[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Fri Oct 9 11:17:19 UTC 2015


Hai Baptiste, 

I re-checked my setup and you're totally correct. 
I cannot enter the nfsV4 mounted directory as root.

What I've added in idmap.conf is this:
Domain = your_DNS_domain.tld

[Translation]

Method = nsswitch

And I found this link.

http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu 

I'm testing this now. 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 11:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
> 
> Thank you very much Louis!
> 
> I have tried your setup and I can't mount the share either from the
> server itself or from the client.
> 
> In /var/log/syslog I have:
> 
> rpc.gssd : ERROR : no credentials found for connecting to server myserver
> 
> This is because the machine principal is not present in the keytab:
> 
> $ klist -k
> 1 nfs/myclient.samdom.com at SAMDOM.COM
> 1 nfs/myclient.samdom.com at SAMDOM.COM
> 1 nfs/myclient.samdom.com at SAMDOM.COM
> 
> If I add the machine principal, I can mount the share but the root user
> writes as "machine", not as "root".
> 
> Can you check your setup? Do you have your machine credential in
> /etc/krb5.keytab? (with klist -k)
> 
> Do you do something related to Kerberos when you log in as root?
> 
> Do you have additional options in "/etc/idmap.conf"?
> 
> Can you give me the result of:
> 
> $klist
> $klist -k
> 
> when you are logged in as root?
> 
> Thank you again!
> 
> Baptiste.
> 
> 
> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > Hai,
> >
> > I had it the other way around. Only root access.
> >
> > I have scripted my setup and tested on debian.
> > Look here
> > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
> > setup-nfsv4-kerberos.sh
> >
> > If you get the file, setup-nfsv4-kerberos.sh, and compare it to your
> setup.
> > If you can read the bash script maybe you see something you missed.
> >
> > When I write as "root" it's root, and not the machine account, who owns the
> file.
> >
> >
> > How is your exports file on the server configured?
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >> Sent: Friday 9 October 2015 8:59
> >> To: samba at lists.samba.org
> >> Subject: [Samba] kerberos nfs4's principals and root access
> >>
> >> Hello samba team!
> >>
> >> I have some NFS4 exports managed by a Samba's Kerberos realm. All the
> >> standard user accesses work fine.
> >>
> >> I am now trying to set up NFS4 root access to administer the share from
> >> another server (the two hosts are DCs, one PDC and one SDC). But I have
> >> trouble understanding the kerberos/principals layer.
> >>
> >> ------------
> >> Actually I do
> >> -------------
> >>
> >> -> on the server I create an nfs principal and export it to the keytab
> >> $ samba-tool user add nfs-myserver --random-password
> >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> >>
> >> -> on the client I use the machine keytab.
> >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> >>
> >> With this setup all my domain users can write to the share. But when I
> >> try with the root account it uses the machine keytab (that's normal,
> >> root is not a domain user but it has access to the keytab):
> >>
> >> -> on the client as root
> >> $ touch /myshare/testfile
> >>
> >> -> on the server
> >> $ ls -al /srv/nfs4/myshare/testfile
> >> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....
> >> /nfs4/myshare/tesfile
> >>
> >> But I need root access!
> >>
> >> ----------
> >> I have tried with a root/myclient service principal name
> >> ----------
> >>
> >> -> on the client I create a root/myclient SPN and export it to the keytab
> >> $ samba-tool user add root-myclient --random-password
> >> $ samba-tool spn add root/myclient.samdom.com root-myclient
> >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> >>
> >> But nothing changes when I access the share. I tried to kinit this
> >> principal but it fails. However, kinit with the machine principal works.
> >>
> >> $ kinit -k  root/myclient.samdom.com
> >> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> >> kerberos database while getting initial credentials
> >>
> >> $ kinit -k MYCLIENT$
> >> ok
> >>
> >> ---------
> >> I tried creating a samba root user.
> >> ---------
> >>
> >> -> on the client I create a root user and export it to the keytab
> >> $ samba-tool user add root
> >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> >>
> >> Same problem but here "kinit -k root" works.
> >>
> >> $ kinit -k root
> >> ok
> >>
> >>
> >> ------
> >> I tried to kinit another samba user
> >> ------
> >>
> >> -> on the client I kinit a valid user and write to the share
> >>
> >> $ kinit validuser
> >> $ touch /myshare/testfile2
> >>
> >> Here the nfs4 connection is not made with the validuser's principal.
> >> Always with the machine's principal.
> >>
> >>
> >> -------
> >> So
> >> -------
> >>
> >> I don't understand why I can "kinit root" but not "kinit
> >> root/myclient.samdom.com". What's the difference between these
> >> principals?
> >>
> >> I don't understand how the nfs4 client chooses the principal used to
> >> make the connection to the nfs4 share. Why can the root user only use
> >> the machine's principal?
> >>
> >> I don't know if the problem comes from the creation of kerberos
> >> principals or from the nfs4 client not choosing the correct
> >> principal...
> >>
> >> Can someone give me some tips?
> >>
> >> Thanks!
> >>
> >> Baptiste.
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> >
> 
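The whole thread turns on which keytab entry rpc.gssd picks for root and how the server then maps that principal to an owner. The script below is an added example, not code from this thread, from Samba or from nfs-utils. It parses the text `klist -k` prints and an idmap.conf fragment like Louis's, then reports which keytab entries would serve as root's "machine credentials" and what that means for file ownership. The candidate order it uses (the host's `NAME$` account first, then `root/`, `nfs/` and `host/` for this host, then the same services for any host in the realm) is my reading of rpc.gssd(8) from nfs-utils releases of that era and is an assumption to verify against the man page of the release you run; the `gssd_uses_user_creds_for_root` flag models rpc.gssd's `-n` option the same way. The keytab listing and idmap.conf contents are constructed sample input modelled on the messages above (with `@` where the list archive shows ` at `).

```python
"""Check a kerberized-NFSv4 client's keytab listing and idmap.conf.

Added example (not from the thread, Samba or nfs-utils). The machine-credential
search order below is an ASSUMPTION based on my reading of rpc.gssd(8);
confirm it against your nfs-utils release before relying on the result.
"""
import configparser
import re
from collections import OrderedDict

GSSD_SERVICE_ORDER = ("root", "nfs", "host")  # assumption, see docstring
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "KVNO Principal" rows

# Constructed sample input modelled on the thread.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   2 MYCLIENT$@SAMDOM.COM
"""
IDMAP_CONF = """\
Domain = samdom.com

[Translation]

Method = nsswitch
"""


def parse_klist_keytab(text):
    """Return [(kvno, principal), ...] in the order `klist -k` listed them.
    Header/separator lines are skipped; repeated rows are kept, since klist
    prints one row per encryption type of the same key."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal):
    """'svc/inst@REALM' -> ('svc', 'inst', 'REALM');
    'NAME$@REALM' -> (None, 'NAME$', 'REALM'); missing realm -> None."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, None
    service, sep, instance = name.partition("/")
    return (service, instance, realm) if sep else (None, name, realm)


def gssd_machine_candidates(entries, hostname, realm):
    """Keytab principals matching rpc.gssd's machine-credential patterns, in
    the order it would try them (assumed order, see module docstring)."""
    principals = list(OrderedDict.fromkeys(p for _, p in entries))  # dedupe
    parsed = {p: split_principal(p) for p in principals}
    short_upper = hostname.split(".")[0].upper()
    ordered = []

    def take(match):
        for p in principals:
            if p not in ordered and match(*parsed[p]):
                ordered.append(p)

    # 1. Windows-style machine account for this host (the MYCLIENT$ case)
    take(lambda s, i, r: s is None and i == short_upper + "$" and r == realm)
    # 2. service principals naming exactly this host
    for svc in GSSD_SERVICE_ORDER:
        take(lambda s, i, r, svc=svc: s == svc and i == hostname and r == realm)
    # 3. the same services for any host name in the realm
    for svc in GSSD_SERVICE_ORDER:
        take(lambda s, i, r, svc=svc: s == svc and r == realm)
    return ordered


def parse_idmap_conf(text):
    """Return (Domain, Translation Method); each is None when absent. A bare
    'Domain = ...' above any section header is treated as [General], which is
    where idmapd.conf(5) places it."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string("[General]\n" + text)
    return (cp.get("General", "Domain", fallback=None),
            cp.get("Translation", "Method", fallback=None))


def report(keytab_text, idmap_text, hostname, realm,
           gssd_uses_user_creds_for_root=False):
    """Summarise how root's writes will show up on the server.
    gssd_uses_user_creds_for_root models rpc.gssd -n (UID 0 uses its own
    ticket cache instead of the keytab)."""
    cands = gssd_machine_candidates(parse_klist_keytab(keytab_text),
                                    hostname, realm)
    domain, method = parse_idmap_conf(idmap_text)
    findings = []
    if gssd_uses_user_creds_for_root:
        findings.append("rpc.gssd -n: root uses whatever ticket `klist` shows; "
                        "without a ticket the mount fails for root")
    elif not cands:
        findings.append("no machine credential in keytab: expect "
                        "'no credentials found' from rpc.gssd for root")
    else:
        findings.append("root authenticates as %s; files root creates are "
                        "owned by the account that principal maps to" % cands[0])
    if domain is None or method is None:
        findings.append("idmap.conf lacks Domain and/or [Translation] Method; "
                        "owner name<->uid mapping may fall back to nobody")
    return {"candidates": cands, "domain": domain, "method": method,
            "findings": findings}


if __name__ == "__main__":
    for key, value in report(KEYTAB_LISTING, IDMAP_CONF,
                             "myclient.samdom.com", "SAMDOM.COM").items():
        print("%s: %s" % (key, value))
```

Run it against `klist -k` output saved to a file and your own idmap.conf to see, before touching the server, which entry root will present and therefore which account the server-side `ls -al` will show as owner; the `nfs/myclient...` rows repeating three times in the sample mirror the one-row-per-enctype output Baptiste pasted.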