[Samba] Samba server with NFSV4/kerberos

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Mar 24 06:21:50 MDT 2015


On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:
> Now here is the problem: When samba tries to access a directory of a
> windows user say "john" (john's home is NFS4 mounted on the samba
> server) the samba process does this as the user "john" not root and gets
> a permission denied, since for user "john" there is no kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a windows user authenticates against the windows ADS server when he logs
> in at windows and my MIT kerberos server does not know anything about this.
> 
> Does anyone have a similar setup and has a solution for the problem
> described that's working?

We've done something very similar eons ago with AFS. Similar
problem. With the fake-kaserver Samba could create its own
tickets. Something that in modern days you definitely do NOT
want. We need to hook Samba much better into the nfsv4
client now. Somehow we need to acquire credentials for the
NFS4 service; probably to do this MIT somehow needs to trust
the AD with a cross-realm trust. If Samba has the nfsv4
ticket, we need to tell the kernel to use it when we switch
to "john". Interesting project, but none of this is done yet
unfortunately.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de