[Samba] nfs root kerberos
Rowland penny
rpenny at samba.org
Thu Nov 12 13:52:56 UTC 2020
On 12/11/2020 13:27, Jason Keltz via samba wrote:
>
> On 11/12/2020 8:17 AM, Rowland penny via samba wrote:
>> On 11/11/2020 10:54, Jason Keltz via samba wrote:
>>> Hi Louis,
>>> I've looked into that and I'm not sure how this would be done?
>>> By the way, even with your NFS translation fix (which doesn't work
>>> for me because gssproxy), do you do this before accessing root files..?
>>> sudo root
>>> kinit -k 'host$'
>>>
>> OK, after a bit of a battle, I now have a Centos 7 Unix domain member
>> mounting an NFS share from a Devuan NFS4 server.
>>
>> The actual mount wasn't a problem, it was getting the NFS server to
>> work 😮
>>
>> I used Samba AD DC's for the authentication, a Unix domain member as
>> the NFS server and a Centos 7 Unix domain member as the NFS client. I
>> did minimal setup on the Centos machine.
>
> Hi Rowland,
>
> The problem wasn't getting NFS to work - it was getting NFS "root"
> access to work between a CentOS 7 client and CentOS 7 server (AKA
> no_root_squash in /etc/exports).
>
> Finally, after a significant amount of effort, I figured that out last
> night.
>
> In my case, I needed to add a realms section for realm
> AD.EECS.YORKU.CA and include 2 auth_to_local rules as follows:
>
> [realms]
> AD.EECS.YORKU.CA = {
> auth_to_local = RULE:[1:$1@$0](J1\$@AD.EECS.YORKU.CA)s/.*/root/
> auth_to_local = DEFAULT
> }
>
> This allows root on "J1" to "really" be root. Additional of the first
> line are required for each system. The DEFAULT line is required.
> Lots of fun let me tell ya.
>
> Jason.
>
>
Define what you mean by 'really root' ?
The root user is a Unix user and, as such, has nothing to do with AD (or
NFS).
If you can login into a Unix domain member, you should be able to use
root and if you login into a Windows domain member, then try to use
root, it should go 'root ? who is that ?'
So, when you log into a Unix domain member, what isn't working ?
Rowland
More information about the samba
mailing list