[Samba] nfs4 mounted homedir and kerberos tickets
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 9 07:54:44 UTC 2015
Hai Marcel, thank you for the response.. I'm pulling my hair out here...
So I hope you get an idea of what I'm missing.
I'll post you as much as I can.
I used this as base :
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
When connecting from my Windows 7 PC to the print server, I don't get a password prompt, and I'm automatically logged in, but I get:
Could not chdir to home directory /home/users/someuser: Permission denied
And
cd /home/users
-bash: cd: /home/users: Permission denied
When I do the same on the server where the homedir exists, on the member server, I can log in without typing a password, with no errors, and
I am in my user homedir.
pwd
/home/users/someuser
I don't use publickey for ssh logins, at least not on these servers,
and not on my PC.
> 1. different ssh client/server config on client/print/member server
They are the same, just checked.
> 2. ssh keys / ssh-agent on client but not on member server
Not using ssh-agent / keys.
> 3. cached krb5 credentials on server side
Don't know, how can I see that? Like:
(logged in as someuser on the print server)
klist
klist: Credentials cache file '/tmp/krb5cc_10002' not found
Now the magic.. I'm logged in on the member server, in my home dir.
Here I type:
ssh printserver
I must enter my password and I'm in my homedir.
Where before (from the Windows 7 PC) I got:
Could not chdir to home directory /home/users/someuser: Permission denied
Now I log out of all servers, click on PuTTY to log in on my print server again, and now no errors, all fine, and I'm sure this is not a keyed.
Now I reboot the print server. Log in again from the Windows 7 PC.
Again: Could not chdir to home directory /home/users/someuser: Permission denied
Another trick to get access to my home dir..
sudo su -
[sudo] password for someuser:
Now I exit (the sudo),
type cd ~
and I'm allowed in my home dir.
??
ssh -V
OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015
sshd_config (server and client)
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes # If your version supports this
GSSAPIStoreCredentialsOnRekey yes # If your version supports this
ssh_config ( server and client )
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes # If your version supports this
GSSAPIRenewalForcesRekey yes # If your version supports this
GSSAPITrustDns yes
/etc/krb5.conf
[libdefaults]
default_realm = ROTTERDAM.BAZUIN.NL
dns_lookup_kdc = true
dns_lookup_realm = false
(as root, sudo-ed from someuser on the print server)
klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someuser@INTERNAL.DOMAIN.TLD
Valid starting       Expires              Service principal
09/09/2015 09:44:45  09/09/2015 19:44:45  krbtgt/INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
	renew until 09/10/2015 09:44:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld@
	renew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld@INTERNAL.DOMAIN.TLD
	renew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
If you need more, let me know..
Greetz,
Louis
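Added diagnostic example, not part of this thread: a small Python parser for MIT `klist -e` output like the one posted above. It reports whether the login session actually holds a delegated TGT, whether that TGT has expired at a given time, and whether the nfs/ service ticket was issued with a weak enctype such as arcfour-hmac (RC4), which the output above shows. The sample input is constructed; realm, host and cache names are placeholders.

```python
import re
from datetime import datetime
# Constructed klist -e output (placeholder names), modelled on the thread's format.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_10002
Default principal: someuser@INTERNAL.DOMAIN.TLD
09/09/2015 09:44:45  09/09/2015 19:44:45  krbtgt/INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
\trenew until 09/10/2015 09:44:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld@
\trenew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld@INTERNAL.DOMAIN.TLD
\trenew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""
FMT = "%m/%d/%Y %H:%M:%S"
DATE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^{DATE}\s+({DATE})\s+(\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([^,]+), (\S+)")
WEAK_ETYPES = {"arcfour-hmac", "arcfour-hmac-exp", "des-cbc-crc", "des-cbc-md5"}

def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist -e output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            expires = datetime.strptime(m.group(1), FMT)
            tickets.append({"expires": expires, "service": m.group(2), "etypes": ()})
        elif (m := ETYPE_RE.search(line)) and tickets:
            # the indented "renew until ..., Etype ..." line belongs to the ticket above it
            tickets[-1]["etypes"] = (m.group(1).strip(), m.group(2).strip())
    return principal, tickets

def check_nfs_access(text, now_str):
    """List reasons a krb5 NFSv4 home directory may be unreachable from this cache."""
    now = datetime.strptime(now_str, FMT)
    principal, tickets = parse_klist(text)
    if principal is None:
        return ["no credential cache: nothing was delegated to this login session"]
    findings = []
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        findings.append("no TGT: rpc.gssd cannot request an nfs/ service ticket")
    elif all(t["expires"] <= now for t in tgts):
        findings.append("TGT expired: a fresh kinit or delegated login is needed")
    for t in tickets:
        service, _, realm = t["service"].partition("@")
        if service.startswith("nfs/") and realm:  # skip the empty-realm referral copy
            if weak := sorted({e for e in t["etypes"] if e in WEAK_ETYPES}):
                findings.append(f"{t['service']}: weak enctype {', '.join(weak)} (RC4/DES)")
    return findings
```

Run it against the output of `klist -e` from the user's own session (not from a root shell after sudo, which reads root's cache): an empty result means the cache can support the mount, while "no credential cache" points at the GSSAPI delegation between client and server.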
> -----Original message-----
> From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> Sent: Wednesday 9 September 2015 8:39
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>
> Hi Louis,
>
> please run "ssh -v" on client and member server and post the output.
>
> Did I get you right, that - when connecting from your client to the print
> server - you do *not* get a password prompt?
>
> In that case I guess your client is trying to establish the connection not
> via kerberos/gssapi but publickey based: In that case the server cannot get
> a valid kerberos ticket (because the required password was never sent)
> and therefore will refuse access to the nfs share.
>
> The reason why this works on your member server may have several
> causes:
>
> 1. different ssh client/server config on client/print/member server
> 2. ssh keys / ssh-agent on client but not on member server
> 3. cached krb5 credentials on server side
>
> According to my experience the last one is the worst to debug,
> because the tickets used to access NFSv4 krb5 mounts need to be
> copied to kernel space in order to work.
> So in your case it might also be possible that the kernel still has
> those valid tickets from a former login/kinit - even if you can't list
> them using "klist".
>
> BTW:
> If someone has an idea how to locate and flush those keys in
> kernel space (keyutils? /proc/keys?), I'd really like to hear about
> that :-)
>
> Bye,
> Marcel
>
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H.
> van Belle
> Sent: Tuesday, 8 September 2015 17:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>
> Yes, I've seen Steve's blogs, but that's not my solution.
>
> It has to do with ticket exchange and/or passing the key from PC to
> server.
> But that's a bit out of my scope, so I'm hoping for a response from someone
> with good kerberos knowledge..
>
> It must be something I'm missing in /etc/krb5.conf or a missing package.
> As shown, it all works, but not directly.
>
> So if anyone has kerberos knowledge, it would be a big help.
>
> The host and client mounts are ok, it's just the access for the first time
> on the print server (with the nfs client mount).
>
> But thanks anyway :-)
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > Sent: Tuesday 8 September 2015 16:55
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >
> > On 08/09/15 15:33, L.P.H. van Belle wrote:
> > > Hai,
> > >
> > > I have a strange problem, I think it's a simple thing, but I'm missing
> > > some kerberos knowledge here..
> > >
> > > Situation.
> > >
> > > I log in with my PC on the AD domain (works fine).
> > >
> > > Now I log in on my member server with ssh (PuTTY), using the ssh single
> > > sign-on, on my server where my homedirs are (/home/users/username); this
> > > works fine.
> > >
> > > When I do the same to my print server, where the homedir is mounted with
> > > nfsv4 kerberos based, I get an error that I'm unable to access my home dir.
> > > (see also the samba list subject: Re: [Samba] nfs based shared home dir
> > > question)
> > >
> > > When I do the following.
> > > I log in to the member server, as described above, and then log in to
> > > the printserver from the member server, I need to type my password and
> > > I DO have access to my home dir.
> > >
> > > Now I log out of both servers, test again from my PC with PuTTY to my
> > > print server without typing passwords, and ? now it works as it should.
> > >
> > > What is missing here ?? must be something simple, but this I can't find.
> > >
> > > And Rowland, ? now I know what you meant about systemd? still lots of
> > > bugs, found several bugs, combined with nfs, due to the above problems, and
> > > not auto mounting my nfs based homedir etc. but got that all fixed.
> > >
> > > /offtopic.
> > >
> > > On Debian Jessie with nfs4 kerberos setup.
> > >
> > > On the nfs server in fstab, add the following after the bind option:
> > > bind,x-systemd.automount
> > >
> > > Client: with nfs4 kerberos when using fstab.
> > > Create the folder: /etc/systemd/system/nfs-common.service.d/
> > > And add this file with content: remote-fs-pre.conf
> > > [Unit]
> > > Before=remote-fs-pre.target
> > > Wants=remote-fs-pre.target
> > >
> > > This makes sure your mount really mounts at the end of starting up.
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> >
> > Hi Louis, I don't use NFS myself, but I think your problem is that you
> > are using nfs4, try using nfs3 instead
> >
> > Steve, who used to post on here, wrote a blog on it, start reading here:
> > http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> >
> > I think he moved onto using nfs4, but not sure, just browse his blog
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>