[Samba] nfs4 mounted homedir and kerberos tickets

Rowland Penny rowlandpenny241155 at gmail.com
Wed Sep 9 12:18:01 UTC 2015 

On 09/09/15 09:01, L.P.H. van Belle wrote:
> In addition
> Reading : https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>
> At the end, i see the Lines :
> for the console based logins and SSH failback to password to generate a Kerberos TGT ticket (as in if the passwordless login fails due to not having a suitable ticket on the calling machine). This is essential if using things like NFSv4 with Kerberos Authentication.
>
> I do have in smb.conf
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>
> and i did set
> /etc/security/pam_winbind.conf :
> krb5_auth = yes
> krb5_ccache_type = FILE
>
>
> greetz,
>
> Louis
>
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
>> Verzonden: woensdag 9 september 2015 8:39
>> Aan: 'L.P.H. van Belle'; samba at lists.samba.org
>> Onderwerp: AW: [Samba] nfs4 mounted homedir and kerberos tickets
>>
>> Hi Louis,
>>
>> please run "ssh -v" on client and member server and post the output.
>>
>> Did I get you right, that - when connection from your client to the print
>> server -
>> you do *not* get a password prompt?
>>
>> In that case I guess your client is trying to establish the connection not
>> via
>> kerberos/gssapi but publickey based: In that case the server cannot get
>> a valid kerberos ticket (because the required password was never sent)
>> and therefore will refuse access to the nfs share.
>>
>> The reason why this works on your member server may have several
>> causes:
>>
>>     1. different ssh client/server config on client/print/member server
>>     2. ssh keys / ssh-agent on client but not on member server
>>     3. cached krb5 credentials on server side
>>
>> According to my experience the last one is the worst to debug,
>> because the tickets used to access NFSv4 krb5 mounts need to be
>> copied to kernel space in order to work.
>> So in your case it might also be possible that the kernel still has
>> those valid tickets from a former login/kinit - even if you can't list
>> them using "klist".
>>
>> BTW:
>> If someone has an idea, how to locate and flush those keys in
>> kernel space (keyutils? /proc/keys?) I'd really like to hear about
>> that :-)
>>
>> Bye,
>>     Marcel
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von L.P.H.
>> van Belle
>> Gesendet: Dienstag, 8. September 2015 17:26
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>>
>> Yes, i've seen steves blogs, but thats not my solution
>>
>> It has to do with ticket exchange and/or passing the key from pc to
>> server.
>> But thats a bit out of my scope, so im hoping on a responce from someone
>> with good kerberos knowledge..
>>
>> I must be something im missing in /etc/krb5.conf or missing package.
>> As shown, it works all but not direct.
>>
>> So if anyone has kerberos knowlegde, would be a big help.
>>
>> The host and clients Mounts are ok, its just the access for the first time
>> on the print server ( with the nfs client Mount )
>>
>> But thanks anyway :-)
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>>> Verzonden: dinsdag 8 september 2015 16:55
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>>>
>>> On 08/09/15 15:33, L.P.H. van Belle wrote:
>>>> Hai,
>>>>
>>>>
>>>>
>>>> I have strange problem, i think its a simple thing, but im missing
>>>> some
>>> kerberos knowledge here..
>>>>
>>>>
>>>> Situation.
>>>>
>>>>
>>>>
>>>> I login with my pc on the AD domain, (works fine).
>>>>
>>>> Now i login on my member server with ssh (putty), using the ssh
>>>> single
>>> sign-on on my server where my
>>>> homedirs is  ( /home/users/username)  , this works fine.
>>>>
>>>>
>>>>
>>>> When i do the same to my print server, where the homedir is mounted
>>>> with
>>> nfsv4  kerberos base.
>>>> I get an error that im unable to access my home dir.
>>>>
>>>> ( see also the samba list subject : Re: [Samba] nfs based shared
>>>> home
>>> dir question )
>>>>
>>>>
>>>> When i do the following.
>>>>
>>>> I login to the member server, as described above, and then login to
>>>> the
>>> printserver from the member server,
>>>> I need to type my password and i DO have access to my home dir.
>>>>
>>>>
>>>>
>>>> Now i logout of both servers, test again from my pc with putty to my
>>> print server without type-ing passwords
>>>> and ? now it works as is should.
>>>>
>>>>
>>>>
>>>> What is missing here ?? must be something simple, but this i cant
>>>> find
>>> it.
>>>>
>>>>
>>>>
>>>>
>>>> And Rowland, ? now i know what you did mean about systemd? still
>>>> lots of
>>> bugs,
>>>> found serveral bugs, combined with nfs, due to above problems, and
>>>> not
>>> auto mounting my nfs based homedir etc.
>>>> but got that all fixed.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> /offtopic.
>>>>
>>>> On debian Jessie with nfs4 kerberos setup.
>>>>
>>>>
>>>>
>>>> On the server nfs server in fstab,
>>>>
>>>> Add the following after the bind option:
>>>>
>>>> bind,x-systemd.automount
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Client : with nfs4 kerberos when using fstab.
>>>>
>>>> Create the folder : /etc/systemd/system/nfs-common.service.d/
>>>>
>>>> And add this file with content : remote-fs-pre.conf
>>>>
>>>> [Unit]
>>>>
>>>> Before=remote-fs-pre.target
>>>>
>>>> Wants=remote-fs-pre.target
>>>>
>>>>
>>>>
>>>> This makes sure your mount really mounts at the end of starting up
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Greetz,
>>>>
>>>>
>>>>
>>>> Louis
>>>>
>>>>
>>> Hi Louis, I don't use NFS myself, but I think your problem is that you
>>> are using nfs4, try using nfs3 instead
>>>
>>> Steve, who used to post on here, wrote a blog on it, start reading here:
>>> http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
>>>
>>> I think he moved onto using nfs4, but not sure, just browse his blog
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Louis, could this be something as simple as the users homedir not 
getting created when the user first logs into the nfs4 kerberos based 
machine ? i.e. the kerberos login is not running pam_mkhomedir

Rowland

More information about the samba mailing list