[Samba] nfs4 mounted homedir and kerberos tickets

Rowland Penny rowlandpenny241155 at gmail.com
Wed Sep 9 13:15:43 UTC 2015 

On 09/09/15 13:37, L.P.H. van Belle wrote:
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>> Verzonden: woensdag 9 september 2015 14:18
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>>
>> On 09/09/15 09:01, L.P.H. van Belle wrote:
>>> In addition
>>> Reading : https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
>>>
>>> At the end, i see the Lines :
>>> for the console based logins and SSH failback to password to generate a
>> Kerberos TGT ticket (as in if the passwordless login fails due to not
>> having a suitable ticket on the calling machine). This is essential if
>> using things like NFSv4 with Kerberos Authentication.
>>> I do have in smb.conf
>>>       dedicated keytab file = /etc/krb5.keytab
>>>       kerberos method = secrets and keytab
>>>
>>> and i did set
>>> /etc/security/pam_winbind.conf :
>>> krb5_auth = yes
>>> krb5_ccache_type = FILE
>>>
>>>
>>> greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
>>>> Verzonden: woensdag 9 september 2015 8:39
>>>> Aan: 'L.P.H. van Belle'; samba at lists.samba.org
>>>> Onderwerp: AW: [Samba] nfs4 mounted homedir and kerberos tickets
>>>>
>>>> Hi Louis,
>>>>
>>>> please run "ssh -v" on client and member server and post the output.
>>>>
>>>> Did I get you right, that - when connection from your client to the
>> print
>>>> server -
>>>> you do *not* get a password prompt?
>>>>
>>>> In that case I guess your client is trying to establish the connection
>> not
>>>> via
>>>> kerberos/gssapi but publickey based: In that case the server cannot get
>>>> a valid kerberos ticket (because the required password was never sent)
>>>> and therefore will refuse access to the nfs share.
>>>>
>>>> The reason why this works on your member server may have several
>>>> causes:
>>>>
>>>>      1. different ssh client/server config on client/print/member server
>>>>      2. ssh keys / ssh-agent on client but not on member server
>>>>      3. cached krb5 credentials on server side
>>>>
>>>> According to my experience the last one is the worst to debug,
>>>> because the tickets used to access NFSv4 krb5 mounts need to be
>>>> copied to kernel space in order to work.
>>>> So in your case it might also be possible that the kernel still has
>>>> those valid tickets from a former login/kinit - even if you can't list
>>>> them using "klist".
>>>>
>>>> BTW:
>>>> If someone has an idea, how to locate and flush those keys in
>>>> kernel space (keyutils? /proc/keys?) I'd really like to hear about
>>>> that :-)
>>>>
>>>> Bye,
>>>>      Marcel
>>>>
>>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von L.P.H.
>>>> van Belle
>>>> Gesendet: Dienstag, 8. September 2015 17:26
>>>> An: samba at lists.samba.org
>>>> Betreff: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>>>>
>>>> Yes, i've seen steves blogs, but thats not my solution
>>>>
>>>> It has to do with ticket exchange and/or passing the key from pc to
>>>> server.
>>>> But thats a bit out of my scope, so im hoping on a responce from
>> someone
>>>> with good kerberos knowledge..
>>>>
>>>> I must be something im missing in /etc/krb5.conf or missing package.
>>>> As shown, it works all but not direct.
>>>>
>>>> So if anyone has kerberos knowlegde, would be a big help.
>>>>
>>>> The host and clients Mounts are ok, its just the access for the first
>> time
>>>> on the print server ( with the nfs client Mount )
>>>>
>>>> But thanks anyway :-)
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Oorspronkelijk bericht-----
>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>>>>> Verzonden: dinsdag 8 september 2015 16:55
>>>>> Aan: samba at lists.samba.org
>>>>> Onderwerp: Re: [Samba] nfs4 mounted homedir and kerberos tickets
>>>>>
>>>>> On 08/09/15 15:33, L.P.H. van Belle wrote:
>>>>>> Hai,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have strange problem, i think its a simple thing, but im missing
>>>>>> some
>>>>> kerberos knowledge here..
>>>>>>
>>>>>> Situation.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I login with my pc on the AD domain, (works fine).
>>>>>>
>>>>>> Now i login on my member server with ssh (putty), using the ssh
