[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Fri Oct 9 07:13:48 UTC 2015


Hai, 

I had it the other way around. Only root access. 

I have scripted my setup and tested on debian. 
Look here 
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/ 
setup-nfsv4-kerberos.sh 

If you get the file, setup-nfsv4-kerberos.sh, and compare it to your setup.
If you can read the bash script maybe you see something you missed. 

When I write as "root" it's root, and not the machine account, who owns the file. 


How is your exports file on the server configured? 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 8:59
> To: samba at lists.samba.org
> Subject: [Samba] kerberos nfs4's principals and root access
> 
> Hello samba team !
> 
> I have some NFS4 exports managed by a Samba's Kerberos realm. All the
> standard user accesses work fine.
> 
> I try now to setup an NFS4 root access to administer the share from
> another server (the two hosts are DCs, one PDC and one SDC). But I have
> trouble understanding the kerberos/principals layer.
> 
> ------------
> Actually I do
> -------------
> 
> -> on the server I create an nfs principal and export it to the keytab
> $ samba-tool user add nfs-myserver --random-password
> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
> /etc/krb5.keytab
> 
> -> on the client I use the machine keytab.
> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> 
> With this setup all my domain users can write to the share. But when I
> try with the root account it uses the machine keytab (that's normal,
> root is not a domain user but he has access to the keytab) :
> 
> -> on the client as root
> $ touch /myshare/testfile
> 
> -> on the server
> $ ls -al /srv/nfs4/myshare/testfile
> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....
> /nfs4/myshare/tesfile
> 
> But I need root access !
> 
> ----------
> I have tried with a root/myclient service principal name
> ----------
> 
> -> on the client I create an root/myclient spn and export to keytab
> $ samba-tool user add root-myclient --random-password
> $ samba-tool spn add root/myclient.samdom.com root-myclient
> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com
> /etc/krb5.keytab
> 
> But nothing changes when I access the share. I tried to kinit this
> principal but it fails. However kinit with the machine principal works.
> 
> $ kinit -k  root/myclient.samdom.com
> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> kerberos database while getting initial credentials
> 
> $ kinit -k MYCLIENT$
> ok
> 
> ---------
> I tried creating a samba root user.
> ---------
> 
> -> on the client I create a root user and export to keytab
> $ samba-tool user add root
> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> 
> Same problem but here "kinit -k root" works.
> 
> $ kinit -k root
> ok
> 
> 
> ------
> I tried to kinit another samba user
> ------
> 
> -> on the client I kinit a valid user and write to the share
> 
> $  kinit validuser
> $ touch /myshare/testfile2
> 
> Here the nfs4 connection is not made with the validuser's principal.
> Always with the machine's principal.
> 
> 
> -------
> So
> -------
> 
> I don't understand why I can "kinit root" but not "kinit
> root/myclient.samdom.com". What's the difference between these
> principals ?
> 
> I don't understand how the nfs4 client chooses the principal used to
> make the connection to the nfs4 share. Why can the root user only use
> the machine's principal ?
> 
> I don't know if the problem comes from the creation of kerberos
> principals or from the nfs4 client not choosing the correct
> principal...
> 
> Can someone give me a tip ?
> 
> Thanks !
> 
> Baptiste.
> 
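As an added illustration of the principal-selection question in the quoted message (example code, not from either poster or from the nfs-utils project): a small model of how rpc.gssd picks the client credential, following the search order documented in rpc.gssd(8), run over a constructed `klist -k` listing that mirrors the poster's keytab. The hostname, realm and keytab contents are assumptions; the `-n` option (root uses a ticket cache like any other uid) is modelled by the `use_machine_creds_for_root` flag.

```python
"""Model of which credential an NFSv4 client presents for a given uid.

rpc.gssd(8): for uid 0 the daemon takes a keytab entry, trying in order
<HOST>$, root/<host>, nfs/<host>, host/<host>, then root/, nfs/ and host/
with any instance; every other uid (and uid 0 when rpc.gssd runs with -n)
uses that uid's own credential cache.  A plain user principal such as
root@REALM is never a machine-credential candidate."""
import re

REALM = "SAMDOM.COM"                 # assumption, mirrors the thread
HOSTNAME = "myclient.samdom.com"     # assumption, mirrors the thread

# Constructed `klist -k /etc/krb5.keytab` output: the machine account plus
# the two extra principals the poster exported afterwards.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   1 MYCLIENT$@SAMDOM.COM
   1 root/myclient.samdom.com@SAMDOM.COM
   1 root@SAMDOM.COM
"""

def parse_klist(text):
    """Principals listed by `klist -k`, in keytab order."""
    return [m.group(1) for m in
            (re.match(r"\s*\d+\s+(\S+@\S+)$", line) for line in text.splitlines()) if m]

def machine_candidates(hostname, realm):
    """(exact names, wildcard patterns) rpc.gssd tries for uid 0, in preference order."""
    short = hostname.split(".")[0].upper()
    exact = [f"{short}$@{realm}"] + [f"{svc}/{hostname}@{realm}" for svc in ("root", "nfs", "host")]
    anyinst = [re.compile(rf"^{svc}/[^@/]+@{re.escape(realm)}$") for svc in ("root", "nfs", "host")]
    return exact, anyinst

def choose_principal(uid, keytab_principals, hostname, realm, use_machine_creds_for_root=True):
    """Return ('keytab', principal), ('ccache', uid) or ('none', None)."""
    if uid != 0 or not use_machine_creds_for_root:
        return ("ccache", uid)           # e.g. /tmp/krb5cc_<uid> from the user's kinit
    exact, anyinst = machine_candidates(hostname, realm)
    for cand in exact:
        if cand in keytab_principals:    # first exact match wins: MYCLIENT$ beats root/...
            return ("keytab", cand)
    for pat in anyinst:
        for princ in keytab_principals:
            if pat.match(princ):
                return ("keytab", princ)
    return ("none", None)                # no usable machine credential for root

if __name__ == "__main__":
    princs = parse_klist(KLIST_OUTPUT)
    print(choose_principal(0, princs, HOSTNAME, REALM))      # ('keytab', 'MYCLIENT$@SAMDOM.COM')
    print(choose_principal(1000, princs, HOSTNAME, REALM))   # ('ccache', 1000)
```

With the machine account present, root is always mapped to MYCLIENT$ regardless of what else is exported, which matches the ownership seen on the server in the thread.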