[Samba] Samba server with NFSV4/kerberos

Luc Lalonde Luc.Lalonde at polymtl.ca
Tue Mar 24 05:41:17 MDT 2015


Guten tag Rainer,

We use our Samba4/Win2k8 AD domain to authenticate all our Linux/Windows/OSX workstations.

The home directories are mounted using CIFS in the Windows and OSX clients and NFS4 (krb5) in our Linux labs.

Here’s our documentation (French):

https://techwiki.gi.polymtl.ca/NFSv4_Kerberos

If Google translate gives you something unintelligible, I’ll be glad to clarify the translation to English…

Hope this helps!

-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

> On Mar 24, 2015, at 6:18 AM, Rainer Krienke <krienke at uni-koblenz.de> wrote:
> 
> Hello,
> 
> I am searching for a solution that I thought should be kind of standard,
> but until now I was not successful finding anything. Here is the problem:
> 
> At our site we offer windows and linux, most servers (eg file, samba,
> web) are linux based. User data is stored on NFS file servers. Windows
> systems are part of a Windows domain with an ADS domain controller. At
> the moment the linux samba server is joined to the ADS domain
> (ADSREALM.UNI-KOBLENZ.DE) and uses a "security=ADS" configuration.
> Works great with NFSV3.
> 
> Now I would like to set up a samba server that uses NFS V4/kerberos to
> access user data instead of NFS3. NFSV4 with sec=krb5 is running fine
> using a MIT kerberos server for the realm (LINUXREALM.UNI-KOBLENZ.DE)
> running on linux. So when I am root eg on the samba server I can access
> the NFS4 mounted user directories without any problem.
> 
> Now here is the problem: When samba tries to access a directory of a
> windows user say "john"  (john's home is NFS4 mounted on the samba
> server) the samba process does this as the user "john" not root and gets
> a permission denied, since for user "john" there is no kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a windows user authenticates against the windows ADS server when he logs
> in at windows and my MIT kerberos server does not know anything about this.
> 
> Does anyone have a similar setup and has a solution for the problem
> described that's working?
> 
> Thanks
> Rainer
> -- 
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
> 1001312
> 