[Samba] kerberos nfs4's principals and root access
Prunk Dump
prunkdump at gmail.com
Fri Oct 9 06:59:10 UTC 2015
Hello Samba team!
I have some NFS4 exports managed by a Samba Kerberos realm. All the
standard user accesses work fine.
I am now trying to set up NFS4 root access to administer the share from
another server (the two hosts are DCs, one PDC and one SDC). But I have
trouble understanding the Kerberos/principals layer.
------------
What I currently do
-------------
-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
With this setup all my domain users can write to the share. But when I
try with the root account it uses the machine keytab (that's normal,
root is not a domain user but he has access to the keytab):
-> on the client as root
$ touch /myshare/testfile
-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers ....
/nfs4/myshare/tesfile
But I need root access!
----------
I have tried with a root/myclient service principal name
----------
-> on the client I create a root/myclient SPN and export it to the keytab
$ samba-tool user add root-myclient --random-password
$ samba-tool spn add root/myclient.samdom.com root-myclient
$ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
But nothing changes when I access the share. I tried to kinit this
principal but it fails. However, kinit with the machine principal works.
$ kinit -k root/myclient.samdom.com
kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
kerberos database while getting initial credentials
$ kinit -k MYCLIENT$
ok
---------
I tried creating a Samba root user.
---------
-> on the client I create a root user and export it to the keytab
$ samba-tool user add root
$ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
Same problem, but here "kinit -k root" works.
$ kinit -k root
ok
------
I tried to kinit another Samba user
------
-> on the client I kinit a valid user and write to the share
$ kinit validuser
$ touch /myshare/testfile2
Here the NFS4 connection is not made with validuser's principal, but
always with the machine's principal.
-------
So
-------
I don't understand why I can "kinit root" but not "kinit
root/myclient.samdom.com". What's the difference between these
principals?
I don't understand how the NFS4 client chooses the principal used to
make the connection to the NFS4 share. Why can the root user only use
the machine's principal?
I don't know if the problem comes from the creation of the Kerberos
principals or from the NFS4 client not choosing the correct
principal...
Can someone give me some tips?
Thanks !
Baptiste.
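The question of how the NFS4 client picks a principal for root, as an added example that is not part of the post above: on a Linux client the choice is made by rpc.gssd, which for uid 0 searches the keytab for a machine credential in a fixed order documented in rpc.gssd(8) (reproduced here from memory; check the man page of your nfs-utils version). The small model below parses a constructed `klist -k` listing and applies that order, so you can see why an exported `MYCLIENT$` entry always wins over a later `root/myclient...` entry. Host and realm names are taken from the post; the keytab contents are constructed for illustration.

```python
"""Model of how rpc.gssd chooses a machine credential for uid 0.

Added example, not code from the post or from nfs-utils. The search order is
the one documented in rpc.gssd(8) for machine credentials (assumption: verify
against your local man page). The klist output below is constructed.
"""
import re

# Constructed sample of `klist -k /etc/krb5.keytab` on the NFS client after
# both the machine account and the root/ SPN were exported, as in the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@SAMDOM.COM
   2 MYCLIENT$@SAMDOM.COM
   1 root/myclient.samdom.com@SAMDOM.COM
"""

# One keytab entry per line: "<kvno> <principal>@<REALM>"; header lines do not match.
PRINCIPAL_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return the principals of a `klist -k` listing, in file order, without duplicates."""
    found = []
    for line in text.splitlines():
        m = PRINCIPAL_LINE.match(line)
        if m and m.group(2) not in found:
            found.append(m.group(2))
    return found


def gssd_search_order(hostname, realm):
    """Exact principal names rpc.gssd(8) tries first, in order (assumed from the man page)."""
    short = hostname.split(".")[0].upper()
    return [
        f"{short}$@{realm}",          # 1. <HOSTNAME>$@<REALM>  (AD machine account)
        f"root/{hostname}@{realm}",   # 2. root/<hostname>@<REALM>
        f"nfs/{hostname}@{realm}",    # 3. nfs/<hostname>@<REALM>
        f"host/{hostname}@{realm}",   # 4. host/<hostname>@<REALM>
    ]


def select_machine_principal(keytab_principals, hostname, realm):
    """Return the principal rpc.gssd would use for uid 0, or None if none qualifies.

    Steps 1-4 are exact names; steps 5-7 accept root/, nfs/ or host/ with any
    instance in the realm. A plain user principal such as root@REALM is never
    treated as a machine credential, which matches the post's observation.
    """
    for candidate in gssd_search_order(hostname, realm):
        if candidate in keytab_principals:
            return candidate
    for service in ("root", "nfs", "host"):
        for principal in keytab_principals:
            if principal.startswith(service + "/") and principal.endswith("@" + realm):
                return principal
    return None


if __name__ == "__main__":
    principals = parse_klist(SAMPLE_KLIST)
    chosen = select_machine_principal(principals, "myclient.samdom.com", "SAMDOM.COM")
    print("keytab principals:", principals)
    print("machine credential rpc.gssd would pick for root:", chosen)
```

Two practical consequences follow from the model. First, as long as `MYCLIENT$@SAMDOM.COM` is in the keytab it is found at step 1, so adding `root/myclient.samdom.com` afterwards changes nothing for root; what root ends up as on the server is then decided by the server's idmapping and `root_squash` settings for that machine account, not by the client keytab. Second, rpc.gssd's `-n` option makes uid 0 behave like any other user (it must then obtain its own ticket with kinit instead of using a machine credential), which is the least-privilege way to give an administrator a distinct, auditable identity on the export rather than granting the whole client host root rights. The model says nothing about why `kinit -k root/myclient.samdom.com` fails against the Samba KDC; that is a separate question about how the account was created.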