[Samba] nfs4 mounted homedir and kerberos tickets

L.P.H. van Belle belle at bazuin.nl
Wed Sep 9 07:54:44 UTC 2015 

Hai Marcel, thank you for responce.. im pulling my hair out here... 
So i hope you get a idea what im missing. 

I'll post you as many as i can.

I used this as base : 
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on 

When connection from my windows 7 pc to the print server, i dont get a password prompt, and i automatictly logged in but i get : 
Could not chdir to home directory /home/users/someuser: Permission denied
And 
cd /home/users
-bash: cd: /home/users: Permission denied

When i do the same on the server where the homedir exists,on the member server, I can login, without typing password, and the no errors and 
i am in my user homedir. 

pwd
/home/users/someuser

I dont use publickey for ssh logins, at least not on these servers,
And not on my pc.

>    1. different ssh client/server config on client/print/member server
Are the same, just checked. 
>    2. ssh keys / ssh-agent on client but not on member server
Not using ssh-agent /keys 
>    3. cached krb5 credentials on server side
Dont know, how can i see that, like ? 
( login in with someuser on the print server ) 
klist
klist: Credentials cache file '/tmp/krb5cc_10002' not found

now the magic.. im logged in the member server, in my home dir. 
Here I type : 
ssh printserver
i must enter my password and im in my homedir.
There where i before (from the windows 7 pc) got :
Could not chdir to home directory /home/users/someuser: Permission denied

Now i logout of all servers, klik on putty to login on my print server again and now no errors, all fine, and im sure this is not a keyed. 

Now i reboot the print server. Login again from the windows 7 pc. 
Again : Could not chdir to home directory /home/users/someuser: Permission denied

Other trick to get access to my home dir.. 
sudo su -
[sudo] password for someuser:

Now i exit (the sudo) 
Type cd ~
And im allowed in my home dir. 

?? 

ssh -V 
OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015 

sshd_config (server and client) 
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes                # If your version supports this
GSSAPIStoreCredentialsOnRekey yes    # If your version supports this


ssh_config ( server and client ) 
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes         # If your version supports this
    GSSAPIRenewalForcesRekey yes  # If your version supports this
    GSSAPITrustDns yes

/etc/krb5.conf
[libdefaults]
    default_realm = ROTTERDAM.BAZUIN.NL
    dns_lookup_kdc = true
    dns_lookup_realm = false


( as root , sudo-ed from someuser on the print server)
klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someuser at INTERNAL.DOMAIN.TLD

Valid starting       Expires              Service principal
09/09/2015 09:44:45  09/09/2015 19:44:45  krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD
        renew until 09/10/2015 09:44:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld@
        renew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
09/09/2015 09:44:57  09/09/2015 19:44:45  nfs/member1.internal.domain.tld at INTERNAL.DOMAIN.TLD
        renew until 09/10/2015 09:44:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


