[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Fri Oct 9 11:33:53 UTC 2015


Ok, not working...

But found this... 

( http://users.suse.com/~sjayaraman/nfs4_howto.txt )

4.5 A known issue using NFS with kerberos
_________________________________________

Even if "no_root_squash" option is used, while exporting a filesystem at the 
server, root on the client gets a "Permission denied"  error when creating 
files on the mount point.

This is because there is no proper mapping between root and the GSSAuthName.

Note: Trying to set 777 permission is not correct as it is not secure. Also,
any file created on the mountpoint will have "nobody" as owner.

There is a work around for this if both NFS server and client use umich_ldap
methods to authenticate. If the idmapd on both server and client is configured 
to use umich_ldap modules then having GSSAuthName (<nfs/hostname at realm>) 
parameter map to root user, on the ldap server will solve this problem.


Still reading, but it should be solvable..

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 9 October 2015 13:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
> 
> Hai Baptiste,
> 
> I re-checked my setup and you're totally correct.
> I cannot enter the nfsV4 mounted directory as root.
> 
> What I've added in idmap.conf
> is this:
> Domain = your_DNS_domain.tld
> 
> [Translation]
> 
> Method = nsswitch
> 
> And I found this link.
> 
> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
> 
> I'm testing this now.
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > Sent: Friday 9 October 2015 11:34
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] kerberos nfs4's principals and root access
> >
> > Thank you very much Louis!
> >
> > I have tried your setup and I can't mount the share from either the
> > server itself or the client.
> >
> > On /var/log/syslog I have :
> >
> > rpc.gssd : ERROR : no credentials found for connecting to server myserver
> >
> > This is because the machine principal is not present in the keytab :
> >
> > $ klist -k
> > 1 nfs/myclient.samdom.com at SAMDOM.COM
> > 1 nfs/myclient.samdom.com at SAMDOM.COM
> > 1 nfs/myclient.samdom.com at SAMDOM.COM
> >
> > If I add the machine principal, I can mount the share but the root user
> > writes as "machine", not as "root".
> >
> > Can you check your setup? Do you have your machine credential in
> > /etc/krb5.keytab? (with klist -k)
> >
> > Do you do something related to kerberos when you log in as root?
> >
> > Do you have additional options in "/etc/idmap.conf" ?
> >
> > Can you give me the result of :
> >
> > $klist
> > $klist -k
> >
> > When you are logged in as root?
> >
> > Thank you again!
> >
> > Baptiste.
> >
> >
> > 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > Hai,
> > >
> > > I had it the other way around. Only root access.
> > >
> > > I have scripted my setup and tested on debian.
> > > Look here
> > > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> > >
> > > If you get the file setup-nfsv4-kerberos.sh and compare it to your setup.
> > > If you can read the bash script, maybe you see something you missed.
> > >
> > > When I write as "root" it's root, and not the machine account, who owns the file.
> > >
> > >
> > > How is your exports file on the server configured?
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > >> -----Original message-----
> > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > >> Sent: Friday 9 October 2015 8:59
> > >> To: samba at lists.samba.org
> > >> Subject: [Samba] kerberos nfs4's principals and root access
> > >>
> > >> Hello samba team!
> > >>
> > >> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> > >> standard user accesses work fine.
> > >>
> > >> I am now trying to set up NFS4 root access to administer the share from
> > >> another server (the two hosts are DCs, one PDC and one SDC). But I have
> > >> trouble understanding the kerberos/principals layer.
> > >>
> > >> ------------
> > >> Actually I do
> > >> -------------
> > >>
> > >> -> on the server I create an nfs principal and export it to the keytab
> > >> $ samba-tool user add nfs-myserver --random-password
> > >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> > >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com
> > >> /etc/krb5.keytab
> > >>
> > >> -> on the client I use the machine keytab.
> > >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> > >>
> > >> With this setup all my domain users can write to the share. But when I
> > >> try with the root account it uses the machine keytab (that's normal,
> > >> root is not a domain user but it has access to the keytab):
> > >>
> > >> -> on the client as root
> > >> $ touch /myshare/testfile
> > >>
> > >> -> on the server
> > >> $ ls -al /srv/nfs4/myshare/testfile
> > >> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....
> > >> /nfs4/myshare/tesfile
> > >>
> > >> But I need root access!
> > >>
> > >> ----------
> > >> I have tried with a root/myclient service principal name
> > >> ----------
> > >>
> > >> -> on the client I create a root/myclient spn and export it to the keytab
> > >> $ samba-tool user add root-myclient --random-password
> > >> $ samba-tool spn add root/myclient.samdom.com root-myclient
> > >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com
> > >> /etc/krb5.keytab
> > >>
> > >> But nothing changes when I access the share. I tried to kinit this
> > >> principal but it fails. However, kinit with the machine principal works.
> > >>
> > >> $ kinit -k  root/myclient.samdom.com
> > >> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> > >> kerberos database while getting initial credentials
> > >>
> > >> $ kinit -k MYCLIENT$
> > >> ok
> > >>
> > >> ---------
> > >> I tried creating a samba root user.
> > >> ---------
> > >>
> > >> -> on the client I create a root user and export it to the keytab
> > >> $ samba-tool user add root
> > >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> > >>
> > >> Same problem but here "kinit -k root" works.
> > >>
> > >> $ kinit -k root
> > >> ok
> > >>
> > >>
> > >> ------
> > >> I tried to kinit another samba user
> > >> ------
> > >>
> > >> -> on the client I kinit a valid user and write to the share
> > >>
> > >> $  kinit validuser
> > >> $ touch /myshare/testfile2
> > >>
> > >> Here the nfs4 connection is not made with the validuser's principal.
> > >> Always with the machine's principal.
> > >>
> > >>
> > >> -------
> > >> So
> > >> -------
> > >>
> > >> I don't understand why I can "kinit root" but not "kinit
> > >> root/myclient.samdom.com". What's the difference between these
> > >> principals?
> > >>
> > >> I don't understand how the nfs4 client chooses the principal used to
> > >> make the connection to the nfs4 share. Why can the root user only use
> > >> the machine's principal?
> > >>
> > >> I don't know if the problem comes from the creation of the kerberos
> > >> principals or from the nfs4 client not choosing the correct
> > >> principal...
> > >>
> > >> Can someone give me some tips?
> > >>
> > >> Thanks!
> > >>
> > >> Baptiste.
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> > >
> >
> 
> 
> 
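A small keytab check for the failure Baptiste hit in the thread (rpc.gssd reporting no credentials because the client keytab held only the nfs/ service principal and not the machine account). This is an added example, not code from the thread or from the setup-nfsv4-kerberos.sh script; it assumes the `klist -k` layout shown above (KVNO, then principal) and runs against constructed sample output.

```shell
# Constructed sample of `klist -k` on a client that, as in the thread, has
# nfs/myclient.samdom.com but no MYCLIENT$ machine principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM'

# Usage: check_keytab_principals "<klist -k output>" <client fqdn> <REALM>
# Reports any of the two principals the client needs that is absent from the
# keytab (nfs/<fqdn>@REALM for rpc.gssd, <HOST>$@REALM for the machine
# credential root falls back to). Returns 0 only if both are present.
check_keytab_principals() {
    klist_out="$1"; fqdn="$2"; realm="$3"
    # Short host name, upper-cased, is the AD machine account name.
    short="$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')"
    nfs_spn="nfs/${fqdn}@${realm}"
    machine="${short}\$@${realm}"
    missing=0
    for p in "$nfs_spn" "$machine"; do
        # Exact match on the principal column so a prefix never counts as present.
        if printf '%s\n' "$klist_out" |
           awk -v want="$p" '$2 == want { found = 1 } END { exit !found }'; then
            echo "present in keytab: $p"
        else
            echo "missing from keytab: $p"
            missing=1
        fi
    done
    return "$missing"
}

# Run against the constructed sample; with MYCLIENT$ absent this reports the
# missing machine principal, which is what rpc.gssd complained about.
if check_keytab_principals "$SAMPLE_KLIST" myclient.samdom.com SAMDOM.COM; then
    echo "keytab complete"
else
    echo "keytab incomplete: expect 'no credentials found' from rpc.gssd"
fi
```

On a live client replace the sample with `"$(klist -k)"` run as root, since /etc/krb5.keytab is normally readable only by root.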
