[Samba] kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Fri Oct 9 13:42:54 UTC 2015


Hai Baptiste, 

OK, thanks for these, I'll test that also. 

And the "why" is a bit more explained here. 
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html 
and for example, 
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html 

First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking this on the samba list ;-) 

Gr, 

Louis 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 14:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
> 
> Thanks Louis! Very interesting!
> 
> Maybe the simplest method is to set a static translation.
> 
> 1) Enable the no_root_squash option in /etc/exports
> 
> 2) Set the translation in /etc/idmapd.conf
> 
> ------------------------
> /etc/idmap.conf
> ------------------------
> 
> ...
> [Translation]
> 
> Method = static,nsswitch
> 
> [Static]
> 
> MYCLIENT$@SAMDOM.COM = root
> 
> ------------------------
> 
> But I don't understand why, with samba, we can't authenticate as
> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
> seems that it is because we can't kinit them. But I don't understand
> why...
> 
> Thanks again !
> 
> Baptiste.
> 
> 
> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > Ok, now its clear to me.
> >
> > We need to set UMICH_SCHEMA in idmap.conf
> > Read : http://linux.die.net/man/5/idmapd.conf
> >
> > Working on it now.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> >> Sent: Friday 9 October 2015 13:34
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] kerberos nfs4's principals and root access
> >>
> >> Ok, not working...
> >>
> >> But found this...
> >>
> >> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
> >>
> >> 4.5 A known issue using NFS with kerberos
> >> _________________________________________
> >>
> >> Even if "no_root_squash" option is used, while exporting a filesystem at the
> >> server, root on the client gets a "Permission denied" error when creating
> >> files on the mount point.
> >>
> >> This is because there is no proper mapping between root and the
> >> GSSAuthName.
> >>
> >> Note: Trying to set 777 permission is not correct as it is not secure. Also,
> >> any file created on the mountpoint will have "nobody" as owner.
> >>
> >> There is a work around for this if both NFS server and client use umich_ldap
> >> methods to authenticate. If the idmapd on both server and client is configured
> >> to use umich_ldap modules then having GSSAuthName (<nfs/hostname at realm>)
> >> parameter map to root user, on the ldap server will solve this problem.
> >>
> >>
> >> Still reading, but should be solvable..
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >> > -----Original message-----
> >> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> >> > Sent: Friday 9 October 2015 13:17
> >> > To: samba at lists.samba.org
> >> > Subject: Re: [Samba] kerberos nfs4's principals and root access
> >> >
> >> > Hai Baptiste,
> >> >
> >> > I re-checked my setup and you're totally correct.
> >> > I can not enter the nfsV4 mounted directory as root.
> >> >
> >> > What I've added in idmap.conf is this:
> >> > Domain = your_DNS_domain.tld
> >> >
> >> > [Translation]
> >> >
> >> > Method = nsswitch
> >> >
> >> > And i found this link.
> >> >
> >> > http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
> >> >
> >> > I'm testing this now.
> >> >
> >> > Greetz,
> >> >
> >> > Louis
> >> >
> >> >
> >> >
> >> > > -----Original message-----
> >> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >> > > Sent: Friday 9 October 2015 11:34
> >> > > To: samba at lists.samba.org
> >> > > Subject: Re: [Samba] kerberos nfs4's principals and root access
> >> > >
> >> > > Thank you very much Louis!
> >> > >
> >> > > I have tried your setup and I can't mount the share, neither from the
> >> > > server itself nor from the client.
> >> > >
> >> > > In /var/log/syslog I have:
> >> > >
> >> > > rpc.gssd : ERROR : no credentials found for connecting to server myserver
> >> > >
> >> > > This is because the machine principal is not present in the keytab:
> >> > >
> >> > > $ klist -k
> >> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> >> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> >> > > 1 nfs/myclient.samdom.com at SAMDOM.COM
> >> > >
> >> > > If I add the machine principal, I can mount the share, but the root user
> >> > > writes as "machine", not as "root".
> >> > >
> >> > > Can you check your setup? Do you have your machine credential in
> >> > > /etc/krb5.keytab? (with klist -k)
> >> > >
> >> > > Do you do something related with kerberos when you log in as root?
> >> > >
> >> > > Do you have additional options in "/etc/idmap.conf"?
> >> > >
> >> > > Can you give me the result of:
> >> > >
> >> > > $klist
> >> > > $klist -k
> >> > >
> >> > > When you are logged in as root?
> >> > >
> >> > > Thank you again!
> >> > >
> >> > > Baptiste.
> >> > >
> >> > >
> >> > > 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >> > > > Hai,
> >> > > >
> >> > > > I had it the other way around. Only root access.
> >> > > >
> >> > > > I have scripted my setup and tested on Debian.
> >> > > > Look here:
> >> > > > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> >> > > >
> >> > > > If you get the file setup-nfsv4-kerberos.sh and compare it to your setup.
> >> > > > If you can read the bash script maybe you see something you missed.
> >> > > >
> >> > > > When I write as "root" it's root and not the machine account that owns
> >> > > > the file.
> >> > > >
> >> > > >
> >> > > > How is your exports file on the server configured?
> >> > > >
> >> > > > Greetz,
> >> > > >
> >> > > > Louis
> >> > > >
> >> > > >
> >> > > >
> >> > > >> -----Original message-----
> >> > > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >> > > >> Sent: Friday 9 October 2015 8:59
> >> > > >> To: samba at lists.samba.org
> >> > > >> Subject: [Samba] kerberos nfs4's principals and root access
> >> > > >>
> >> > > >> Hello Samba team!
> >> > > >>
> >> > > >> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> >> > > >> standard user accesses work fine.
> >> > > >>
> >> > > >> I am now trying to set up NFS4 root access to administer the share from
> >> > > >> another server (the two hosts are DCs, one PDC and one SDC). But I have
> >> > > >> trouble understanding the kerberos/principals layer.
> >> > > >>
> >> > > >> ------------
> >> > > >> Currently I do
> >> > > >> ------------
> >> > > >>
> >> > > >> -> on the server I create an nfs principal and export it to the keytab
> >> > > >> $ samba-tool user add nfs-myserver --random-password
> >> > > >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> >> > > >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> >> > > >>
> >> > > >> -> on the client I use the machine keytab.
> >> > > >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> >> > > >>
> >> > > >> With this setup all my domain users can write to the share. But when I
> >> > > >> try with the root account it uses the machine keytab (that's normal,
> >> > > >> root is not a domain user but has access to the keytab):
> >> > > >>
> >> > > >> -> on the client as root
> >> > > >> $ touch /myshare/testfile
> >> > > >>
> >> > > >> -> on the server
> >> > > >> $ ls -al /srv/nfs4/myshare/testfile
> >> > > >> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
> >> > > >>
> >> > > >> But I need root access!
> >> > > >>
> >> > > >> ----------
> >> > > >> I have tried with a root/myclient service principal name
> >> > > >> ----------
> >> > > >>
> >> > > >> -> on the client I create a root/myclient spn and export to keytab
> >> > > >> $ samba-tool user add root-myclient --random-password
> >> > > >> $ samba-tool spn add root/myclient.samdom.com root-myclient
> >> > > >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> >> > > >>
> >> > > >> But nothing changes when I access the share. I tried to kinit this
> >> > > >> principal but it fails. However kinit with the machine principal works.
> >> > > >>
> >> > > >> $ kinit -k  root/myclient.samdom.com
> >> > > >> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> >> > > >> kerberos database while getting initial credentials
> >> > > >>
> >> > > >> $ kinit -k MYCLIENT$
> >> > > >> ok
> >> > > >>
> >> > > >> ---------
> >> > > >> I tried creating a samba root user.
> >> > > >> ---------
> >> > > >>
> >> > > >> -> on the client I create a root user and export to keytab
> >> > > >> $ samba-tool user add root
> >> > > >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> >> > > >>
> >> > > >> Same problem but here "kinit -k root" works.
> >> > > >>
> >> > > >> $ kinit -k root
> >> > > >> ok
> >> > > >>
> >> > > >>
> >> > > >> ------
> >> > > >> I tried to kinit another samba user
> >> > > >> ------
> >> > > >>
> >> > > >> -> on the client I kinit a valid user and write to the share
> >> > > >>
> >> > > >> $  kinit validuser
> >> > > >> $ touch /myshare/testfile2
> >> > > >>
> >> > > >> Here the nfs4 connection is not made with the validuser's principal.
> >> > > >> Always with the machine's principal.
> >> > > >>
> >> > > >>
> >> > > >> -------
> >> > > >> So
> >> > > >> -------
> >> > > >>
> >> > > >> I don't understand why I can "kinit root" but not "kinit
> >> > > >> root/myclient.samdom.com". What's the difference between these
> >> > > >> principals?
> >> > > >>
> >> > > >> I don't understand how the nfs4 client chooses the principal used to
> >> > > >> make the connection to the nfs4 share. Why can the root user only use
> >> > > >> the machine's principal?
> >> > > >>
> >> > > >> I don't know if the problem comes from the creation of kerberos
> >> > > >> principals or from the nfs4 client not choosing the correct
> >> > > >> principal...
> >> > > >>
> >> > > >> Can someone give me a tip?
> >> > > >>
> >> > > >> Thanks!
> >> > > >>
> >> > > >> Baptiste.
> >> > > >>
> >> > > >> --
> >> > > >> To unsubscribe from this list go to the following URL and read the
> >> > > >> instructions:  https://lists.samba.org/mailman/options/samba
> >> > > >
> >> > > >
> >> > > >
> >> > >
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >
> >
> >
> 

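An added check, not part of this thread: with the static translation Baptiste quotes above (MYCLIENT$@SAMDOM.COM = root in the [Static] section) combined with no_root_squash, anyone who can read the client's machine keytab becomes uid 0 on those exports, so it is worth auditing which principals an idmapd.conf maps to root and which exports honour root at all. The file paths, sample contents and function names below are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (constructed example, not from the thread): list the principals
# an idmapd.conf statically maps to root and the exports that honour root.
# Print "principal account" pairs from the [Static] section of an idmapd.conf.
static_mappings() {
    awk '
        /^[ \t]*\[/ { in_static = ($0 ~ /\[Static\]/); next }
        in_static && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "") print key, val
        }' "$1"
}

# Print the export paths whose option list contains no_root_squash.
root_exports() {
    awk '$0 !~ /^[ \t]*#/ && /no_root_squash/ { print $1 }' "$1"
}

# Warn for every principal idmapd turns into root, naming the exports where it matters.
audit_root_mapping() {
    static_mappings "$1" | while read -r principal account; do
        [ "$account" = "root" ] || continue
        paths=$(root_exports "$2" | tr '\n' ' ')
        if [ -n "$paths" ]; then
            echo "WARN: $principal becomes uid 0 on: $paths"
        else
            echo "INFO: $principal maps to root but no export sets no_root_squash"
        fi
    done
}

# Constructed sample files mirroring the setup discussed in the thread.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/idmapd.conf" <<'EOF'
[Translation]
Method = static,nsswitch
[Static]
# the client's machine account is mapped to the local root user
MYCLIENT$@SAMDOM.COM = root
nfs/myserver.samdom.com@SAMDOM.COM = nobody
EOF
cat > "$TMP/exports" <<'EOF'
/srv/nfs4/myshare myclient.samdom.com(rw,sec=krb5p,no_root_squash)
/srv/nfs4/public  *.samdom.com(ro,sec=krb5)
EOF
audit_root_mapping "$TMP/idmapd.conf" "$TMP/exports"
```

Run it against the real /etc/idmapd.conf and /etc/exports on the NFS server to see exactly which Kerberos principals end up with root rights on which paths.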