[Samba] nfs4 mounted homedir and kerberos tickets

L.P.H. van Belle belle at bazuin.nl
Wed Sep 9 08:01:05 UTC 2015


In addition,
reading: https://wiki.samba.org/index.php/OpenSSH_Single_sign-on

At the end, I see the lines:
for the console based logins and SSH failback to password to generate a Kerberos TGT ticket (as in if the passwordless login fails due to not having a suitable ticket on the calling machine). This is essential if using things like NFSv4 with Kerberos Authentication.

I do have in smb.conf:
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

and I did set
/etc/security/pam_winbind.conf:
    krb5_auth = yes
    krb5_ccache_type = FILE


greetz, 

Louis




> -----Original message-----
> From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> Sent: Wednesday 9 September 2015 8:39
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: AW: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> Hi Louis,
> 
> please run "ssh -v" on client and member server and post the output.
> 
> Did I get you right, that - when connecting from your client to the print
> server - you do *not* get a password prompt?
> 
> In that case I guess your client is trying to establish the connection not
> via kerberos/gssapi but publickey based: In that case the server cannot get
> a valid kerberos ticket (because the required password was never sent)
> and therefore will refuse access to the nfs share.
> 
> The reason why this works on your member server may have several
> causes:
> 
>    1. different ssh client/server config on client/print/member server
>    2. ssh keys / ssh-agent on client but not on member server
>    3. cached krb5 credentials on server side
> 
> According to my experience the last one is the worst to debug,
> because the tickets used to access NFSv4 krb5 mounts need to be
> copied to kernel space in order to work.
> So in your case it might also be possible that the kernel still has
> those valid tickets from a former login/kinit - even if you can't list
> them using "klist".
> 
> BTW:
> If someone has an idea, how to locate and flush those keys in
> kernel space (keyutils? /proc/keys?) I'd really like to hear about
> that :-)
> 
> Bye,
>    Marcel
> 
> 
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H.
> van Belle
> Sent: Tuesday, 8 September 2015 17:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> Yes, I've seen Steve's blogs, but that's not my solution.
> 
> It has to do with ticket exchange and/or passing the key from pc to
> server.
> But that's a bit out of my scope, so I'm hoping for a response from someone
> with good kerberos knowledge..
> 
> It must be something I'm missing in /etc/krb5.conf or a missing package.
> As shown, it all works, but not directly.
> 
> So if anyone has kerberos knowledge, that would be a big help.
> 
> The host and client mounts are ok, it's just the access for the first time
> on the print server ( with the nfs client mount )
> 
> But thanks anyway :-)
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > Sent: Tuesday 8 September 2015 16:55
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >
> > On 08/09/15 15:33, L.P.H. van Belle wrote:
> > > Hai,
> > >
> > > I have a strange problem, I think it's a simple thing, but I'm missing
> > > some kerberos knowledge here..
> > >
> > > Situation.
> > >
> > > I login with my pc on the AD domain, (works fine).
> > >
> > > Now I login on my member server with ssh (putty), using the ssh
> > > single sign-on on my server where my
> > > homedir is ( /home/users/username ), this works fine.
> > >
> > > When I do the same to my print server, where the homedir is mounted
> > > with nfsv4 kerberos based.
> > >
> > > I get an error that I'm unable to access my home dir.
> > >
> > > ( see also the samba list subject : Re: [Samba] nfs based shared
> > > home dir question )
> > >
> > > When I do the following.
> > >
> > > I login to the member server, as described above, and then login to
> > > the printserver from the member server,
> > >
> > > I need to type my password and I DO have access to my home dir.
> > >
> > > Now I logout of both servers, test again from my pc with putty to my
> > > print server without typing passwords
> > >
> > > and ... now it works as it should.
> > >
> > > What is missing here ?? must be something simple, but this I can't
> > > find.
> > >
> > > And Rowland, ... now I know what you did mean about systemd... still
> > > lots of bugs,
> > >
> > > found several bugs, combined with nfs, due to above problems, and
> > > not auto mounting my nfs based homedir etc.
> > >
> > > but got that all fixed.
> > >
> > > /offtopic.
> > >
> > > On debian Jessie with nfs4 kerberos setup.
> > >
> > > On the server nfs server in fstab,
> > >
> > > Add the following after the bind option:
> > >
> > > bind,x-systemd.automount
> > >
> > > Client : with nfs4 kerberos when using fstab.
> > >
> > > Create the folder : /etc/systemd/system/nfs-common.service.d/
> > >
> > > And add this file with content : remote-fs-pre.conf
> > >
> > > [Unit]
> > > Before=remote-fs-pre.target
> > > Wants=remote-fs-pre.target
> > >
> > > This makes sure your mount really mounts at the end of starting up
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> >
> > Hi Louis, I don't use NFS myself, but I think your problem is that you
> > are using nfs4, try using nfs3 instead
> >
> > Steve, who used to post on here, wrote a blog on it, start reading here:
> > http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> >
> > I think he moved onto using nfs4, but not sure, just browse his blog
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
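
One way to check the diagnosis discussed in this thread (a publickey login sends no password, so the server never obtains a ticket for the NFSv4 krb5 home directory), as an added example that is not part of the original messages. The debug strings it matches are assumptions about OpenSSH client output, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify how an "ssh -v" session authenticated and whether
# that method can leave a Kerberos TGT on the server side.
# Assumption: the matched strings are those printed by the OpenSSH client.

# Reads "ssh -v" debug output on stdin, prints "<method> <verdict>".
classify_ssh_auth() {
    awk '
        # Older clients: debug1: Authentication succeeded (publickey).
        /Authentication succeeded \(/ {
            m = $0
            sub(/.*Authentication succeeded \(/, "", m); sub(/\).*/, "", m)
            method = m
        }
        # Newer clients: Authenticated to host ([addr]:22) using "publickey".
        /Authenticated to .* using "/ {
            m = $0
            sub(/.* using "/, "", m); sub(/".*/, "", m)
            method = m
        }
        # Printed when the client forwards its ticket over GSSAPI.
        /Delegating credentials/ { deleg = 1 }
        END {
            if (method == "publickey") {
                verdict = "no-ticket"          # no password, nothing to kinit with
            } else if (method == "password" || method == "keyboard-interactive") {
                verdict = "ticket-via-pam"     # pam_winbind with krb5_auth = yes
            } else if (method ~ /^gssapi/) {
                verdict = deleg ? "ticket-delegated" : "no-ticket"
            } else {
                method = "unknown"; verdict = "unknown"
            }
            print method, verdict
        }'
}

# Constructed sample of a key-based login (not captured from the thread).
sample_publickey() {
    printf '%s\n' \
        'debug1: Offering public key: /home/user/.ssh/id_rsa' \
        'debug1: Authentication succeeded (publickey).'
}

sample_publickey | classify_ssh_auth
```

Against a live host the function is fed from the client's debug stream, for example `ssh -v user@printserver true 2>&1 | classify_ssh_auth`, where `user@printserver` is a placeholder.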



