[Samba] nfs4 with Samba 4
steve at steve-ss.com
Sat Jan 28 10:49:35 MST 2012
On 28/01/12 17:12, Gémes Géza wrote:
> 2012-01-28 12:21 keltezéssel, steve írta:
>> On 28/01/12 11:03, Gémes Géza wrote:
>>> 2012-01-28 10:40 keltezéssel, steve írta:
>>>> Hi everyone
>>>> Version 4.0.0alpha18-GIT-bfc7481
>>>> openSUSE 12.1
>>>> Conventional nfs4 export works fine, but I'm having trouble
>>>> kerberizing it for Samba 4 for my Samba 4 users.
>>>> I've setup the nfs4 pseudo stuff like this:
>>>> hh3:/ # mkdir /export
>>>> hh3:/ # mkdir /export/home
>>>> hh3:/ # mount --bind /home /export/home
>>>> Here is /etc/exports:
>>>> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
>>>> /export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>>>> /etc/sysconfig/nfs has:
>>>> I have used samba-tool to make an nfs service principal and it
>>>> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for
>>>> nfs/hh3.hh3.site at HH3.SITE [canonicalize, renewable]
>>>> Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime:
>>>> 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till:
>>>> when I:
>>>> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>>> It mounts OK and mount shows:
>>>> hh3:/home/ on /mnt type nfs4
>>>> Autenticated Samba 4 users get 'Permission denied when trying to cd to
>>>> /mnt. Only root can enter. The permissions using ls -la are:
>>>> d????????? ? ? ? ? ? mnt
>>>> You can see that /home has indeed been mounted but with strange
>>>> Has anyone tried nfs with Samba 4 Kerberos?
>>>> Why the permissions?
>>>> What am I missing?
>>> root can enter, because (you don't have no_root_squash) it is mapped to
>>> the nobody user and thus has the basic rights
>>> I would check if the user account you are trying to read/write/list/etc
>>> the /mnt dir has got the nfs tickets, with a klist
>> Hi Geza, hi everyone
>> A bit of progress:
>> Yes, the /mnt dir got the nfs ticket when I issued the mount command.
>> Also, authenticated Samba 4 users can enter /mnt but only if they do a
>> kinit first. IOW they have to authenticate twice. Once in his home
>> folder (now under /mnt) he only has read access to his files.
>> klist looks OK:
>> Ticket cache: FILE:/tmp/krb5cc_3000020
>> Default principal: steve5 at HH3.SITE
>> Valid starting Expires Service principal
>> 01/28/12 11:57:35 01/28/12 21:57:35 krbtgt/HH3.SITE at HH3.SITE
>> renew until 01/29/12 11:57:29
>> 01/28/12 11:57:40 01/28/12 21:57:35 nfs/hh3.hh3.site at HH3.SITE
>> renew until 01/29/12 11:57:29
>> I think I'd need root_squash to prevent root no? But no worries. Just
>> trying to get nfs write access for a user.
>> The Kerberos seems to be working in that a local user gets 'Pemission
>> denied when trying to cd to /mnt and gets this when ls'ing:
>> d????????? ? ? ? ? ? mnt
>> A doubly authenticated Samba 4 user gets:
>> drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
>> but no write access to his nfs mounted home folder.
>> Why is the double authentication needed?
>> How can we get rw access to the share?
> It seems that your authentication scheme (pam) doesn't involve kerberos.
> You can check after login with klist if you have any tickets.
> If not you would probably need to setup pam in order to use kerberos for
> authentication (from my memories it was pretty easy using yast)
Thanks for that.
I've got the pam stuff going now.
Next think is the write access. OK by conventional nfs4 but not with
kerberized mounts. The latter mount read only.
More information about the samba