[Samba] nfs4 mounted homedir and kerberos tickets

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Wed Sep 9 06:39:20 UTC 2015


Hi Louis,

Please run "ssh -v" on client and member server and post the output.

Did I get you right, that - when connecting from your client to the print server -
you do *not* get a password prompt?

In that case I guess your client is trying to establish the connection not via
Kerberos/GSSAPI but publickey-based: in that case the server cannot get
a valid Kerberos ticket (because the required password was never sent)
and therefore will refuse access to the NFS share.

The reason why this works on your member server may have several
causes:

   1. different ssh client/server config on client/print/member server
   2. ssh keys / ssh-agent on client but not on member server
   3. cached krb5 credentials on server side

According to my experience the last one is the worst to debug,
because the tickets used to access NFSv4 krb5 mounts need to be
copied to kernel space in order to work.
So in your case it might also be possible that the kernel still has
those valid tickets from a former login/kinit - even if you can't list
them using "klist".

BTW:
If someone has an idea how to locate and flush those keys in
kernel space (keyutils? /proc/keys?), I'd really like to hear about
that :-)

Bye,
   Marcel
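
The publickey-versus-Kerberos question raised in this message can be read off the "ssh -v" client output it asks for. The script below is an added example, not part of the original thread: it goes slightly beyond the message by also separating GSSAPI logins with and without credential delegation, the sample log lines are constructed, the function names and verdict words are hypothetical labels, and a Kerberos-enabled PAM stack on the server is assumed for the password case.

```shell
#!/bin/sh
# Added example: classify a saved `ssh -v` client log by the auth method that
# succeeded and whether that login can leave a Kerberos ticket on the server.

# Print the method from the last "Authentication succeeded (...)" line of $1.
ssh_auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*/\1/p' "$1" | tail -n 1
}

# Print a one-word verdict (hypothetical labels) for the log file $1.
ssh_ticket_verdict() {
    method=$(ssh_auth_method "$1")
    case "$method" in
        password|keyboard-interactive)
            # The password reached the server, so a Kerberos-enabled PAM
            # stack (assumed) can obtain a ticket with it.
            echo "password-sent" ;;
        gssapi-with-mic|gssapi-keyex)
            # GSSAPI leaves a ticket only if the client delegated its TGT.
            if grep -q '^debug1: Delegating credentials' "$1"; then
                echo "gssapi-delegated"
            else
                echo "gssapi-not-delegated"
            fi ;;
        publickey|hostbased)
            # No password and no ticket ever reach the server.
            echo "no-ticket" ;;
        *)  echo "unknown" ;;
    esac
}

# Constructed sample logs (not taken from the thread).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pubkey.log" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).
EOF
cat > "$SAMPLE_DIR/gssapi.log" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
EOF

for f in "$SAMPLE_DIR"/*.log; do
    printf '%s: %s\n' "${f##*/}" "$(ssh_ticket_verdict "$f")"
done
```

A "no-ticket" or "gssapi-not-delegated" verdict for a login that still reaches the NFS home directory points at the cached-credential case from item 3 of the list above.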


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
Sent: Tuesday, 8 September 2015 17:26
To: samba at lists.samba.org
Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets

Yes, I've seen Steve's blogs, but that's not my solution.

It has to do with ticket exchange and/or passing the key from PC to server.
But that's a bit out of my scope, so I'm hoping for a response from someone with good Kerberos knowledge.

It must be something I'm missing in /etc/krb5.conf or a missing package.
As shown, it all works, but not directly.

So if anyone has Kerberos knowledge, that would be a big help.

The host and client mounts are OK; it's just the access for the first time on the print server (with the NFS client mount).

But thanks anyway :-)

Greetz, 

Louis



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Tuesday, 8 September 2015 16:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> On 08/09/15 15:33, L.P.H. van Belle wrote:
> > Hi,
> >
> > I have a strange problem. I think it's a simple thing, but I'm missing some Kerberos knowledge here.
> >
> > Situation:
> >
> > I log in with my PC on the AD domain (works fine).
> >
> > Now I log in on my member server with ssh (putty), using the ssh single sign-on, on my server where my
> > homedir is (/home/users/username); this works fine.
> >
> > When I do the same to my print server, where the homedir is mounted with nfsv4, Kerberos based,
> > I get an error that I'm unable to access my home dir.
> > (See also the samba list subject: Re: [Samba] nfs based shared home dir question)
> >
> > When I do the following:
> > I log in to the member server, as described above, and then log in to the print server from the member server,
> > I need to type my password and I DO have access to my home dir.
> >
> > Now I log out of both servers, test again from my PC with putty to my print server without typing passwords,
> > and … now it works as it should.
> >
> > What is missing here? It must be something simple, but I can't find it.
> >
> > And Rowland, … now I know what you meant about systemd… still lots of bugs.
> > I found several bugs, combined with nfs, due to the above problems, and not auto-mounting my nfs-based homedir etc.,
> > but got that all fixed.
> >
> > /offtopic.
> >
> > On Debian Jessie with nfs4 Kerberos setup.
> >
> > On the nfs server, in fstab,
> > add the following after the bind option:
> >
> > bind,x-systemd.automount
> >
> > Client: with nfs4 Kerberos when using fstab.
> > Create the folder: /etc/systemd/system/nfs-common.service.d/
> > And add this file with content: remote-fs-pre.conf
> >
> > [Unit]
> > Before=remote-fs-pre.target
> > Wants=remote-fs-pre.target
> >
> > This makes sure your mount really mounts at the end of starting up.
> >
> > Greetz,
> >
> > Louis
> >
> 
> Hi Louis, I don't use NFS myself, but I think your problem is that you 
> are using nfs4, try using nfs3 instead
> 
> Steve, who used to post on here, wrote a blog on it, start reading here:
> http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> 
> I think he moved onto using nfs4, but not sure, just browse his blog
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