>>>>>> single
>>>>> sign-on on my server where my
>>>>>> homedirs is  ( /home/users/username)  , this works fine.
>>>>>>
>>>>>>
>>>>>>
>>>>>> When i do the same to my print server, where the homedir is mounted
>>>>>> with
>>>>> nfsv4  kerberos base.
>>>>>> I get an error that im unable to access my home dir.
>>>>>>
>>>>>> ( see also the samba list subject : Re: [Samba] nfs based shared
>>>>>> home
>>>>> dir question )
>>>>>>
>>>>>> When i do the following.
>>>>>>
>>>>>> I login to the member server, as described above, and then login to
>>>>>> the
>>>>> printserver from the member server,
>>>>>> I need to type my password and i DO have access to my home dir.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Now i logout of both servers, test again from my pc with putty to my
>>>>> print server without type-ing passwords
>>>>>> and ? now it works as is should.
>>>>>>
>>>>>>
>>>>>>
>>>>>> What is missing here ?? must be something simple, but this i cant
>>>>>> find
>>>>> it.
>>>>>>
>>>>>>
>>>>>>
>>>>>> And Rowland, ? now i know what you did mean about systemd? still
>>>>>> lots of
>>>>> bugs,
>>>>>> found serveral bugs, combined with nfs, due to above problems, and
>>>>>> not
>>>>> auto mounting my nfs based homedir etc.
>>>>>> but got that all fixed.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> /offtopic.
>>>>>>
>>>>>> On debian Jessie with nfs4 kerberos setup.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On the server nfs server in fstab,
>>>>>>
>>>>>> Add the following after the bind option:
>>>>>>
>>>>>> bind,x-systemd.automount
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Client : with nfs4 kerberos when using fstab.
>>>>>>
>>>>>> Create the folder : /etc/systemd/system/nfs-common.service.d/
>>>>>>
>>>>>> And add this file with content : remote-fs-pre.conf
>>>>>>
>>>>>> [Unit]
>>>>>>
>>>>>> Before=remote-fs-pre.target
>>>>>>
>>>>>> Wants=remote-fs-pre.target
>>>>>>
>>>>>>
>>>>>>
>>>>>> This makes sure your mount really mounts at the end of starting up
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>> Hi Louis, I don't use NFS myself, but I think your problem is that you
>>>>> are using nfs4, try using nfs3 instead
>>>>>
>>>>> Steve, who used to post on here, wrote a blog on it, start reading
>> here:
>>>>> http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
>>>>>
>>>>> I think he moved onto using nfs4, but not sure, just browse his blog
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>> Hi Louis, could this be something as simple as the users homedir not
>> getting created when the user first logs into the nfs4 kerberos based
>> machine ? i.e. the kerberos login is not running pam_mkhomedir
>>
>> Rowland
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> No thats not the problem, all my user homedir are already created throug the MS RATS tools.
>
> As far i now understand, because of the login when typing the password ( or the sudo command ) the TGT ticket is created correctly.. ( i think )
> Which gives the access to the nfs4 kerberos shared homedir.
>
> At least i have 2 workarounds now, which gives me some extra time to get this fixed.
>
> Can be a bug also somewhere, but i think its still something im missing.
> Looks like the host TGT ticket thingy goes wrong somewere somehow..
>
> Greetz,
>
> Louis
>
>
>
>

I did a bit of googling and found this:

http://grokbase.com/t/centos/centos/1365qnen7k/samba4-and-nvsv4

The OP seemed to be having a similar problem and down near the bottom of 
the page, there is this:

Is it possible that Samba4 includes a large PAC on the kerberos 
credential and you're going over the limit in kernel? Against AD you 
have to disable this PAC inclusion via the userAccountControl attribute 
to make kerberised NFSv4 work correctly. You /sometimes/ find that 
testing with a user who is a member of as close to no groups as possible 
works in this case, but users in many groups fail.

It is closely followed by this:

Five minutes later: holy crap! That is it. I took a user in only one
group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in
userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. You
sir are a steely-eyed missile man!

Rowland

More information about the samba mailing list