[Samba] nfs4 mounted homedir and kerberos tickets

L.P.H. van Belle belle at bazuin.nl
Wed Sep 9 13:26:57 UTC 2015


Ah, yes, good find. I did read that one also; my user is in 6 groups
(and counting)..

I think i found the problem/solution, see next mail. 


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday, 9 September 2015 15:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> 
> On 09/09/15 13:37, L.P.H. van Belle wrote:
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >> Sent: Wednesday, 9 September 2015 14:18
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>
> >> On 09/09/15 09:01, L.P.H. van Belle wrote:
> >>> In addition
> >>> Reading : https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> >>>
> >>> At the end, i see the Lines :
> >>> for the console based logins and SSH fallback to password to generate a
> >>> Kerberos TGT ticket (as in if the passwordless login fails due to not
> >>> having a suitable ticket on the calling machine). This is essential if
> >>> using things like NFSv4 with Kerberos Authentication.
> >>> I do have in smb.conf
> >>>       dedicated keytab file = /etc/krb5.keytab
> >>>       kerberos method = secrets and keytab
> >>>
> >>> and i did set
> >>> /etc/security/pam_winbind.conf :
> >>> krb5_auth = yes
> >>> krb5_ccache_type = FILE
> >>>
> >>>
> >>> greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> >>>> Sent: Wednesday, 9 September 2015 8:39
> >>>> To: 'L.P.H. van Belle'; samba at lists.samba.org
> >>>> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>>>
> >>>> Hi Louis,
> >>>>
> >>>> please run "ssh -v" on client and member server and post the output.
> >>>>
> >>>> Did I get you right, that - when connecting from your client to the
> >>>> print server - you do *not* get a password prompt?
> >>>>
> >>>> In that case I guess your client is trying to establish the connection
> >>>> not via kerberos/gssapi but publickey based: In that case the server
> >>>> cannot get a valid kerberos ticket (because the required password was
> >>>> never sent) and therefore will refuse access to the nfs share.
> >>>>
> >>>> The reason why this works on your member server may have several
> >>>> causes:
> >>>>
> >>>>      1. different ssh client/server config on client/print/member server
> >>>>      2. ssh keys / ssh-agent on client but not on member server
> >>>>      3. cached krb5 credentials on server side
> >>>>
> >>>> According to my experience the last one is the worst to debug,
> >>>> because the tickets used to access NFSv4 krb5 mounts need to be
> >>>> copied to kernel space in order to work.
> >>>> So in your case it might also be possible that the kernel still has
> >>>> those valid tickets from a former login/kinit - even if you can't
> >>>> list them using "klist".
> >>>>
> >>>> BTW:
> >>>> If someone has an idea, how to locate and flush those keys in
> >>>> kernel space (keyutils? /proc/keys?) I'd really like to hear about
> >>>> that :-)
> >>>>
> >>>> Bye,
> >>>>      Marcel
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >>>> L.P.H. van Belle
> >>>> Sent: Tuesday, 8 September 2015 17:26
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>>>
> >>>> Yes, I've seen Steve's blogs, but that's not my solution.
> >>>>
> >>>> It has to do with ticket exchange and/or passing the key from pc to
> >>>> server.
> >>>> But that's a bit out of my scope, so I'm hoping for a response from
> >>>> someone with good kerberos knowledge..
> >>>>
> >>>> It must be something I'm missing in /etc/krb5.conf or a missing package.
> >>>> As shown, it all works, but not directly.
> >>>>
> >>>> So if anyone has kerberos knowledge, it would be a big help.
> >>>>
> >>>> The host and client mounts are ok, it's just the access for the first
> >>>> time on the print server ( with the nfs client mount )
> >>>>
> >>>> But thanks anyway :-)
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland
> >>>>> Penny
> >>>>> Sent: Tuesday, 8 September 2015 16:55
> >>>>> To: samba at lists.samba.org
> >>>>> Subject: Re: [Samba] nfs4 mounted homedir and kerberos tickets
> >>>>>
> >>>>> On 08/09/15 15:33, L.P.H. van Belle wrote:
> >>>>>> Hai,
> >>>>>>
> >>>>>> I have a strange problem, I think it's a simple thing, but I'm missing
> >>>>>> some kerberos knowledge here..
> >>>>>>
> >>>>>> Situation.
> >>>>>>
> >>>>>> I login with my pc on the AD domain, (works fine).
> >>>>>>
> >>>>>> Now I login on my member server with ssh (putty), using the ssh single
> >>>>>> sign-on on my server where my homedirs are ( /home/users/username ),
> >>>>>> this works fine.
> >>>>>>
> >>>>>> When I do the same to my print server, where the homedir is mounted
> >>>>>> with nfsv4 kerberos based, I get an error that I'm unable to access my
> >>>>>> home dir.
> >>>>>>
> >>>>>> ( see also the samba list subject : Re: [Samba] nfs based shared home
> >>>>>> dir question )
> >>>>>>
> >>>>>> When I do the following.
> >>>>>>
> >>>>>> I login to the member server, as described above, and then login to
> >>>>>> the printserver from the member server, I need to type my password
> >>>>>> and I DO have access to my home dir.
> >>>>>>
> >>>>>> Now I logout of both servers, test again from my pc with putty to my
> >>>>>> print server without typing passwords, and now it works as it should.
> >>>>>>
> >>>>>> What is missing here ?? must be something simple, but this I can't
> >>>>>> find.
> >>>>>>
> >>>>>> And Rowland, now I know what you did mean about systemd, still lots of
> >>>>>> bugs, found several bugs, combined with nfs, due to above problems, and
> >>>>>> not auto mounting my nfs based homedir etc. but got that all fixed.
> >>>>>>
> >>>>>> /offtopic.
> >>>>>>
> >>>>>> On debian Jessie with nfs4 kerberos setup.
> >>>>>>
> >>>>>> On the nfs server in fstab, add the following after the bind option:
> >>>>>>
> >>>>>> bind,x-systemd.automount
> >>>>>>
> >>>>>> Client : with nfs4 kerberos when using fstab.
> >>>>>>
> >>>>>> Create the folder : /etc/systemd/system/nfs-common.service.d/
> >>>>>> And add this file with content : remote-fs-pre.conf
> >>>>>>
> >>>>>> [Unit]
> >>>>>> Before=remote-fs-pre.target
> >>>>>> Wants=remote-fs-pre.target
> >>>>>>
> >>>>>> This makes sure your mount really mounts at the end of starting up
> >>>>>>
> >>>>>> Greetz,
> >>>>>>
> >>>>>> Louis
> >>>>>>
> >>>>> Hi Louis, I don't use NFS myself, but I think your problem is that
> >>>>> you are using nfs4, try using nfs3 instead
> >>>>>
> >>>>> Steve, who used to post on here, wrote a blog on it, start reading
> >>>>> here:
> >>>>> http://linuxcostablanca.blogspot.co.uk/2012/02/samba4-shares.html
> >>>>>
> >>>>> I think he moved onto using nfs4, but not sure, just browse his blog
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>>> --
> >>>>> To unsubscribe from this list go to the following URL and read the
> >>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >> Hi Louis, could this be something as simple as the users homedir not
> >> getting created when the user first logs into the nfs4 kerberos based
> >> machine ? i.e. the kerberos login is not running pam_mkhomedir
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> > No, that's not the problem, all my user homedirs are already created through
> > the MS RSAT tools.
> >
> > As far as I now understand, because of the login when typing the password (
> > or the sudo command ) the TGT ticket is created correctly.. ( I think )
> > Which gives the access to the nfs4 kerberos shared homedir.
> >
> > At least I have 2 workarounds now, which gives me some extra time to get
> > this fixed.
> >
> > Can be a bug also somewhere, but I think it's still something I'm missing.
> > Looks like the host TGT ticket thingy goes wrong somewhere somehow..
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> 
> I did a bit of googling and found this:
> 
> http://grokbase.com/t/centos/centos/1365qnen7k/samba4-and-nvsv4
> 
> The OP seemed to be having a similar problem and down near the bottom of
> the page, there is this:
> 
> Is it possible that Samba4 includes a large PAC on the kerberos
> credential and you're going over the limit in kernel? Against AD you
> have to disable this PAC inclusion via the userAccountControl attribute
> to make kerberised NFSv4 work correctly. You /sometimes/ find that
> testing with a user who is a member of as close to no groups as possible
> works in this case, but users in many groups fail.
> 
> It is closely followed by this:
> 
> Five minutes later: holy crap! That is it. I took a user in only one
> group: permission denied. I set the NO_AUTH_DATA_REQUIRED flag in
> userAccountControl (via ldbedit), and hey presto NFSv4+krb5 now works. You
> sir are a steely-eyed missile man!
> 
> Rowland
> 
> 
> 
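The grokbase exchange Rowland quotes above attributes the failure to the PAC that AD puts in the Kerberos ticket: it carries the user's group SIDs, so it grows with group count, and the fix reported there was setting NO_AUTH_DATA_REQUIRED in userAccountControl with ldbedit so the KDC leaves the PAC out. Before flipping that bit on an account, an admin would want to see how many groups the user is in, what the flag value currently holds, and to change only that one bit. The following is an added example written for this page, not code from the thread or from Samba: it parses an LDIF user record in the shape ldbsearch/ldapsearch print (the record here is constructed), counts memberOf entries, decodes the userAccountControl bits and emits the LDIF modify that sets the flag. The UF_* constants are the AD schema values; the sample DNs and account name are assumptions.

```python
"""Hypothetical helper, added as an example (not code from the thread or
from Samba): read an AD user record in LDIF form, count its group memberships,
decode userAccountControl and emit the LDIF modify that would set
NO_AUTH_DATA_REQUIRED, the change the quoted grokbase post made with ldbedit."""
import base64
from typing import Dict, List

# userAccountControl bits as defined by the AD schema (UF_* names as used by Samba).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NO_AUTH_DATA_REQUIRED = 0x2000000  # KDC omits the PAC from this account's tickets

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_NO_AUTH_DATA_REQUIRED: "NO_AUTH_DATA_REQUIRED",
}

# Constructed sample record in the shape ldbsearch/ldapsearch print; not a real user.
SAMPLE_RECORD = """\
# constructed example record
dn: CN=Louis,CN=Users,DC=example,DC=internal
sAMAccountName: louis
userAccountControl: 66048
memberOf: CN=printusers,CN=Users,DC=example,DC=internal
memberOf: CN=linux-admins,CN=Users,DC=example,DC=internal
memberOf: CN=a-long-group-name-that-the-tool-wrapped,CN=Users,DC=example,
 DC=internal
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF record into attribute -> values.

    Handles the two things that trip up naive parsers: continuation lines
    (a leading space joins the line to the previous one) and base64 values
    (attr:: <b64>), which LDAP tools use for non-ASCII or binary attributes.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def group_count(attrs: Dict[str, List[str]]) -> int:
    """Groups the account carries: memberOf entries plus the primary group,
    which AD does not list in memberOf. More groups means a larger PAC."""
    return len(attrs.get("memberOf", [])) + 1


def pac_disabled(attrs: Dict[str, List[str]]) -> bool:
    """True when the KDC will leave the PAC out of this account's tickets."""
    return bool(int(attrs["userAccountControl"][0]) & UF_NO_AUTH_DATA_REQUIRED)


def disable_pac_ldif(attrs: Dict[str, List[str]]) -> str:
    """LDIF modify that sets NO_AUTH_DATA_REQUIRED and keeps every other bit
    (review it, then apply with ldbmodify or ldapmodify)."""
    new_value = int(attrs["userAccountControl"][0]) | UF_NO_AUTH_DATA_REQUIRED
    return "\n".join([
        f"dn: {attrs['dn'][0]}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {new_value}",
        "",
    ])


def report(attrs: Dict[str, List[str]]) -> Dict[str, object]:
    """Summary an admin checks before touching the account."""
    uac = int(attrs["userAccountControl"][0])
    return {
        "account": attrs["sAMAccountName"][0],
        "groups": group_count(attrs),
        "flags": decode_uac(uac),
        "pac_in_ticket": not (uac & UF_NO_AUTH_DATA_REQUIRED),
    }


if __name__ == "__main__":
    record = parse_ldif(SAMPLE_RECORD)
    print(report(record))
    print(disable_pac_ldif(record))
```

The flag is per account, and it removes the authorization data that Kerberos-authenticated services otherwise read from the ticket, which is why it suits accounts whose NFS access is mapped from the principal name rather than from the PAC; the group count is the first thing to look at when one user works and another does not, as the quoted post describes.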




