[Samba] kerberos nfs4's principals and root access

Prunk Dump prunkdump at gmail.com
Fri Oct 9 06:59:10 UTC 2015


Hello samba team !

I have some NFS4 exports managed by a Samba's Kerberos realm. All the
standard user accesses work fine.

I am now trying to set up NFS4 root access to administer the share from
another server (the two hosts are DCs, one PDC and one SDC). But I have
trouble understanding the kerberos/principals layer.

-------------
Currently I do
-------------

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

With this setup all my domain users can write to the share. But when I
try with the root account it uses the machine keytab (that's normal,
root is not a domain user but it has access to the keytab):

-> on the client as root
$ touch /myshare/testfile

-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  .... /nfs4/myshare/tesfile

But I need root access !

----------
I have tried with a root/myclient service principal name
----------

-> on the client I create a root/myclient SPN and export it to the keytab
$ samba-tool user add root-myclient --random-password
$ samba-tool spn add root/myclient.samdom.com root-myclient
$ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab

But nothing changes when I access the share. I tried to kinit this
principal but it fails. However, kinit with the machine principal works.

$ kinit -k  root/myclient.samdom.com
kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
kerberos database while getting initial credentials

$ kinit -k MYCLIENT$
ok

---------
I tried creating a samba root user.
---------

-> on the client I create a root user and export it to the keytab
$ samba-tool user add root
$ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab

Same problem but here "kinit -k root" works.

$ kinit -k root
ok


------
I tried to kinit another samba user
------

-> on the client I kinit a valid user and write to the share

$  kinit validuser
$ touch /myshare/testfile2

Here the nfs4 connection is not made with validuser's principal, but
always with the machine's principal.


-------
So
-------

I don't understand why I can "kinit root" but not "kinit
root/myclient.samdom.com". What's the difference between these
principals?

I don't understand how the nfs4 client chooses the principal used to
make the connection to the nfs4 share. Why can the root user only use
the machine's principal?

I don't know if the problem comes from the creation of the kerberos
principals or from the nfs4 client not choosing the correct
principal...

Can someone give me some tips?

Thanks !

Baptiste.
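As an added illustration (not part of the original message, and not Samba or nfs-utils code), the helper below applies the machine-credential search order documented in rpc.gssd(8) to a constructed `klist -k` listing: for uid 0, rpc.gssd tries `<HOST>$`, then `root/<fqdn>`, `nfs/<fqdn>`, `host/<fqdn>`, then the same services with any instance. The sample keytab listing and host names are assumptions modelled on the commands in the post.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` on the client after the
# two exportkeytab commands from the post (assumption, not captured output).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MYCLIENT$@SAMDOM.COM
   1 root/myclient.samdom.com@SAMDOM.COM'

# Print the principal rpc.gssd would select for root from a klist listing.
# Order follows rpc.gssd(8): <HOST>$, root/<fqdn>, nfs/<fqdn>, host/<fqdn>,
# then root/, nfs/, host/ with any instance name.
#   $1 = short host name (upper-cased to form the AD machine account)
#   $2 = client FQDN   $3 = realm   $4 = text of the klist -k output
gssd_machine_principal() {
    host_upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fqdn=$2; realm=$3
    # Keep only the principal column: every entry line contains an '@'.
    princs=$(printf '%s\n' "$4" | awk '/@/ {print $NF}')
    for cand in "${host_upper}\$@${realm}" "root/${fqdn}@${realm}" \
                "nfs/${fqdn}@${realm}" "host/${fqdn}@${realm}"; do
        if printf '%s\n' "$princs" | grep -qxF "$cand"; then
            printf '%s\n' "$cand"; return 0
        fi
    done
    # Fallback: first key of each service type regardless of instance.
    for svc in root nfs host; do
        hit=$(printf '%s\n' "$princs" | grep "^${svc}/[^@]*@${realm}\$" | head -n 1)
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
    done
    return 1   # no usable machine credential in the keytab
}

# With both keys present the machine account wins, matching the
# SAMDOM\MYCLIENT$ ownership seen on the server in the post.
gssd_machine_principal myclient myclient.samdom.com SAMDOM.COM "$SAMPLE_KEYTAB"
```

Feed the function the real `klist -k` output to check which keytab entry the client will present for root before changing any keytab.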