If you need more, let me know.. 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> Verzonden: woensdag 9 september 2015 8:39
> Aan: 'L.P.H. van Belle'; samba at lists.samba.org
> Onderwerp: AW: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> Hi Louis,
> 
> please run "ssh -v" on client and member server and post the output.
> 
> Did I get you right, that - when connection from your client to the print
> server -
> you do *not* get a password prompt?
> 
> In that case I guess your client is trying to establish the connection not
> via
> kerberos/gssapi but publickey based: In that case the server cannot get
> a valid kerberos ticket (because the required password was never sent)
> and therefore will refuse access to the nfs share.
> 
> The reason why this works on your member server may have several
> causes:
> 
>    1. different ssh client/server config on client/print/member server
>    2. ssh keys / ssh-agent on client but not on member server
>    3. cached krb5 credentials on server side
> 
> According to my experience the last one is the worst to debug,
> because the tickets used to access NFSv4 krb5 mounts need to be
> copied to kernel space in order to work.
> So in your case it might also be possible that the kernel still has
> those valid tickets from a former login/kinit - even if you can't list
> them using "klist".
> 
> BTW:
> If someone has an idea, how to locate and flush those keys in
> kernel space (keyutils? /proc/keys?) I'd really like to hear about
> that :-)
> 
> Bye,
>    Marcel
> 
> 
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von L.P.H.
> van Belle
> Gesendet: Dienstag, 8. September 2015 17:26
> An: samba at lists.samba.org
> Betreff: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> Yes, i've seen steves blogs, but thats not my solution
> 
> It has to do with ticket exchange and/or passing the key from pc to
> server.
> But thats a bit out of my scope, so im hoping on a responce from someone
> with good kerberos knowledge..
> 
> I must be something im missing in /etc/krb5.conf or missing package.
> As shown, it works all but not direct.
> 
> So if anyone has kerberos knowlegde, would be a big help.
> 
> The host and clients Mounts are ok, its just the access for the first time
> on the print server ( with the nfs client Mount )
> 
> But thanks anyway :-)
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
> > Verzonden: dinsdag 8 september 2015 16:55
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >
> > On 08/09/15 15:33, L.P.H. van Belle wrote:
> > > Hai,
> > >
> > >
> > >
> > > I have strange problem, i think its a simple thing, but im missing
> > > some
> > kerberos knowledge here..
> > >
> > >
> > >
> > > Situation.
> > >
> > >
> > >
> > > I login with my pc on the AD domain, (works fine).
> > >
> > > Now i login on my member server with ssh (putty), using the ssh
> > > single
> > sign-on on my server where my
> > >
> > > homedirs is  ( /home/users/username)  , this works fine.
> > >
> > >
> > >
> > > When i do the same to my print server, where the homedir is mounted
> > > with
> > nfsv4  kerberos base.
> > >
> > > I get an error that im unable to access my home dir.
> > >
> > > ( see also the samba list subject : Re: [Samba] nfs based shared
> > > home
> > dir question )
> > >
> > >
> > >
> > > When i do the following.
> > >
> > > I login to the member server, as described above, and then login to
> > > the
> > printserver from the member server,
> > >
> > > I need to type my password and i DO have access to my home dir.
> > >
> > >
> > >
> > > Now i logout of both servers, test again from my pc with putty to my
> > print server without type-ing passwords
> > >
> > > and ? now it works as is should.
> > >
> > >
> > >
> > > What is missing here ?? must be something simple, but this i cant
> > > find
> > it.
> > >
> > >
> > >
> > >
> > >
> > > And Rowland, ? now i know what you did mean about systemd? still
> > > lots of
> > bugs,
> > >
> > > found serveral bugs, combined with nfs, due to above problems, and
> > > not
> > auto mounting my nfs based homedir etc.
> > >
> > > but got that all fixed.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > /offtopic.
> > >
> > > On debian Jessie with nfs4 kerberos setup.
> > >
> > >
> > >
> > > On the server nfs server in fstab,
> > >
> > > Add the following after the bind option:
> > >
> > > bind,x-systemd.automount
> > >
> > >
> > >
> > >
> > >
> > > Client : with nfs4 kerberos when using fstab.
> > >
> > > Create the folder : /etc/systemd/system/nfs-common.service.d/
> > >
> > > And add this file with content : remote-fs-pre.conf
> > >
> > > [Unit]
> > >
> > > Before=remote-fs-pre.target
> > >
> > > Wants=remote-fs-pre.target
> > >
> > >
> > >
> > > This makes sure your mount really mounts at the end of starting up
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Greetz,
> > >
> > >
> > >
> > > Louis
> > >
> > >
> >
> > Hi Louis, I don't use NFS myself, but I think your problem is that you
> > are using nfs4, try using nfs3 instead
> >
> > Steve, who used to post on here, wrote a blog on it, start reading here:
> > http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> >
> > I think he moved onto using nfs4, but not sure, just browse his blog
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list