[Samba] nfs4 mounted homedir and kerberos tickets

L.P.H. van Belle belle at bazuin.nl
Wed Sep 9 12:37:13 UTC 2015



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 9 September 2015 14:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> On 09/09/15 09:01, L.P.H. van Belle wrote:
> > In addition
> > Reading : https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> >
> > At the end, I see the lines:
> > for the console based logins and SSH failback to password to generate a
> > Kerberos TGT ticket (as in if the passwordless login fails due to not
> > having a suitable ticket on the calling machine). This is essential if
> > using things like NFSv4 with Kerberos Authentication.
> >
> > I do have in smb.conf
> >      dedicated keytab file = /etc/krb5.keytab
> >      kerberos method = secrets and keytab
> >
> > and I did set
> > /etc/security/pam_winbind.conf :
> > krb5_auth = yes
> > krb5_ccache_type = FILE
> >
> >
> > greetz,
> >
> > Louis
> >
> >
> >
> >
> >> -----Original message-----
> >> From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> >> Sent: Wednesday 9 September 2015 8:39
> >> To: 'L.P.H. van Belle'; samba at lists.samba.org
> >> Subject: RE: [Samba] nfs4 mounted homedir and kerberos tickets
> >>
> >> Hi Louis,
> >>
> >> please run "ssh -v" on client and member server and post the output.
> >>
> >> Did I get you right, that - when connecting from your client to the print
> >> server - you do *not* get a password prompt?
> >>
> >> In that case I guess your client is trying to establish the connection not
> >> via kerberos/gssapi but publickey based: In that case the server cannot get
> >> a valid kerberos ticket (because the required password was never sent)
> >> and therefore will refuse access to the nfs share.
> >>
> >> The reason why this works on your member server may have several
> >> causes:
> >>
> >>     1. different ssh client/server config on client/print/member server
> >>     2. ssh keys / ssh-agent on client but not on member server
> >>     3. cached krb5 credentials on server side
> >>
> >> According to my experience the last one is the worst to debug,
> >> because the tickets used to access NFSv4 krb5 mounts need to be
> >> copied to kernel space in order to work.
> >> So in your case it might also be possible that the kernel still has
> >> those valid tickets from a former login/kinit - even if you can't list
> >> them using "klist".
> >>
> >> BTW:
> >> If someone has an idea, how to locate and flush those keys in
> >> kernel space (keyutils? /proc/keys?) I'd really like to hear about
> >> that :-)
> >>
> >> Bye,
> >>     Marcel
> >>
> >>
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H.
> >> van Belle
> >> Sent: Tuesday, 8 September 2015 17:26
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>
> >> Yes, I've seen Steve's blogs, but that's not my solution.
> >>
> >> It has to do with ticket exchange and/or passing the key from PC to
> >> server.
> >> But that's a bit out of my scope, so I'm hoping for a response from someone
> >> with good Kerberos knowledge..
> >>
> >> It must be something I'm missing in /etc/krb5.conf or a missing package.
> >> As shown, it all works, but not directly.
> >>
> >> So if anyone has Kerberos knowledge, it would be a big help.
> >>
> >> The host and client mounts are OK, it's just the access for the first time
> >> on the print server (with the nfs client mount).
> >>
> >> But thanks anyway :-)
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >>> Sent: Tuesday 8 September 2015 16:55
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>>
> >>> On 08/09/15 15:33, L.P.H. van Belle wrote:
> >>>> Hai,
> >>>>
> >>>> I have a strange problem, I think it's a simple thing, but I'm missing
> >>>> some Kerberos knowledge here..
> >>>>
> >>>> Situation.
> >>>>
> >>>> I log in with my PC on the AD domain (works fine).
> >>>>
> >>>> Now I log in on my member server with ssh (putty), using the ssh single
> >>>> sign-on on my server where my homedirs are (/home/users/username); this
> >>>> works fine.
> >>>>
> >>>> When I do the same to my print server, where the homedir is mounted with
> >>>> nfsv4 kerberos based, I get an error that I'm unable to access my home dir.
> >>>>
> >>>> (see also the samba list subject: Re: [Samba] nfs based shared home dir
> >>>> question)
> >>>>
> >>>> When I do the following:
> >>>>
> >>>> I log in to the member server, as described above, and then log in to the
> >>>> print server from the member server, I need to type my password and I DO
> >>>> have access to my home dir.
> >>>>
> >>>> Now I log out of both servers, test again from my PC with putty to my
> >>>> print server without typing passwords, and ... now it works as it should.
> >>>>
> >>>> What is missing here ?? Must be something simple, but this I can't find.
> >>>>
> >>>> And Rowland, ... now I know what you meant about systemd ... still lots of
> >>>> bugs, found several bugs, combined with nfs, due to the above problems, and
> >>>> not auto mounting my nfs based homedir etc.
> >>>> but got that all fixed.
> >>>>
> >>>> /offtopic.
> >>>>
> >>>> On Debian Jessie with nfs4 kerberos setup.
> >>>>
> >>>> On the nfs server, in fstab, add the following after the bind option:
> >>>>
> >>>> bind,x-systemd.automount
> >>>>
> >>>> Client: with nfs4 kerberos when using fstab.
> >>>>
> >>>> Create the folder: /etc/systemd/system/nfs-common.service.d/
> >>>>
> >>>> And add this file with content: remote-fs-pre.conf
> >>>>
> >>>> [Unit]
> >>>> Before=remote-fs-pre.target
> >>>> Wants=remote-fs-pre.target
> >>>>
> >>>> This makes sure your mount really mounts at the end of starting up
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>> Hi Louis, I don't use NFS myself, but I think your problem is that you
> >>> are using nfs4, try using nfs3 instead
> >>>
> >>> Steve, who used to post on here, wrote a blog on it, start reading here:
> >>> http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> >>>
> >>> I think he moved on to using nfs4, but not sure, just browse his blog
> >>>
> >>> Rowland
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> 
> Hi Louis, could this be something as simple as the user's homedir not
> getting created when the user first logs into the nfs4 kerberos based
> machine? i.e. the kerberos login is not running pam_mkhomedir
> 
> Rowland
> 
> 
> 
> 

No, that's not the problem, all my user homedirs are already created through the MS RSAT tools.

As far as I now understand, because of the login when typing the password (or the sudo command) the TGT ticket is created correctly.. (I think)
Which gives the access to the nfs4 kerberos shared homedir.

At least I have 2 workarounds now, which gives me some extra time to get this fixed.

Can be a bug also somewhere, but I think it's still something I'm missing.
Looks like the host TGT ticket thingy goes wrong somewhere somehow..

Greetz,

Louis
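As an added example that is not part of this thread and not Samba's own tooling: a POSIX shell script that checks, on constructed sample files rather than anyone's real hosts, the settings the thread touches for SSH single sign-on onto a host whose home directories sit on a Kerberos-protected NFSv4 mount: the two smb.conf keytab options, the two pam_winbind.conf krb5 options, the nfs-common systemd drop-in, and the sshd GSSAPIAuthentication keyword the wiki page's SSO setup depends on. The file paths and the list of checks are my assumptions. It goes one step beyond the thread by showing that sshd_config uses the first occurrence of a keyword, so a later "GSSAPIAuthentication yes" never overrides an earlier "no", which is an easy way to end up without a ticket on the target host.

```shell
#!/bin/sh
# Added example (not from the thread): check, against constructed sample files,
# the settings the thread touches for SSH single sign-on onto a host whose home
# directories live on a Kerberos-protected NFSv4 mount. All file paths are
# assumptions; the sample contents are constructed for this demonstration.

# conf_has FILE KEY VALUE
# True if FILE has a non-comment line "KEY = VALUE" (case-insensitive,
# whitespace ignored). Works for smb.conf and pam_winbind.conf style files.
conf_has() {
    want=$(printf '%s=%s' "$2" "$3" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g')
    grep -v '^[[:space:]]*[#;]' "$1" 2>/dev/null \
        | tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g' | grep -qxF "$want"
}

# sshd_option FILE KEYWORD
# Prints the effective value of KEYWORD in an sshd_config. sshd uses the
# first occurrence of a keyword, so a later "GSSAPIAuthentication yes" does
# not override an earlier "no" (a common trap when pasting wiki snippets).
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }' "$1" 2>/dev/null
}

# check LABEL CMD [ARGS...]
# Runs CMD, prints PASS/FAIL with LABEL, returns CMD's status (0 or 1).
check() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; return 0; fi
    echo "FAIL: $label"; return 1
}

# diagnose SMB_CONF PAM_WINBIND_CONF SSHD_CONFIG NFS_DROPIN
# Runs every check; the return value is the number of failed checks.
diagnose() {
    fails=0
    check "smb.conf: dedicated keytab file = /etc/krb5.keytab" \
        conf_has "$1" "dedicated keytab file" "/etc/krb5.keytab" || fails=$((fails+1))
    check "smb.conf: kerberos method = secrets and keytab" \
        conf_has "$1" "kerberos method" "secrets and keytab" || fails=$((fails+1))
    check "pam_winbind.conf: krb5_auth = yes" \
        conf_has "$2" krb5_auth yes || fails=$((fails+1))
    check "pam_winbind.conf: krb5_ccache_type = FILE" \
        conf_has "$2" krb5_ccache_type FILE || fails=$((fails+1))
    check "sshd_config: effective GSSAPIAuthentication is yes" \
        [ "$(sshd_option "$3" GSSAPIAuthentication)" = yes ] || fails=$((fails+1))
    check "nfs-common drop-in: Before=remote-fs-pre.target" \
        conf_has "$4" Before remote-fs-pre.target || fails=$((fails+1))
    return $fails
}

# make_samples DIR
# Writes constructed sample files into DIR: a host configured as in the thread,
# plus an sshd_config that carries the keyword-ordering trap.
make_samples() {
    printf '%s\n' '[global]' '   dedicated keytab file = /etc/krb5.keytab' \
        '   kerberos method = secrets and keytab' >"$1/smb.conf"
    printf '%s\n' '[global]' '# constructed sample' 'krb5_auth = yes' \
        'krb5_ccache_type = FILE' >"$1/pam_winbind.conf"
    printf '%s\n' '# constructed sample' 'GSSAPIAuthentication yes' \
        'GSSAPICleanupCredentials yes' >"$1/sshd_good"
    printf '%s\n' 'GSSAPIAuthentication no' 'GSSAPIAuthentication yes' >"$1/sshd_bad"
    printf '%s\n' '[Unit]' 'Before=remote-fs-pre.target' \
        'Wants=remote-fs-pre.target' >"$1/remote-fs-pre.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "== constructed host configured as in the thread =="
diagnose "$tmp/smb.conf" "$tmp/pam_winbind.conf" "$tmp/sshd_good" "$tmp/remote-fs-pre.conf" || true
echo "== same host, sshd_config with 'no' before 'yes' =="
diagnose "$tmp/smb.conf" "$tmp/pam_winbind.conf" "$tmp/sshd_bad" "$tmp/remote-fs-pre.conf" || true
rm -rf "$tmp"
```

Run as-is to see the PASS/FAIL lines for both constructed hosts; to look at a real host, call diagnose with the real paths (it needs only grep, sed, awk and a POSIX sh). The return value is the number of failed checks, so it can sit in a login-host health check.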





