[Samba] kerberos nfs4's principals and root access

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Mon Aug 1 15:16:05 UTC 2016


Hi,

     Sorry for this necrobump... But I still can't use my local root 
user to browse the content of my NFSv4/Krb5 share... (the "others" 
permissions are checked when root uses this share)

     So a lot of questions appeared during my tests:

     - Must I have the same idmap.conf on both client and server?
     - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is 
placed before it in the 'Method' and 'GSS-Methods' lists?
     - Must the root user use kinit before exploring?

     And the most important question: is there anybody who has succeeded in 
accessing (with real root behaviour!!) a nfsv4/krb5 share in a 
Samba4/Krb5/NFSv4 setup?

     Thanks in advance,
     Best regards,
     Bruno

PS: I sent a mail this morning about access to this share from a local 
user (www-data), but I think that granting access to root may be a good 
starting point!!

On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
> Hi Baptiste,
>
> Ok, thanks for these, I'll test that also.
>
> And the "why" is a bit more explained here.
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> and for example,
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
>
> First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking this on the samba list ;-)
>
> Gr,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>> Sent: Friday 9 October 2015 14:11
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Thanks Louis! Very interesting!
>>
>> Maybe the simplest method is to set a static translation.
>>
>> 1) Enable the no_root_squash option in /etc/exports
>>
>> 2) Set the translation in /etc/idmapd.conf
>>
>> ------------------------
>> /etc/idmap.conf
>> ------------------------
>>
>> ...
>> [Translation]
>>
>> Method = static,nsswitch
>>
>> [Static]
>>
>> MYCLIENT$@SAMDOM.COM = root
>>
>> ------------------------
>>
>> But I don't understand why, with samba, we can't authenticate as a
>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
>> seems that it is because we can't kinit them. But I don't understand
>> why...
>>
>> Thanks again!
>>
>> Baptiste.
>>
>>
>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>> Ok, now it's clear to me.
>>>
>>> We need to set UMICH_SCHEMA in idmap.conf
>>> Read : http://linux.die.net/man/5/idmapd.conf
>>>
>>> Working on it now.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>> Sent: Friday 9 October 2015 13:34
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>
>>>> Ok, not working...
>>>>
>>>> But found this...
>>>>
>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>>>
>>>> 4.5 A known issue using NFS with kerberos
>>>> _________________________________________
>>>>
>>>> Even if "no_root_squash" option is used, while exporting a filesystem at
>>>> the server, root on the client gets a "Permission denied" error when
>>>> creating files on the mount point.
>>>>
>>>> This is because there is no proper mapping between root and the
>>>> GSSAuthName.
>>>>
>>>> Note: Trying to set 777 permission is not correct as it is not secure.
>>>> Also, any file created on the mountpoint will have "nobody" as owner.
>>>>
>>>> There is a work around for this if both NFS server and client use
>>>> umich_ldap methods to authenticate. If the idmapd on both server and
>>>> client is configured to use umich_ldap modules then having GSSAuthName
>>>> (<nfs/hostname at realm>) parameter map to root user, on the ldap server
>>>> will solve this problem.
>>>>
>>>>
>>>> Still reading, but should be solvable..
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>> Sent: Friday 9 October 2015 13:17
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>
>>>>> Hi Baptiste,
>>>>>
>>>>> I re-checked my setup and you're totally correct.
>>>>> I can not enter the nfsV4 mounted directory as root.
>>>>>
>>>>> What I've added in idmap.conf
>>>>> is this:
>>>>> Domain = your_DNS_domain.tld
>>>>>
>>>>> [Translation]
>>>>>
>>>>> Method = nsswitch
>>>>>
>>>>> And I found this link.
>>>>>
>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>>>>>
>>>>> I'm testing this now.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>> Sent: Friday 9 October 2015 11:34
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>
>>>>>> Thank you very much Louis!
>>>>>>
>>>>>> I have tried your setup and I can't mount the share either from the
>>>>>> server itself or from the client.
>>>>>>
>>>>>> In /var/log/syslog I have:
>>>>>>
>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>>>>>>
>>>>>> This is because the machine principal is not present in the keytab:
>>>>>> $ klist -k
>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>>
>>>>>> If I add the machine principal, I can mount the share but the root user
>>>>>> writes as "machine", not as "root".
>>>>>>
>>>>>> Can you check your setup? Do you have your machine credential in
>>>>>> /etc/krb5.keytab? (with klist -k)
>>>>>>
>>>>>> Do you do something related to kerberos when you log in as root?
>>>>>>
>>>>>> Do you have additional options in "/etc/idmap.conf"?
>>>>>>
>>>>>> Can you give me the result of:
>>>>>>
>>>>>> $ klist
>>>>>> $ klist -k
>>>>>>
>>>>>> when you are logged in as root?
>>>>>>
>>>>>> Thank you again!
>>>>>>
>>>>>> Baptiste.
>>>>>>
>>>>>>
>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I had it the other way around. Only root access.
>>>>>>>
>>>>>>> I have scripted my setup and tested on debian.
>>>>>>> Look here
>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>>>>>>>
>>>>>>> If you get the file setup-nfsv4-kerberos.sh and compare it to your
>>>>>>> setup. If you can read the bash script maybe you see something you
>>>>>>> missed.
>>>>>>> When I write as "root" it's root and not the machine account who
>>>>>>> owns the file.
>>>>>>>
>>>>>>> How is your exports file on the server configured?
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>> Sent: Friday 9 October 2015 8:59
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
>>>>>>>>
>>>>>>>> Hello samba team!
>>>>>>>>
>>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
>>>>>>>> standard user accesses work fine.
>>>>>>>>
>>>>>>>> I am now trying to set up NFS4 root access to administer the share from
>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
>>>>>>>> trouble understanding the kerberos/principals layer.
>>>>>>>>
>>>>>>>> ------------
>>>>>>>> Actually I do
>>>>>>>> -------------
>>>>>>>>
>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
>>>>>>>> $ samba-tool user add nfs-myserver --random-password
>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>>>>>>>
>>>>>>>> -> on the client I use the machine keytab.
>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>>>>>>>
>>>>>>>> With this setup all my domain users can write to the share. But when I
>>>>>>>> try with the root account it uses the machine keytab (that's normal,
>>>>>>>> root is not a domain user but he has access to the keytab):
>>>>>>>>
>>>>>>>> -> on the client as root
>>>>>>>> $ touch /myshare/testfile
>>>>>>>>
>>>>>>>> -> on the server
>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
>>>>>>>> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
>>>>>>>>
>>>>>>>> But I need root access!
>>>>>>>>
>>>>>>>> ----------
>>>>>>>> I have tried with a root/myclient service principal name
>>>>>>>> ----------
>>>>>>>>
>>>>>>>> -> on the client I create a root/myclient spn and export it to the keytab
>>>>>>>> $ samba-tool user add root-myclient --random-password
>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>>>>>>>
>>>>>>>> But nothing changes when I access the share. I tried to kinit this
>>>>>>>> principal but it fails. However kinit with the machine principal works.
>>>>>>>> $ kinit -k root/myclient.samdom.com
>>>>>>>> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
>>>>>>>> kerberos database while getting initial credentials
>>>>>>>>
>>>>>>>> $ kinit -k MYCLIENT$
>>>>>>>> ok
>>>>>>>>
>>>>>>>> ---------
>>>>>>>> I tried creating a samba root user.
>>>>>>>> ---------
>>>>>>>>
>>>>>>>> -> on the client I create a root user and export it to the keytab
>>>>>>>> $ samba-tool user add root
>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>>>>>>>
>>>>>>>> Same problem, but here "kinit -k root" works.
>>>>>>>>
>>>>>>>> $ kinit -k root
>>>>>>>> ok
>>>>>>>>
>>>>>>>>
>>>>>>>> ------
>>>>>>>> I tried to kinit another samba user
>>>>>>>> ------
>>>>>>>>
>>>>>>>> -> on the client I kinit a valid user and write to the share
>>>>>>>>
>>>>>>>> $ kinit validuser
>>>>>>>> $ touch /myshare/testfile2
>>>>>>>>
>>>>>>>> Here the nfs4 connection is not made with the validuser's principal.
>>>>>>>> Always with the machine's principal.
>>>>>>>>
>>>>>>>>
>>>>>>>> -------
>>>>>>>> So
>>>>>>>> -------
>>>>>>>>
>>>>>>>> I don't understand why I can "kinit root" but not "kinit
>>>>>>>> root/myclient.samdom.com". What's the difference between these
>>>>>>>> principals?
>>>>>>>>
>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
>>>>>>>> the machine's principal?
>>>>>>>>
>>>>>>>> I don't know if the problem comes from the creation of the kerberos
>>>>>>>> principals or from the nfs4 client not choosing the correct
>>>>>>>> principal...
>>>>>>>>
>>>>>>>> Can someone give me some tips?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>
>
>

-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Contact:
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tel : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
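The thread turns on three things a kerberized NFSv4 client must get right before root can act as root: idmapd.conf must consult the static translation before nsswitch, the [Static] section must map the client's machine principal to root, and the keytab must actually contain that machine principal (otherwise rpc.gssd reports "no credentials found"). The script below is an added example, not code from the thread, from Samba or from nfs-utils: it audits those three points from a defender's side. The hostnames, realm, idmapd.conf and klist -k listing are constructed samples; on a real client you would point audit_client at /etc/idmapd.conf and the output of klist -k. Note the trade-off the audit is checking for: a static mapping of MYCLIENT$ to root together with no_root_squash gives root on the export to anyone holding that client's keytab, so it belongs only on hosts you would already trust with root on the server.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or nfs-utils): audit a kerberized
# NFSv4 client for the root-mapping problem discussed above. Checks that
# idmapd.conf consults "static" before "nsswitch", that [Static] maps the
# machine principal to root, and that the keytab listing holds that principal.
# All hostnames, the realm and both sample files are constructed.

# Constructed idmapd.conf reflecting the static translation suggested in the
# thread (real file: /etc/idmapd.conf).
SAMPLE_IDMAPD_CONF='[General]
Domain = samdom.com

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
'

# Constructed "klist -k" output; unlike the listing in the thread, it contains
# the machine principal that rpc.gssd needs.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 MYCLIENT$@SAMDOM.COM
'

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an
# idmapd.conf-style file (first match only; comment lines are skipped).
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = substr($0, index($0, "[") + 1)
                        sec = substr(sec, 1, index(sec, "]") - 1); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) { print val; exit }
        }' "$1"
}

# static_first METHODLIST: succeed when "static" is listed before "nsswitch"
# (or nsswitch is absent), i.e. static mappings are consulted first.
static_first() {
    printf '%s\n' "$1" | awk -F, '{
        s = 0; n = 0
        for (i = 1; i <= NF; i++) {
            gsub(/[ \t]/, "", $i)
            if ($i == "static"   && !s) s = i
            if ($i == "nsswitch" && !n) n = i
        }
        exit !(s > 0 && (n == 0 || s < n))
    }'
}

# keytab_has_principal LISTING PRINCIPAL: succeed when the klist -k text lists
# PRINCIPAL (klist prints one "KVNO Principal" pair per line).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# audit_client CONF_FILE KLIST_TEXT PRINCIPAL: run the checks, print one
# finding per line, and return the number of failed checks (0 = all good).
audit_client() {
    conf=$1; listing=$2; principal=$3; failures=0
    for key in Method GSS-Methods; do
        if static_first "$(ini_get "$conf" Translation "$key")"; then
            echo "ok:   [Translation] $key consults static before nsswitch"
        else
            echo "FAIL: [Translation] $key does not put static first"
            failures=$((failures + 1))
        fi
    done
    if [ "$(ini_get "$conf" Static "$principal")" = "root" ]; then
        echo "ok:   [Static] maps $principal to root"
    else
        echo "FAIL: [Static] has no '$principal = root' entry"
        failures=$((failures + 1))
    fi
    if keytab_has_principal "$listing" "$principal"; then
        echo "ok:   keytab holds $principal"
    else
        echo "FAIL: keytab lacks $principal (rpc.gssd would report 'no credentials found')"
        failures=$((failures + 1))
    fi
    return $failures
}

# Stand-alone run against the constructed samples.
SAMPLE_CONF_FILE=$(mktemp)
printf '%s' "$SAMPLE_IDMAPD_CONF" > "$SAMPLE_CONF_FILE"
audit_client "$SAMPLE_CONF_FILE" "$SAMPLE_KLIST" 'MYCLIENT$@SAMDOM.COM'
```

On a live client, replace the two samples with `/etc/idmapd.conf` and `"$(klist -k)"`; the same file and principal must be checked on the server, since the thread's open question was whether idmapd.conf has to agree on both ends, and an idmapd that never reaches the [Static] section is the symptom Bruno describes (only nsswitch being consulted).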



