[Samba] kerberos nfs4's principals and root access

Rowland penny rpenny at samba.org
Mon Aug 1 16:03:04 UTC 2016


On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Hi,
>
>     Sorry for this necrobump.... But I still can't use my local root 
> user to browse the content of my NFSv4/Krb5 share...... (the "others" 
> permissions are checked when root uses this share)
>
>     So a lot of questions appeared during my tests :
>
>     - Must I have the same idmap.conf on both client and server ?
>     - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is 
> placed before it in the 'Method' and 'GSS-Methods' lists ?
>     - Must root user use kinit before exploring ?
>
>     And the most important question : Has anybody succeeded in 
> accessing (with real root behaviour !!) an nfsv4/krb5 share in a 
> Samba4/Krb5/NFSv4 setup ?
>
>     Thanks in advance,
>     Best regards,
>     Bruno
>
> PS: I sent a mail this morning about access to this share from a local 
> user (www-data), but I think that granting access to root may be a 
> good starting point !!

I scanned through the rest of what you posted and I think you have Samba 
4 running as a DC with Unix clients joined to it, is this correct ?

If so, then the only way to get the same UIDs & GIDs on all of them, is 
to use RFC2307 attributes and the winbind 'ad' backend on the clients.

Now we come to the root user. This user is somewhat similar to the 
'Local Administrator' on Windows and as such shouldn't be in AD. On the 
DC, 'Administrator' is automatically mapped to 'root':

root at dc1:~# getent passwd Administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

This doesn't happen on a Samba Unix domain member, but what you can do 
is do the mapping in smb.conf. Add the line

  username map = /etc/samba/user.map

Then create the map file /etc/samba/user.map with this content:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator 
administrator

Restart Samba and then 'Administrator' should be mapped to 'root'. The 
'root' user should never be in AD.

Rowland
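As an added illustration of the 'username map' mechanism Rowland describes (this is example code, not Samba's own nor anything from the thread), the small script below parses a user.map file and reports which Unix name a given Windows account name resolves to. The semantics it implements are assumed from the smb.conf manual, simplified: one mapping per line in the form "unixname = winname1 winname2 ...", '#' or ';' start a comment, names match case-insensitively, a bare '*' matches any name, and a leading '!' stops processing once that line has matched. '@group' entries are not handled. The map file content is constructed for the example and mirrors the line in the reply above.

```shell
#!/bin/sh
# Added example (not Samba's code): resolve a name through a "username map"
# file so the "!root = ..." mapping can be checked before restarting Samba.
# Assumed format: "unixname = winname1 winname2 ...", '#'/';' comments,
# case-insensitive matching, '*' matches anything, leading '!' stops after
# a match.  @group entries are not implemented here.
set -f   # disable globbing so a literal '*' in the map stays literal

# Constructed sample map, modelled on the one in the reply above.
MAP_FILE=$(mktemp)
trap 'rm -f "$MAP_FILE"' EXIT
cat > "$MAP_FILE" <<'EOF'
# local root is the Unix side of the domain Administrator account
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
; without '!' later lines are still checked and the last match wins
webuser = SAMDOM\www-data
EOF

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
trim()  { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# resolve_user MAPFILE NAME
# Prints the Unix name NAME maps to, or NAME itself when no line matches.
resolve_user() {
    mapfile=$1
    want=$(lower "$2")
    result=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac   # blank or comment
        case "$line" in *=*) ;; *) continue ;; esac        # not a mapping
        unixname=$(trim "${line%%=*}")
        winnames=${line#*=}
        stop=0
        case "$unixname" in '!'*) stop=1; unixname=${unixname#?} ;; esac
        for w in $winnames; do
            if [ "$w" = '*' ] || [ "$(lower "$w")" = "$want" ]; then
                result=$unixname
                if [ "$stop" -eq 1 ]; then
                    # '!' line matched: stop processing the map here
                    printf '%s\n' "$result"
                    return 0
                fi
                break   # remember this match, keep scanning later lines
            fi
        done
    done < "$mapfile"
    printf '%s\n' "$result"
}

# Usage: each call prints the resolved Unix name.
resolve_user "$MAP_FILE" 'SAMDOM\Administrator'   # root
resolve_user "$MAP_FILE" 'SAMDOM\www-data'        # webuser
resolve_user "$MAP_FILE" 'bruno'                  # bruno (unmapped)
```

Running it against a real /etc/samba/user.map before the restart shows whether the spelling and case of the domain names in the map actually cover the form in which the name arrives (for example SAMDOM\administrator versus plain Administrator).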