[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Ken McDonald
ken at generation.tech
Mon Feb 5 13:21:57 UTC 2018
Hi Kevin,
Thanks for your detailed reply. Just to confirm details of your overall
implementation:
1) You are using a non-Samba AD LDAP/Kerberos directory as your main
source of users/groups? (the LDAP server configuration is not shown here)
2) Through some nifty scripts you synchronize users between that LDAP
server and Samba AD? (because as I understand it, Samba AD will not use
an external LDAP server)
3) Is NFS also used to export file shares, or are your Linux clients
mounting SMB shares?
4) If NFS, would you post your server /etc/exports and client mount command?
Thanks for the assistance. It's been a while since I considered using
Samba at customer sites (because the NT4 style was limited and required
manual registry entries to reduce security on modern Windows OSes in
order to join domain). Now I think with a little effort I can fully
deploy Samba AD as an alternative to native Windows AD and realize the
cost savings for customers. Also I find the AD tools and AD server
software (whether Windows AD or Samba AD) much easier to work with than
a Linux LDAP server. I never liked the fact there seemed to be little
GUI tools for Linux LDAP besides paid versions or Apache Studio, which
required Java...
-Ken
On 02/05/2018 08:01 AM, Luc Lalonde wrote:
>
> Hello Kevin,
>
> We have a Samba/Windows 2008 R2 domain that's been running a few years
> now.
>
> Here are the details:
>
> * clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis)
> * idmap
> * samba on clients/server for joining domain
>
> We have scripts that automatically create users with UnixHomeDir, UID
> and GUID numbers within AD.
>
> I don't know about using Winbind... I dropped that option during
> testing. I found it to be a flaky daemon. SSSD also had more options.
>
> Here's a sanitized version of some config files:
>
> ########## /etc/auto.master #################################
> /users /etc/auto.home_all --timeout=60
> #############################################################
>
> ########## /etc/auto.home_all ###############################
> * -fstype=nfs4,rw,sec=krb5 server.example.com:/&
> #############################################################
>
> ########## begin client /etc/samba/smb.conf ##########################
> [global]
> workgroup = GIGL
> realm = example.com
> netbios name = workstation-name
> security = ADS
> password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> dedicated keytab file = /etc/krb5.keytab
> ########## end client /etc/samba/smb.conf ############################
>
> ########## begin server /etc/samba/smb.conf ##########################
> [global]
> workgroup = GIGL
> realm = example.com
> netbios name = SERVER
> security = ADS
> password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> dedicated keytab file = /etc/krb5.keytab
>
> [homes]
> comment = homes
> read only = No
> directory mask = 0700
> force directory mode = 0700
> create mask = 0600
> force create mode = 0600
> browseable = No
> valid users = %S
> follow symlinks = yes
> ########## end server /etc/samba/smb.conf ############################
>
> ############## begin /etc/krb5.conf ####################
> [logging]
> default = SYSLOG:INFO:DAEMON
> kdc = SYSLOG:INFO:DAEMON
> admin_server = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 10h
> renew_lifetime = 7d
> forwardable = true
> allow_weak_crypto = true
>
> [realms]
> EXAMPLE.COM = {
> default_domain = example.com
> master_kdc= domserver1.example.com
> kdc=domserver1.example.com
> kdc=domserver2.example.com
> admin_server=domserver1.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> subnet1.example.com = EXAMPLE.COM
> .subnet1.example.com = EXAMPLE.COM
> subnet2.example.com = EXAMPLE.COM
> .subnet2.example.com = EXAMPLE.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 10h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> validate = true
> }
> ############## end /etc/krb5.conf #####################
>
> Here's the command that I run to generate the keytab on the nfs server
> (after properly configuring '/etc/samba/smb.conf'):
>
> #############
> kinit Administrator@EXAMPLE.COM
> rm -rf /etc/krb5.keytab;
> msktutil --delegation --dont-expire-password \
> --no-pac --computer-name server \
> --enctypes 0x1F -b "OU=Services" \
> -k /etc/krb5.keytab -h server.example.com \
> -s nfs/server.example.com \
> --upn nfs/server.example.com --verbose
>
> rm -rf /etc/krb5.keytab
> net ads join -k -UAdministrator
> #############
>
> Also, don't forget that you need the 'ServicePrincipalNames' enabled
> for your NFS service. I don't know the command on Samba, but here's
> the command on Windows2008R2 (I keep these in the OU=Services):
>
> #############
>
> setspn -A nfs/server.example.com example
> setspn -A nfs/server server
> setspn -L server
> Registered ServicePrincipalNames for
> CN=server,OU=Services,DC=example,DC=com:
> nfs/server
> nfs/server.example.com
> HOST/server.example.com
> HOST/server
>
> #############
>
>
> And on the client:
>
> #############
> kinit Administrator@EXAMPLE.COM
> rm -rf /etc/krb5.keytab;
> msktutil --server domserver1.example.com --delegation \
> --dont-expire-password --no-pac --computer-name workstation-client-nfs \
> --enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
> -h workstation-client.example.com \
> -s nfs/workstation-client.example.com \
> --upn nfs/workstation-client.example.com --verbose
> #############
>
> There are more details... too much to put in this email. Hopefully,
> this can get you on the right path. Maybe I should take the time to
> document this on the Samba Wiki.
>
> Bye.
>
> On 2018-02-05 12:13 AM, Ken McDonald via samba wrote:
>> I found one of my problems was that on the client, in the
>> /etc/krb5.conf file, the domain name was in lower case. The one on
>> the server was upper case. Upper-casing the client one fixed my
>> nfs4 mount issue, but now I have another one.
>>
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
>> recognize permissions. The mount directory is shown as owned by root
>> and the group is 4294967294
>>
>> If I mount the export using nfs4 without krb5 it works as expected
>> and the mount directory is owned by root and the group is from Samba
>> AD as DOMAIN\group
>>
>> I suppose this has something to do with id mapping and a special
>> requirement for nfs4 krb5. I have winbindd running, which of course
>> is why my perms are working non-krb5.
>>
>> Help?
>>
>>
>> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
>>> Thanks Luc,
>>>
>>> First, can I just use the small /etc/krb5.conf suggested in Samba AD
>>> docs or do I need something more substantial on the server & client
>>> for Kerberos NFS to work?
>>>
>>> [libdefaults]
>>> default_realm = SUBDOMAIN.DOMAIN.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> I understand a /etc/krb5.keytab file has to be created on both
>>> server & client. Most of the existing docs show commands to do this
>>> using a real KDC, not Samba AD. If I try to use the kadmin tool,
>>> there's a message about the krb5.conf being incomplete. I am able to
>>> use klist and ktutil
>>>
>>> How do I generate the keytab file with the correct credentials?
>>>
>>> nfs/server@subdomain.domain.com
>>>
>>> nfs/client@subdomain.domain.com
>>>
>>> Are these created manually by adding some account in ADUC and then
>>> use "samba-tool domain exportkeytab" to export the krb5.keytab file
>>>
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> -Ken
>>>
>>>
>>>
>>> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>>>> Hey Ken,
>>>>
>>>> We're using AD as a Kerberos server for NFSv4 in our Linux labs to
>>>> automount the students' home directories.
>>>>
>>>> I can answer specific questions if you’ve got some.
>>>>
>>>> Cheers, Luc.
>>>>
>>>>
>>>> Luc Lalonde, analyste
>>>> -----------------------------
>>>> Département de génie informatique:
>>>> École polytechnique de MTL
>>>> (514) 340-4711 x5049
>>>> Luc.Lalonde at polymtl.ca
>>>> -----------------------------
>>>>
>>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> Is it possible to use Samba AD as the Kerberos KDC for NFSv4 servers
>>>>> and then have clients connect to them?
>>>>>
>>>>> I have Ubuntu Server for the server and Linux Mint for clients. So
>>>>> far, I've got a lot setup according to these instructions
>>>>>
>>>>> https://help.ubuntu.com/community/NFSv4Howto
>>>>>
>>>>> And seem to have adapted the keytab entries from using this Samba
>>>>> AD info
>>>>>
>>>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>>>
>>>>> But I'm kind of stuck getting the actual mount to work on a client
>>>>> side. I'll admit to never using Kerberos with NFS before and my
>>>>> Samba AD knowledge is also fairly new (but I do have working Samba
>>>>> AD for Windows and Linux client logins, groups, POSIX & Win ACLs).
>>>>> I can't seem to find good information or a howto on implementing
>>>>> NFS Kerberos + Samba AD
>>>>>
>>>>> Before I post actual questions and logs, is this configuration
>>>>> even possible?
>>>>>
>>>>>
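As an added offline check (not code from the thread or from Samba), the POSIX shell script below tests for the two failure modes discussed above: a lower-case realm in a client krb5.conf, and a keytab that lacks the nfs/<fqdn>@REALM key; it also flags the 4294967294 group id as an NFSv4 idmapping failure. The krb5.conf and `klist -k` samples it creates are constructed.

```shell
#!/bin/sh
# Constructed sample inputs stand in for /etc/krb5.conf and `klist -k` output
# so the checks run offline; on a real host point them at the live files.
check_realm_uppercase() {
    # $1 = krb5.conf-style file; Kerberos realm names are case-sensitive,
    # and a lower-case default_realm on the client broke Ken's krb5 mount.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n1)
    [ -n "$realm" ] || return 2
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

keytab_has_nfs_principal() {
    # $1 = file holding `klist -k` output, $2 = host FQDN, $3 = realm.
    # sec=krb5 needs an nfs/<fqdn>@REALM key in the keytab (msktutil -s nfs/... above).
    grep -q "[[:space:]]nfs/$2@$3\$" "$1"
}

is_unmapped_nfs4_id() {
    # 4294967294 is (uint32)-2: the NFSv4 idmapper could not map the
    # owner/group name, so the kernel fell back to "nobody". Seeing it
    # means idmapping (idmapd/winbind domain) is wrong, not the export.
    [ "$1" = "4294967294" ]
}

tmp=$(mktemp -d)
cat > "$tmp/client.conf" <<'EOF'
[libdefaults]
 default_realm = example.com
 dns_lookup_kdc = true
EOF
cat > "$tmp/server.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
EOF
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM
EOF

check_realm_uppercase "$tmp/client.conf" || echo "client default_realm is not upper case"
keytab_has_nfs_principal "$tmp/klist.txt" server.example.com EXAMPLE.COM || echo "nfs SPN missing"
is_unmapped_nfs4_id 4294967294 && echo "gid 4294967294 means idmapping failed"
```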