[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Tue Aug 2 06:11:10 UTC 2016


Hai, 

Here you go..

But all my settings are scripted.
https://github.com/thctlo/samba4
found here. 

Read the script : samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)

It's tested and works on Debian Jessie.
It contains the NFS server settings and client settings.

Greetz, 

Louis



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> Sent: Monday 1 August 2016 17:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
> 
> Hi,
> 
>      Sorry for this necrobump... But I still can't use my local root
> user to browse the content of my NFSv4/Krb5 share... (the 'others' permissions
> are checked when root uses this share)
> 
>      So a lot of questions appeared during my tests :
> 
>      - Must I have the same idmap.conf on both client and server?
>      - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
> placed before it in the 'Method' and 'GSS-Methods' lists?
>      - Must the root user use kinit before exploring?
> 
>      And the most important question: has anybody succeeded in
> accessing (with real root behaviour!!) an nfsv4/krb5 share in a
> Samba4/Krb5/NFSv4 setup?
> 
>      Thanks in advance,
>      Best regards,
>      Bruno
> 
> PS: I sent a mail this morning about access to this share from a local
> user (www-data), but I think that granting access to root may be a good
> starting point!!
> 
> On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
> > Hai Batiste,
> >
> > Ok, thanks for these, I'll test that also.
> >
> > And the "why" is a bit more explained here.
> >
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> > and for example,
> >
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
> >
> > First my work here, but this is a good one which I also need to adjust
> in my scripts, so thank you for asking this on the samba list ;-)
> >
> > Gr,
> >
> > Louis
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >> Sent: Friday 9 October 2015 14:11
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] kerberos nfs4's principals and root access
> >>
> >> Thanks Louis  ! Very interesting !
> >>
> >> Maybe the simplest method is to set a static translation.
> >>
> >> 1) Enabling the no_root_squash option in /etc/exports
> >>
> >> 2) Set the translation in /etc/idmapd.conf
> >>
> >> ------------------------
> >> /etc/idmap.conf
> >> ------------------------
> >>
> >> ...
> >> [Translation]
> >>
> >> Method = static,nsswitch
> >>
> >> [Static]
> >>
> >> MYCLIENT$@SAMDOM.COM = root
> >>
> >> ------------------------
> >>
> >> But I don't understand why, with samba, we can't authenticate as
> >> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
> >> seems that it is because we can't kinit them. But I don't understand
> >> why...
> >>
> >> Thanks again !
> >>
> >> Baptiste.
> >>
> >>
> >> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >>> Ok, now it's clear to me.
> >>>
> >>> We need to set UMICH_SCHEMA in idmap.conf
> >>> Read : http://linux.die.net/man/5/idmapd.conf
> >>>
> >>> Working on it now.
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> >>>> Sent: Friday 9 October 2015 13:34
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> >>>>
> >>>> Ok, not working...
> >>>>
> >>>> But found this...
> >>>>
> >>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
> >>>>
> >>>> 4.5 A known issue using NFS with kerberos
> >>>> _________________________________________
> >>>>
> >>>> Even if "no_root_squash" option is used, while exporting a filesystem at
> >>>> the server, root on the client gets a "Permission denied" error when
> >>>> creating files on the mount point.
> >>>>
> >>>> This is because there is no proper mapping between root and the
> >>>> GSSAuthName.
> >>>>
> >>>> Note: Trying to set 777 permission is not correct as it is not secure.
> >>>> Also, any file created on the mountpoint will have "nobody" as owner.
> >>>>
> >>>> There is a work around for this if both NFS server and client use
> >>>> umich_ldap methods to authenticate. If the idmapd on both server and
> >>>> client is configured to use umich_ldap modules then having GSSAuthName
> >>>> (<nfs/hostname at realm>) parameter map to root user, on the ldap server
> >>>> will solve this problem.
> >>>>
> >>>>
> >>>> Still reading, but should be solvable..
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> >>>>> Sent: Friday 9 October 2015 13:17
> >>>>> To: samba at lists.samba.org
> >>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> >>>>>
> >>>>> Hai Baptiste,
> >>>>>
> >>>>> I re-checked my setup and you're totally correct.
> >>>>> I cannot enter the nfsV4 mounted directory as root.
> >>>>>
> >>>>> What I've added in idmap.conf
> >>>>> is this:
> >>>>> Domain = your_DNS_domain.tld
> >>>>>
> >>>>> [Translation]
> >>>>>
> >>>>> Method = nsswitch
> >>>>>
> >>>>> And i found this link.
> >>>>>
> >>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
> >>>>>
> >>>>> I'm testing this now.
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >>>>>> Sent: Friday 9 October 2015 11:34
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> >>>>>>
> >>>>>> Thank you very much Louis!
> >>>>>>
> >>>>>> I have tried your setup and I can't mount the share either from the
> >>>>>> server itself or from the client.
> >>>>>>
> >>>>>> On /var/log/syslog I have :
> >>>>>>
> >>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
> >>>>>> This is because the machine principal is not present in the keytab:
> >>>>>> $ klist -k
> >>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> >>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> >>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> >>>>>>
> >>>>>> If I add the machine principal, I can mount the share but the root user
> >>>>>> writes as "machine", not as "root".
> >>>>>>
> >>>>>> Can you check your setup ? Do you have your machine credential in
