[Samba] kerberos nfs4's principals and root access

Prunk Dump prunkdump at gmail.com
Fri Oct 9 09:33:33 UTC 2015


Thank you very much Louis!

I have tried your setup and I can't mount the share from either the
server itself or the client.

In /var/log/syslog I have:

rpc.gssd : ERROR : no credentials found for connecting to server myserver

This is because the machine principal is not present in the keytab:

$ klist -k
1 nfs/myclient.samdom.com@SAMDOM.COM
1 nfs/myclient.samdom.com@SAMDOM.COM
1 nfs/myclient.samdom.com@SAMDOM.COM

If I add the machine principal, I can mount the share, but the root user
writes as "machine", not as "root".

Can you check your setup? Do you have your machine credential in
/etc/krb5.keytab? (Check with klist -k.)

Do you do something related to Kerberos when you log in as root?

Do you have additional options in "/etc/idmap.conf"?

Can you give me the result of:

$ klist
$ klist -k

when you are logged in as root?

Thank you again!

Baptiste.


2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hi,
>
> I had it the other way around. Only root access.
>
> I have scripted my setup and tested on debian.
> Look here
> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>
> If you get the file setup-nfsv4-kerberos.sh and compare it to your setup.
> If you can read the bash script maybe you see something you missed.
>
> When I write as "root", it's root and not the machine account that owns the file.
>
>
> How is your exports file on the server configured?
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>> Sent: Friday 9 October 2015 8:59
>> To: samba at lists.samba.org
>> Subject: [Samba] kerberos nfs4's principals and root access
>>
>> Hello samba team !
>>
>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
>> standard user accesses work fine.
>>
>> I am now trying to set up NFS4 root access to administer the share from
>> another server (the two hosts are DCs, one PDC and one SDC), but I have
>> trouble understanding the Kerberos/principals layer.
>>
>> ------------
>> What I currently do
>> -------------
>>
>> -> on the server I create an nfs principal and export it to the keytab
>> $ samba-tool user add nfs-myserver --random-password
>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>
>> -> on the client I use the machine keytab.
>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>
>> With this setup all my domain users can write to the share. But when I
>> try with the root account it uses the machine keytab (that's normal:
>> root is not a domain user, but it has access to the keytab):
>>
>> -> on the client as root
>> $ touch /myshare/testfile
>>
>> -> on the server
>> $ ls -al /srv/nfs4/myshare/testfile
>> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....
>> /nfs4/myshare/testfile
>>
>> But I need root access!
>>
>> ----------
>> I have tried with a root/myclient service principal name
>> ----------
>>
>> -> on the client I create a root/myclient SPN and export it to the keytab
>> $ samba-tool user add root-myclient --random-password
>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>
>> But nothing changes when I access the share. I tried to kinit this
>> principal but it fails. However kinit with the machine principal works.
>>
>> $ kinit -k  root/myclient.samdom.com
>> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in
>> Kerberos database while getting initial credentials
>>
>> $ kinit -k MYCLIENT$
>> ok
>>
>> ---------
>> I tried creating a Samba root user.
>> ---------
>>
>> -> on the client I create a root user and export it to the keytab
>> $ samba-tool user add root
>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>
>> Same problem, but here "kinit -k root" works.
>>
>> $ kinit -k root
>> ok
>>
>>
>> ------
>> I tried to kinit another Samba user
>> ------
>>
>> -> on the client I kinit a valid user and write to the share
>>
>> $ kinit validuser
>> $ touch /myshare/testfile2
>>
>> Here the NFS4 connection is not made with validuser's principal, but
>> always with the machine's principal.
>>
>>
>> -------
>> So
>> -------
>>
>> I don't understand why I can "kinit root" but not "kinit
>> root/myclient.samdom.com". What's the difference between these
>> principals?
>>
>> I don't understand how the NFS4 client chooses the principal used to
>> make the connection to the NFS4 share. Why can the root user only use
>> the machine's principal?
>>
>> I don't know if the problem comes from the creation of the Kerberos
>> principals or from the NFS4 client not choosing the correct
>> principal...
>>
>> Can someone give me a tip?
>>
>> Thanks!
>>
>> Baptiste.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
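The thread turns on which keytab entry rpc.gssd picks when root touches a krb5-secured NFSv4 mount, since that entry, not the local uid, is what the server sees and maps. The following shell function is an added example (it is not code from the thread, from Samba or from nfs-utils): it reads `klist -k` output and predicts the principal rpc.gssd would use for uid 0. It assumes the search order documented in rpc.gssd(8) as I recall it (the machine account <HOSTNAME>$@REALM first, then root/, nfs/ and host/ for the client's own FQDN, then the same three services for any host); check the man page of your nfs-utils version before relying on the exact order. The host and realm names are the thread's, the function name is mine, and the keytab listings in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread, Samba or nfs-utils.
# Predict which /etc/krb5.keytab entry rpc.gssd will use for root (uid 0)
# when it sets up the GSS context for a sec=krb5 NFSv4 mount.
#
# Assumptions:
#  - search order as documented in rpc.gssd(8), to the best of my knowledge:
#      <HOSTNAME>$@REALM, root/<fqdn>@REALM, nfs/<fqdn>@REALM, host/<fqdn>@REALM,
#      then root/<any>@REALM, nfs/<any>@REALM, host/<any>@REALM
#  - input is MIT "klist -k" output: header lines, then "KVNO principal" rows.

# pick_gssd_principal FQDN REALM  < klist-k-output
# Prints the chosen principal and returns 0; returns 1 when nothing matches
# (the situation behind "rpc.gssd: ERROR: no credentials found ...").
pick_gssd_principal() {
    fqdn=$1
    realm=$2
    # The machine account's sAMAccountName is the upper-cased short hostname plus "$".
    shortname=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    # Keep only the principal column of entry rows (first field is a numeric KVNO);
    # several rows per principal (one per enctype) collapse to one.
    princs=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)

    # Pass 1: exact candidates for this host, in rpc.gssd's order.
    for cand in "$shortname\$@$realm" \
                "root/$fqdn@$realm" \
                "nfs/$fqdn@$realm" \
                "host/$fqdn@$realm"; do
        if printf '%s\n' "$princs" | grep -qxF "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done

    # Pass 2: the same services for any hostname in this realm.
    for svc in root nfs host; do
        cand=$(printf '%s\n' "$princs" | grep "^$svc/.*@$realm\$" | head -n 1)
        if [ -n "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done

    echo "no usable principal for $fqdn in keytab; rpc.gssd would report no credentials" >&2
    return 1
}

# Usage on a client:  klist -k | sh pick_gssd_principal.sh myclient.samdom.com SAMDOM.COM
if [ $# -eq 2 ]; then
    pick_gssd_principal "$1" "$2"
fi
```

With the thread's keytab (nfs/myclient.samdom.com plus MYCLIENT$), the function returns MYCLIENT$@SAMDOM.COM, which is consistent with root's files arriving on the server owned by SAMDOM\MYCLIENT$; with only the nfs/ entry it returns that principal, and with neither it fails the way rpc.gssd does. If root should instead authenticate with a credential cache of its own (kinit as a domain user), rpc.gssd(8) provides the -n option, which makes uid 0 obtain user credentials instead of the machine credential.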