[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Fri Oct 9 11:39:44 UTC 2015


Ok, now it's clear to me. 

We need to set UMICH_SCHEMA in idmap.conf 
Read : http://linux.die.net/man/5/idmapd.conf  

Working on it now. 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 9 October 2015 13:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
> 
> Ok, not working...
> 
> But found this...
> 
> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
> 
> 4.5 A known issue using NFS with kerberos
> _________________________________________
> 
> Even if "no_root_squash" option is used, while exporting a filesystem at the
> server, root on the client gets a "Permission denied" error when creating
> files on the mount point.
> 
> This is because there is no proper mapping between root and the
> GSSAuthName.
> 
> Note: Trying to set 777 permission is not correct as it is not secure. Also,
> any file created on the mountpoint will have "nobody" as owner.
> 
> There is a work around for this if both NFS server and client use umich_ldap
> methods to authenticate. If the idmapd on both server and client is configured
> to use umich_ldap modules then having GSSAuthName (<nfs/hostname at realm>)
> parameter map to root user, on the ldap server will solve this problem.
> 
> 
> Still reading, but should be solvable..
> 
> Greetz,
> 
> Louis
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Friday 9 October 2015 13:17
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] kerberos nfs4's principals and root access
> >
> > Hai Baptiste,
> >
> > I re-checked my setup and you're totally correct.
> > I cannot enter the nfsV4 mounted directory as root.
> >
> > What i've added in idmap.conf
> > Is this :
> > Domain = your_DNS_domain.tld
> >
> > [Translation]
> >
> > Method = nsswitch
> >
> > And i found this link.
> >
> > http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-
> > host-on-ubuntu
> >
> > I'm testing this now.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > > Sent: Friday 9 October 2015 11:34
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] kerberos nfs4's principals and root access
> > >
> > > Thank you very much Louis !
> > >
> > > I have tried your setup and I can't mount the share, neither from the
> > > server itself nor from the client.
> > >
> > > On /var/log/syslog I have :
> > >
> > > rpc.gssd : ERROR : no credentials found for connecting to server myserver
> > >
> > > This is because the machine principal is not present in the keytab :
> > >
> > > $ klist -k
> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> > >
> > > If I add the machine principal, I can mount the share but the root user
> > > writes as "machine", not as "root".
> > >
> > > Can you check your setup ? Do you have your machine credential in
> > > /etc/krb5.keytab ? (with klist -k)
> > >
> > > Do you do something related with kerberos when you login as root ?
> > >
> > > Do you have additional options in "/etc/idmap.conf" ?
> > >
> > > Can you give me the result of :
> > >
> > > $klist
> > > $klist -k
> > >
> > > When you are logged as root ?
> > >
> > > Thank you again !
> > >
> > > Baptiste.
> > >
> > >
> > > 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > > Hai,
> > > >
> > > > I had it the other way around. Only root access.
> > > >
> > > > I have scripted my setup and tested on debian.
> > > > Look here
> > > > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
> > > > setup-nfsv4-kerberos.sh
> > > >
> > > > If you get the file, setup-nfsv4-kerberos.sh, and compare it to your
> > > > setup.
> > > > If you can read the bash script maybe you see something you missed.
> > > >
> > > > When I write as "root" it's root and not the machine account that owns
> > > > the file.
> > > >
> > > >
> > > > How is your exports file on the server configured?
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >> -----Original message-----
> > > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > > >> Sent: Friday 9 October 2015 8:59
> > > >> To: samba at lists.samba.org
> > > >> Subject: [Samba] kerberos nfs4's principals and root access
> > > >>
> > > >> Hello samba team !
> > > >>
> > > >> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> > > >> standard user accesses work fine.
> > > >>
> > > >> I am now trying to set up NFS4 root access to administer the share from
> > > >> another server (the two hosts are DCs, one PDC and one SDC). But I have
> > > >> trouble understanding the kerberos/principals layer.
> > > >>
> > > >> ------------
> > > >> Actually I do
> > > >> -------------
> > > >>
> > > >> -> on the server I create an nfs principal and export it to the keytab
> > > >> $ samba-tool user add nfs-myserver --random-password
> > > >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> > > >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> > > >>
> > > >> -> on the client I use the machine keytab.
> > > >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> > > >>
> > > >> With this setup all my domain users can write to the share. But when I
> > > >> try with the root account it uses the machine keytab (that's normal,
> > > >> root is not a domain user but he has access to the keytab) :
> > > >>
> > > >> -> on the client as root
> > > >> $ touch /myshare/testfile
> > > >>
> > > >> -> on the server
> > > >> $ ls -al /srv/nfs4/myshare/testfile
> > > >> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....
> > > >> /nfs4/myshare/tesfile
> > > >>
> > > >> But I need root access !
> > > >>
> > > >> ----------
> > > >> I have tried with a root/myclient service principal name
> > > >> ----------
> > > >>
> > > >> -> on the client I create a root/myclient SPN and export it to the keytab
> > > >> $ samba-tool user add root-myclient --random-password
> > > >> $ samba-tool spn add root/myclient.samdom.com root-myclient
> > > >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> > > >>
> > > >> But nothing changes when I access the share. I tried to kinit this
> > > >> principal but it fails. However kinit with the machine principal works.
> > > >>
> > > >> $ kinit -k  root/myclient.samdom.com
> > > >> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> > > >> kerberos database while getting initial credentials
> > > >>
> > > >> $ kinit -k MYCLIENT$
> > > >> ok
> > > >>
> > > >> ---------
> > > >> I tried creating a samba root user.
> > > >> ---------
> > > >>
> > > >> -> on the client I create a root user and export to keytab
> > > >> $ samba-tool user add root
> > > >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> > > >>
> > > >> Same problem but here "kinit -k root" works.
> > > >>
> > > >> $ kinit -k root
> > > >> ok
> > > >>
> > > >>
> > > >> ------
> > > >> I tried to kinit another samba user
> > > >> ------
> > > >>
> > > >> -> on the client I kinit a valid user and write to the share
> > > >>
> > > >> $  kinit validuser
> > > >> $ touch /myshare/testfile2
> > > >>
> > > >> Here the nfs4 connection is not made with validuser's principal,
> > > >> but always with the machine's principal.
> > > >>
> > > >>
> > > >> -------
> > > >> So
> > > >> -------
> > > >>
> > > >> I don't understand why I can "kinit root" but not "kinit
> > > >> root/myclient.samdom.com". What's the difference between these
> > > >> principals ?
> > > >>
> > > >> I don't understand how the nfs4 client chooses the principal used to
> > > >> make the connection to the nfs4 share. Why can the root user only use
> > > >> the machine's principal ?
> > > >>
> > > >> I don't know if the problem comes from the creation of kerberos
> > > >> principals or from the nfs4 client not choosing the correct
> > > >> principal...
> > > >>
> > > >> Can someone give me a tip ?
> > > >>
> > > >> Thanks !
> > > >>
> > > >> Baptiste.
> > > >>
> > > >> --
> > > >> To unsubscribe from this list go to the following URL and read the
> > > >> instructions:  https://lists.samba.org/mailman/options/samba
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> 
> 
> 
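A small check for the keytab problem this thread turns on, written as an added example and not taken from any of the posts: it parses the text that `klist -k` prints (a constructed sample mirroring Baptiste's listing, with `@` where the list archive shows `at`) and reports whether the client's machine principal and its `nfs/` service principal are both present, the two principals the thread exports to /etc/krb5.keytab. The hostname, NetBIOS name and realm are parameters; the sample values below are the ones used in the thread.

```python
import re

# Constructed sample of `klist -k` output, mirroring the listing in the thread:
# three entries for the nfs/ service principal and no machine principal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
"""

# One keytab entry: a key version number followed by a principal with a realm.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(output):
    """Return {principal: set of KVNOs} from `klist -k` text, ignoring headers."""
    entries = {}
    for line in output.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            kvno, principal = int(match.group(1)), match.group(2)
            entries.setdefault(principal, set()).add(kvno)
    return entries


def required_principals(hostname, netbios_name, realm):
    """Principals the thread exports to the client keytab: the machine
    account (NAME$@REALM) and the nfs/ service principal for the host."""
    return {
        "machine": f"{netbios_name.upper()}$@{realm}",
        "nfs": f"nfs/{hostname.lower()}@{realm}",
    }


def check_keytab(output, hostname, netbios_name, realm):
    """Return {role: present?} so a missing principal is visible before
    rpc.gssd fails with 'no credentials found for connecting to server'."""
    present = parse_klist(output)
    required = required_principals(hostname, netbios_name, realm)
    return {role: principal in present for role, principal in required.items()}


if __name__ == "__main__":
    result = check_keytab(SAMPLE_KLIST, "myclient.samdom.com", "myclient", "SAMDOM.COM")
    for role, ok in result.items():
        print(f"{role:8s} {'present' if ok else 'MISSING'}")
```

Run it against `klist -k` output captured from the client to see which of the two principals the keytab lacks.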