[Samba] nfs4 with Samba 4

steve steve at steve-ss.com
Sat Jan 28 04:21:47 MST 2012 

On 28/01/12 11:03, Gémes Géza wrote:
> 2012-01-28 10:40 keltezéssel, steve írta:
>> Hi everyone
>> Version 4.0.0alpha18-GIT-bfc7481
>> openSUSE 12.1
>>
>> Conventional nfs4 export works fine, but I'm having trouble
>> kerberizing it for Samba 4 for my Samba 4 users.
>>
>> I've setup the nfs4 pseudo stuff like this:
>> hh3:/ # mkdir /export
>> hh3:/ # mkdir /export/home
>> hh3:/ # mount --bind /home /export/home
>>
>> Here is /etc/exports:
>> /export        gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
>> /export/home    gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>>
>> /etc/sysconfig/nfs has:
>> NFS_SECURITY_GSS="yes"
>>
>> I have used samba-tool to make an nfs service principal and it responds:
>> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for
>> nfs/hh3.hh3.site at HH3.SITE [canonicalize, renewable]
>> Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime:
>> 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till:
>> 2012-01-29T09:31:37
>> when I:
>> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>
>> It mounts OK and mount shows:
>> hh3:/home/ on /mnt type nfs4
>> (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
>>
>> Autenticated Samba 4 users get 'Permission denied when trying to cd to
>> /mnt. Only root can enter. The permissions using ls -la are:
>> d?????????   ? ?    ?        ?            ? mnt
>> You can see that /home has indeed been mounted but with strange
>> permissions.
>>
>> Has anyone tried nfs with Samba 4 Kerberos?
>> Why the permissions?
>> What am I missing?
>>
>> Cheers,
>> Steve
> root can enter, because (you don't have no_root_squash) it is mapped to
> the nobody user and thus has the basic rights
> I would check if the user account you are trying to read/write/list/etc
> the /mnt dir has got the nfs tickets, with a klist
>
> Regards
>
> Geza
Hi Geza, hi everyone
A bit of progress:
Yes, the /mnt dir got the nfs ticket when I issued the mount command. 
Also, authenticated Samba 4 users can enter /mnt but only if they do a 
kinit first. IOW they have to authenticate twice. Once in his home 
folder (now under /mnt) he only has read access to his files.
klist looks OK:
Ticket cache: FILE:/tmp/krb5cc_3000020
Default principal: steve5 at HH3.SITE
Valid starting     Expires            Service principal
01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/HH3.SITE at HH3.SITE
     renew until 01/29/12 11:57:29
01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.hh3.site at HH3.SITE
     renew until 01/29/12 11:57:29

I think I'd need root_squash to prevent root no? But no worries. Just 
trying to get nfs write access for a user.

The Kerberos seems to be working in that a local user gets 'Pemission 
denied when trying to cd to /mnt and gets this when ls'ing:

d?????????   ? ?    ?        ?            ? mnt

A doubly authenticated Samba 4 user gets:
drwxr-xr-x   5 root root  4096 Dec 23 00:15 mnt
but no write access to his nfs mounted home folder.

Why is the double authentication needed?
How can we get rw access to the share?
Thanks,
Steve

More information about the samba mailing list