> >>>>>> /etc/krb5.keytab ? (with klist -k)
> >>>>>>
> >>>>>> Do you do something related with kerberos when you login as root ?
> >>>>>>
> >>>>>> Do you have additional options in "/etc/idmap.conf" ?
> >>>>>>
> >>>>>> Can you give me the result of :
> >>>>>>
> >>>>>> $klist
> >>>>>> $klist -k
> >>>>>>
> >>>>>> When you are logged as root ?
> >>>>>>
> >>>>>> Thank you again!
> >>>>>>
> >>>>>> Baptiste.
> >>>>>>
> >>>>>>
> >>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >>>>>>> Hai,
> >>>>>>>
> >>>>>>> I had it the other way around. Only root access.
> >>>>>>>
> >>>>>>> I have scripted my setup and tested on debian.
> >>>>>>> Look here
> >>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> >>>>>>>
> >>>>>>> If you get the file setup-nfsv4-kerberos.sh and compare it to your
> >>>>>>> setup, and if you can read the bash script, maybe you'll see something
> >>>>>>> you missed.
> >>>>>>> When I write as "root" it's root and not the machine account who owns
> >>>>>>> the file.
> >>>>>>>
> >>>>>>> How is your exports file on the server configured?
> >>>>>>>
> >>>>>>> Greetz,
> >>>>>>>
> >>>>>>> Louis
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >>>>>>>> Sent: Friday 9 October 2015 8:59
> >>>>>>>> To: samba at lists.samba.org
> >>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
> >>>>>>>>
> >>>>>>>> Hello samba team !
> >>>>>>>>
> >>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> >>>>>>>> standard user accesses work fine.
> >>>>>>>>
> >>>>>>>> I am now trying to set up NFS4 root access to administer the share from
> >>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
> >>>>>>>> trouble understanding the kerberos/principals layer.
> >>>>>>>>
> >>>>>>>> ------------
> >>>>>>>> Actually I do
> >>>>>>>> -------------
> >>>>>>>>
> >>>>>>>> -> on the server I create an nfs principal and export it to the keytab
> >>>>>>>> $ samba-tool user add nfs-myserver --random-password
> >>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> >>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> >>>>>>>>
> >>>>>>>> -> on the client I use the machine keytab.
> >>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> >>>>>>>> With this setup all my domain users can write to the share. But when I
> >>>>>>>> try with the root account it uses the machine keytab (that's normal,
> >>>>>>>> root is not a domain user but it has access to the keytab):
> >>>>>>>>
> >>>>>>>> -> on the client as root
> >>>>>>>> $ touch /myshare/testfile
> >>>>>>>>
> >>>>>>>> -> on the server
> >>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
> >>>>>>>> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
> >>>>>>>>
> >>>>>>>> But I need root access !
> >>>>>>>>
> >>>>>>>> ----------
> >>>>>>>> I have tried with a root/myclient service principal name
> >>>>>>>> ----------
> >>>>>>>>
> >>>>>>>> -> on the client I create a root/myclient spn and export to keytab
> >>>>>>>> $ samba-tool user add root-myclient --random-password
> >>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
> >>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> >>>>>>>>
> >>>>>>>> But nothing changes when I access the share. I tried to kinit this
> >>>>>>>> principal but it fails. However kinit with the machine principal works.
> >>>>>>>> $ kinit -k  root/myclient.samdom.com
> >>>>>>>> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> >>>>>>>> kerberos database while getting initial credentials
> >>>>>>>>
> >>>>>>>> $ kinit -k MYCLIENT$
> >>>>>>>> ok
> >>>>>>>>
> >>>>>>>> ---------
> >>>>>>>> I tried creating a samba root user.
> >>>>>>>> ---------
> >>>>>>>>
> >>>>>>>> -> on the client I create a root user and export to keytab
> >>>>>>>> $ samba-tool user add root
> >>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> >>>>>>>> Same problem but here "kinit -k root" works.
> >>>>>>>>
> >>>>>>>> $ kinit -k root
> >>>>>>>> ok
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ------
> >>>>>>>> I tried to kinit another samba user
> >>>>>>>> ------
> >>>>>>>>
> >>>>>>>> -> on the client I kinit a valid user and write to the share
> >>>>>>>>
> >>>>>>>> $  kinit validuser
> >>>>>>>> $ touch /myshare/testfile2
> >>>>>>>>
> >>>>>>>> Here the nfs4 connection is not made with the validuser's principal,
> >>>>>>>> always with the machine's principal.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> -------
> >>>>>>>> So
> >>>>>>>> -------
> >>>>>>>>
> >>>>>>>> I don't understand why I can "kinit root" but not "kinit
> >>>>>>>> root/myclient.samdom.com". What's the difference between these
> >>>>>>>> principals?
> >>>>>>>>
> >>>>>>>> I don't understand how the nfs4 client chooses the principal used to
> >>>>>>>> make the connection to the nfs4 share. Why can the root user only use
> >>>>>>>> the machine's principal?
> >>>>>>>>
> >>>>>>>> I don't know if the problem comes from the creation of the kerberos
> >>>>>>>> principals or from the nfs4 client not choosing the correct
> >>>>>>>> principal...
> >>>>>>>>
> >>>>>>>> Can someone give me a tip?
> >>>>>>>>
> >>>>>>>> Thanks !
> >>>>>>>>
> >>>>>>>> Baptiste.
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >
> >
> 
> --
> 
> Bruno MACADRE
> -------------------------------------------------------------------
>   Ingénieur Systèmes et Réseau     | Systems and Network Engineer
>   Département Informatique         | Department of computer science
>   Responsable Info SER             | SER IT Manager
>   Université de Rouen              | University of Rouen
> -------------------------------------------------------------------
> Contact :
> 	Université de Rouen
> 	Faculté des Sciences et Techniques - Madrillet
> 	Avenue de l'Université
> 	CS 70012
> 	76801 St Etienne du Rouvray CEDEX
> 	FRANCE
> 
> 	Tel : +33 (0)2-32-95-51-86
> 	Mob : +33 (0)6-74-71-45-64
> -------------------------------------------------------------------
> 
> 




