[Samba] nfs4 mounted homedir and kerberos tickets
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 9 12:57:08 UTC 2015
Hai marcel,
I commented in you mail.
Pff, im learning a lot today.. hard stuff..
> -----Oorspronkelijk bericht-----
> Van: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> Verzonden: woensdag 9 september 2015 14:38
> Aan: 'L.P.H. van Belle'; samba at lists.samba.org
> Onderwerp: AW: [Samba] nfs4 mounted homedir and kerberos tickets
>
> Hi Louis,
>
> sorry but I'm still having some trouble to unterstand your environment:
>
> According to your previous mails here's what I put together:
>
> The "member server" has local (not NFS mounted) home directories
> that are exported to the printserver using sec=krb5, right?
[L.P.H. van Belle] Yes, correct
>
> The print server is one NFS client mounting this directory, right?
[L.P.H. van Belle] Yes, correct
>
> All further comments are based on these assumptions:
>
>
> > When connection from my windows 7 pc to the print server, i dont get a
> password prompt, and i automatictly logged in but i get :
> > Could not chdir to home directory /home/users/someuser: Permission
> denied And cd /home/users
> > -bash: cd: /home/users: Permission denied
>
> Looks like you can successfully login, but you do not have a valid
> kerberos ticket to access the NFS home directory.
[L.P.H. van Belle] yes, thats totaly my problem
>
> Check output of "klist" - maybe windows ssh client (putty?) does not
> forward ticket, and only uses it to authenticate?
[L.P.H. van Belle] Ok, how can i check this?
>
> > When i do the same on the server where the homedir exists,on the member
> server, I can login, without typing password, and the no errors and i am
> in my user homedir.
>
> For accessing a local filesystem you do not require a kerberos ticket,
> so that's why it works here.
[L.P.H. van Belle] ok im understanding this.
>
> > > 3. cached krb5 credentials on server side
> > Dont know, how can i see that, like ?
> > ( login in with someuser on the print server ) klist
> > klist: Credentials cache file '/tmp/krb5cc_10002' not found
>
> Looks like you don't have a kerberos ticket after login at all,
> this may be caused by a passwordless login (without forwarding
> ticket) or simply a broken pam_krb5/pam_winbind config.
[L.P.H. van Belle] ok, a possibilty of a faulty pam config, im using
pam-auth-update to configure it.
This is the pam config:
cat samba
@include common-auth
@include common-account
@include common-session
Common-auth:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
Common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
Common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
>
> You don't need to bother about the kernel, if you don't even have
> a ticket in your cache (as "klist" tells you).
>
> > now the magic.. im logged in the member server, in my home dir.
> > Here I type :
> > ssh printserver
> > i must enter my password and im in my homedir.
> > There where i before (from the windows 7 pc) got :
> > Could not chdir to home directory /home/users/someuser: Permission
> denied
>
> It's not magic: by entering your password the login host can request a
> valid kerberos ticket, that is used to access the NFS home.
> (Once again: "klist" is your friend if you're trying to figure out why
> somehting works and something else doesn't)
[L.P.H. van Belle] after a login or through ssh or sudo (so a password typed login)
klist
Ticket cache: FILE:/tmp/krb5cc_10002_5UGp3pJp88
Default principal: someuser at INTERNAL.DOMAIN.TLD
Valid starting Expires Service principal
09/09/2015 14:45:22 09/10/2015 00:45:22 krbtgt/INTERNAL.DOMAIN.TLD@ INTERNAL.DOMAIN.TLD
renew until 09/10/2015 14:45:22
>
> > Now i logout of all servers, klik on putty to login on my print server
> again and now no errors, all fine, and im sure this is not a keyed.
>
> By logging in the last time (with password) a credential cache is
> created for your user. If not erased on logout it will be valid for
> a few hours and will be used to access the NFS home.
> (And even if the cache was removed, it's copy within the kernel
> might still be valid and used to access the NFS directory)
>
> > Now i reboot the print server. Login again from the windows 7 pc.
> > Again : Could not chdir to home directory /home/users/someuser:
> Permission denied
>
> Because usually during reboot /tmp get's cleaned. And that's
> the localtion of the credential cache mentioned above
> ("/tmp/krb5cc_10002")
>
> > Other trick to get access to my home dir..
> > sudo su -
> > [sudo] password for someuser:
> >
> > Now i exit (the sudo)
> > Type cd ~
> > And im allowed in my home dir.
>
> Depending on your pam config it's quite possible, that "su" uses your
> password to create a new credential cache for "someuser". Just
> check the output of "klist" (run as user "someuser") before and after
> the sudo command ...
>
> > Greetz,
> >
> > Louis
>
> Bye,
> Marcel
[L.P.H. van Belle]
As extra,
These are the pam modules of the member server
ii libpam-cap:amd64 1:2.24-8 amd64 POSIX 1003.1e capabilities (PAM module)
ii libpam-krb5:amd64 4.6-3+b1 amd64 PAM module for MIT Kerberos
ii libpam-modules:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 215-17+deb8u2 amd64 system and service manager - PAM module
ii libpam-winbind:amd64 2:4.1.17+dfsg-2 amd64 Windows domain authentication integration plugin
ii libpam0g:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules library
and these of the print server.
ii libpam-cap:amd64 1:2.24-8 amd64 POSIX 1003.1e capabilities (PAM module)
ii libpam-krb5:amd64 4.6-3+b1 amd64 PAM module for MIT Kerberos
ii libpam-modules:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 215-17+deb8u2 amd64 system and service manager - PAM module
ii libpam-winbind:amd64 2:4.1.17+dfsg-2 amd64 Windows domain authentication integration plugin
ii libpam0g:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules library
You see a missing libpam-winbind, thats correct, sernet-samba-winbindd does not provide the modules, but i created that one myself.
Which is just a copy of the by debian provided libpam-winbind, but i named it sernet-samba.
cat /usr/share/pam-configs/sernet-winbind
Name: Sernet Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Conflicts: winbind
Auth:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
optional pam_winbind.so
More information about the samba
mailing list