[Samba] kerberos nfs4's principals and root access

Prunk Dump prunkdump at gmail.com
Fri Oct 9 12:10:57 UTC 2015


Thanks Louis! Very interesting!

Maybe the simplest method is to set a static translation.

1) Enabling the no_root_squash option in /etc/exports

2) Set the translation in /etc/idmapd.conf

------------------------
/etc/idmapd.conf
------------------------

...
[Translation]

Method = static,nsswitch

[Static]

MYCLIENT$@SAMDOM.COM = root

------------------------

But I don't understand why, with Samba, we can't authenticate as a
client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
seems that it is because we can't kinit them. But I don't understand
why...

Thanks again!

Baptiste.


2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Ok, now it's clear to me.
>
> We need to set UMICH_SCHEMA in idmap.conf
> Read: http://linux.die.net/man/5/idmapd.conf
>
> Working on it now.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>> Sent: Friday, 9 October 2015 13:34
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Ok, not working...
>>
>> But found this...
>>
>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>
>> 4.5 A known issue using NFS with kerberos
>> _________________________________________
>>
>> Even if the "no_root_squash" option is used while exporting a filesystem at
>> the server, root on the client gets a "Permission denied" error when creating
>> files on the mount point.
>>
>> This is because there is no proper mapping between root and the
>> GSSAuthName.
>>
>> Note: Trying to set 777 permission is not correct as it is not secure.
>> Also, any file created on the mountpoint will have "nobody" as owner.
>>
>> There is a work around for this if both NFS server and client use
>> umich_ldap methods to authenticate. If the idmapd on both server and client
>> is configured to use umich_ldap modules then having the GSSAuthName
>> (<nfs/hostname@realm>) parameter map to the root user on the ldap server
>> will solve this problem.
>>
>>
>> Still reading, but it should be solvable..
>>
>> Greetz,
>>
>> Louis
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>> > Sent: Friday, 9 October 2015 13:17
>> > To: samba at lists.samba.org
>> > Subject: Re: [Samba] kerberos nfs4's principals and root access
>> >
>> > Hai Baptiste,
>> >
>> > I re-checked my setup and you're totally correct.
>> > I cannot enter the NFSv4 mounted directory as root.
>> >
>> > What I've added in idmap.conf
>> > is this:
>> > Domain = your_DNS_domain.tld
>> >
>> > [Translation]
>> >
>> > Method = nsswitch
>> >
>> > And I found this link.
>> >
>> > http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>> >
>> > I'm testing this now.
>> >
>> > Greetz,
>> >
>> > Louis
>> >
>> >
>> >
>> > > -----Original message-----
>> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>> > > Sent: Friday, 9 October 2015 11:34
>> > > To: samba at lists.samba.org
>> > > Subject: Re: [Samba] kerberos nfs4's principals and root access
>> > >
>> > > Thank you very much Louis!
>> > >
>> > > I have tried your setup and I can't mount the share from either the
>> > > server itself or the client.
>> > >
>> > > In /var/log/syslog I have:
>> > >
>> > > rpc.gssd : ERROR : no credentials found for connecting to server myserver
>> > >
>> > > This is because the machine principal is not present in the keytab:
>> > >
>> > > $ klist -k
>> > > 1 nfs/myclient.samdom.com@SAMDOM.COM
>> > > 1 nfs/myclient.samdom.com@SAMDOM.COM
>> > > 1 nfs/myclient.samdom.com@SAMDOM.COM
>> > >
>> > > If I add the machine principal, I can mount the share but the root user
>> > > writes as "machine" not as "root".
>> > >
>> > > Can you check your setup? Do you have your machine credential in
>> > > /etc/krb5.keytab? (with klist -k)
>> > >
>> > > Do you do something related to Kerberos when you log in as root?
>> > >
>> > > Do you have additional options in "/etc/idmap.conf"?
>> > >
>> > > Can you give me the result of:
>> > >
>> > > $klist
>> > > $klist -k
>> > >
>> > > when you are logged in as root?
>> > >
>> > > Thank you again!
>> > >
>> > > Baptiste.
>> > >
>> > >
>> > > 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>> > > > Hai,
>> > > >
>> > > > I had it the other way around. Only root access.
>> > > >
>> > > > I have scripted my setup and tested it on Debian.
>> > > > Look here
>> > > > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>> > > >
>> > > > If you get the file setup-nfsv4-kerberos.sh and compare it to your setup.
>> > > > If you can read the bash script maybe you see something you missed.
>> > > >
>> > > > When I write as "root" it's root and not the machine account who owns
>> > > > the file.
>> > > >
>> > > >
>> > > > How is your exports file on the server configured?
>> > > >
>> > > > Greetz,
>> > > >
>> > > > Louis
>> > > >
>> > > >
>> > > >
>> > > >> -----Original message-----
>> > > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>> > > >> Sent: Friday, 9 October 2015 8:59
>> > > >> To: samba at lists.samba.org
>> > > >> Subject: [Samba] kerberos nfs4's principals and root access
>> > > >>
>> > > >> Hello samba team !
>> > > >>
>> > > >> I have some NFS4 exports managed by a Samba Kerberos realm. All the
>> > > >> standard user accesses work fine.
>> > > >>
>> > > >> I am now trying to set up NFS4 root access to administer the share from
>> > > >> another server (the two hosts are DCs, one PDC and one SDC). But I have
>> > > >> trouble understanding the Kerberos/principals layer.
>> > > >>
>> > > >> -------------
>> > > >> What I currently do
>> > > >> -------------
>> > > >>
>> > > >> -> on the server I create an nfs principal and export it to the keytab
>> > > >> $ samba-tool user add nfs-myserver --random-password
>> > > >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>> > > >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>> > > >>
>> > > >> -> on the client I use the machine keytab.
>> > > >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>> > > >>
>> > > >> With this setup all my domain users can write to the share. But when I
>> > > >> try with the root account it uses the machine keytab (that's normal,
>> > > >> root is not a domain user but it has access to the keytab):
>> > > >>
>> > > >> -> on the client as root
>> > > >> $ touch /myshare/testfile
>> > > >>
>> > > >> -> on the server
>> > > >> $ ls -al /srv/nfs4/myshare/testfile
>> > > >> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers  ....  /nfs4/myshare/tesfile
>> > > >>
>> > > >> But I need root access!
>> > > >>
>> > > >> ----------
>> > > >> I have tried with a root/myclient service principal name
>> > > >> ----------
>> > > >>
>> > > >> -> on the client I create a root/myclient SPN and export it to the keytab
>> > > >> $ samba-tool user add root-myclient --random-password
>> > > >> $ samba-tool spn add root/myclient.samdom.com root-myclient
>> > > >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>> > > >>
>> > > >> But nothing changes when I access the share. I tried to kinit this
>> > > >> principal but it fails. However, kinit with the machine principal works.
>> > > >>
>> > > >> $ kinit -k root/myclient.samdom.com
>> > > >> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in Kerberos database while getting initial credentials
>> > > >>
>> > > >> $ kinit -k MYCLIENT$
>> > > >> ok
>> > > >>
>> > > >> ---------
>> > > >> I tried creating a Samba root user.
>> > > >> ---------
>> > > >>
>> > > >> -> on the client I create a root user and export it to the keytab
>> > > >> $ samba-tool user add root
>> > > >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>> > > >>
>> > > >> Same problem, but here "kinit -k root" works.
>> > > >>
>> > > >> $ kinit -k root
>> > > >> ok
>> > > >>
>> > > >>
>> > > >> ------
>> > > >> I tried to kinit another Samba user
>> > > >> ------
>> > > >>
>> > > >> -> on the client I kinit a valid user and write to the share
>> > > >>
>> > > >> $  kinit validuser
>> > > >> $ touch /myshare/testfile2
>> > > >>
>> > > >> Here the nfs4 connection is not made with validuser's principal,
>> > > >> always with the machine's principal.
>> > > >>
>> > > >>
>> > > >> -------
>> > > >> So
>> > > >> -------
>> > > >>
>> > > >> I don't understand why I can "kinit root" but not "kinit
>> > > >> root/myclient.samdom.com". What's the difference between these
>> > > >> principals?
>> > > >>
>> > > >> I don't understand how the nfs4 client chooses the principal used to
>> > > >> make the connection to the nfs4 share. Why can the root user only use
>> > > >> the machine's principal?
>> > > >>
>> > > >> I don't know if the problem comes from the creation of the Kerberos
>> > > >> principals or from the nfs4 client not choosing the correct
>> > > >> principal...
>> > > >>
>> > > >> Can someone give me a tip?
>> > > >>
>> > > >> Thanks!
>> > > >>
>> > > >> Baptiste.
>> > > >>
>> > > >> --
>> > > >> To unsubscribe from this list go to the following URL and read the
>> > > >> instructions:  https://lists.samba.org/mailman/options/samba
>> > > >
>> > > >
>> > > >
>> > >
>> >
>> >
>> >
>>
>>
>>
>
>
>

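An added check for the three pieces this thread ends up relying on for root access over Kerberized NFSv4: the machine principal present in the client's /etc/krb5.keytab (Baptiste's rpc.gssd "no credentials" error came from its absence), a [Translation] Method in idmapd.conf that includes static, and a [Static] entry mapping that principal to root (Baptiste's proposed fix). This is example code written for this page, not code from the thread, from Samba or from nfs-utils. The klist -k output and idmapd.conf text are constructed samples reusing the thread's names (MYCLIENT$, SAMDOM.COM, myclient.samdom.com); the function names are mine. One caveat the thread does not spell out: with no_root_squash plus this static entry, the server treats any GSS context authenticated as MYCLIENT$@SAMDOM.COM as root, so the client keytab holding that key must stay readable by root only.

```python
"""Sanity-check the root-over-NFSv4 mapping chain discussed in the thread.

Three things have to line up:
  1. the client keytab holds the machine principal (rpc.gssd uses it for uid 0),
  2. idmapd's [Translation] Method includes "static",
  3. idmapd's [Static] section maps that principal to the local user "root".
"""
import configparser

# Constructed sample of `klist -k` output (not captured from the thread's hosts).
KLIST_K_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MYCLIENT$@SAMDOM.COM
   1 MYCLIENT$@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
"""

# Constructed idmapd.conf with the static translation Baptiste proposes.
IDMAPD_CONF = """[General]
Domain = samdom.com

[Translation]
Method = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
"""


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k`.

    Entry lines start with a numeric KVNO; header and ruler lines do not.
    Duplicate lines (one per enctype) collapse into the set.
    """
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1].strip())
    return principals


def parse_idmapd(text):
    """Parse idmapd.conf (INI syntax) without mangling principal names."""
    cp = configparser.ConfigParser(interpolation=None)
    # configparser lowercases keys by default; Kerberos principals are
    # case-sensitive, so keep MYCLIENT$@SAMDOM.COM exactly as written.
    cp.optionxform = str
    cp.read_string(text)
    return cp


def static_root_mappings(cp):
    """Principals that the [Static] section maps to the local user root."""
    if not cp.has_section("Static"):
        return set()
    return {princ for princ, user in cp.items("Static") if user.strip() == "root"}


def check_root_mapping(klist_output, idmapd_text, machine_principal):
    """Return a list of problems; an empty list means the chain is complete."""
    problems = []

    if machine_principal not in keytab_principals(klist_output):
        problems.append(
            f"{machine_principal} missing from keytab "
            "(rpc.gssd will report 'no credentials found')"
        )

    cp = parse_idmapd(idmapd_text)
    methods = [m.strip() for m in
               cp.get("Translation", "Method", fallback="nsswitch").split(",")]
    if "static" not in methods:
        problems.append("[Translation] Method does not include 'static'")

    if machine_principal not in static_root_mappings(cp):
        problems.append(f"no [Static] entry mapping {machine_principal} to root")

    return problems


if __name__ == "__main__":
    issues = check_root_mapping(KLIST_K_OUTPUT, IDMAPD_CONF, "MYCLIENT$@SAMDOM.COM")
    print("OK: root mapping chain complete" if not issues else "\n".join(issues))
```

On a real host, feed it `subprocess.run(["klist", "-k"], ...)` output and the contents of /etc/idmapd.conf; the machine principal is the one `kinit -k MYCLIENT$` succeeded with in the thread.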

