>
> -> on the server
> $ ls -al /srv/nfs4/myshare/testfile
> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers ....
> /nfs4/myshare/tesfile
>
> But I need root access !
>
> ----------
> I have tried with a root/myclient service principal name
> ----------
>
> -> on the client I create a root/myclient SPN and export it to the keytab
> $ samba-tool user add root-myclient --random-password
> $ samba-tool spn add root/myclient.samdom.com root-myclient
> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com
> /etc/krb5.keytab
>
> But nothing changes when I access the share. I tried to kinit this
> principal but it fails. However kinit with the machine principal works.
>
> $ kinit -k root/myclient.samdom.com
> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> kerberos database while getting initial credentials
>
> $ kinit -k MYCLIENT$
> ok
>
> ---------
> I tried creating a samba root user.
> ---------
>
> -> on the client I create a root user and export it to the keytab
> $ samba-tool user add root
> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>
> Same problem but here "kinit -k root" works.
>
> $ kinit -k root
> ok
>
>
> ------
> I tried to kinit another samba user
> ------
>
> -> on the client I kinit a valid user and write to the share
>
> $ kinit validuser
> $ touch /myshare/testfile2
>
> Here the nfs4 connection is not made with the validuser's principal.
> Always with the machine's principal.
>
>
> -------
> So
> -------
>
> I don't understand why I can "kinit root" but not "kinit
> root/myclient.samdom.com". What's the difference between these
> principals ?
>
> I don't understand how the nfs4 client chooses the principal used to
> make the connection to the nfs4 share. Why can the root user only use
> the machine's principal ?
>
> I don't know if the problem comes from the creation of kerberos
> principals or from the nfs4 client not choosing the correct
> principal...
>
> Can someone give me some tips ?
>
> Thanks !
>
> Baptiste.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
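As an added illustration of the question above (this is not Louis's script and not code from the original post), a small POSIX shell check of which principal in the client keytab rpc.gssd would pick as root's "machine credential". The candidate order is an assumption based on my reading of nfs-utils rpc.gssd(8) (HOST$, then root/, nfs/ and host/ for the client's FQDN); the `klist -k` listing is constructed to match the thread's client.

```sh
#!/bin/sh
# Added example: which keytab principal does rpc.gssd use for uid 0 (root)?
# ASSUMPTION: candidate order as recalled from nfs-utils rpc.gssd(8):
#   HOST$@REALM, root/fqdn@REALM, nfs/fqdn@REALM, host/fqdn@REALM.
# With that order a MYCLIENT$ entry is chosen even if root/myclient.* is
# also in the keytab, which matches what the thread observed.
# Input on stdin: text in the format printed by `klist -k /etc/krb5.keytab`.

# Usage: root_machine_principal SHORTHOST FQDN REALM < klist-output
root_machine_principal() {
    shorthost=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fqdn=$2
    realm=$3
    # klist -k prints three header lines; column 2 of each entry is the principal.
    principals=$(awk 'NR > 3 { print $2 }')
    for cand in "${shorthost}\$@${realm}" "root/${fqdn}@${realm}" \
                "nfs/${fqdn}@${realm}" "host/${fqdn}@${realm}"; do
        for p in $principals; do
            if [ "$p" = "$cand" ]; then
                printf '%s\n' "$p"
                return 0
            fi
        done
    done
    # No usable machine credential: root would get no Kerberos context.
    return 1
}

# Constructed sample of `klist -k` output for the client in the thread,
# after both the machine principal and the root/ SPN were exported.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MYCLIENT$@SAMDOM.COM
   1 root/myclient.samdom.com@SAMDOM.COM
EOF
}

# Stand-alone run: report the principal root would be mapped to.
sample_keytab | root_machine_principal myclient myclient.samdom.com SAMDOM.COM
```

Run it against the real file with `klist -k /etc/krb5.keytab | root_machine_principal "$(hostname -s)" "$(hostname -f)" REALM` to see which entry wins on your client.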