[Samba] kerberos nfs4's principals and root access
rpenny at samba.org
Mon Aug 1 16:03:04 UTC 2016
On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Sorry for this necrobump.... But I'm still can't use my local root
> user to browse content of my NFSv4/Krb5 share...... (others permission
> are checked when root use this share)
> So a lot of questions appeared during my tests :
> - Must i have same idmap.conf on both client and server ?
> - Why rpc.idmapd only use 'nsswitch' method even if 'static' is
> placed before it in 'Method' and 'GSS-Methods' list ?
> - Must root user use kinit before exploring ?
> And the most important question : Is there anybody who sucess to
> access (in a real root behaviour !!) to a nfsv4/krb5 share in a
> Samba4/Krb5/NFSv4 setup ?
> Thanks by advance,
> Best regards,
> PS: I sent this morning a mail about access to this share from local
> user (www-data), but I think that granting access to root may be a
> good start point !!
I scanned through the rest of what you posted and I think you have Samba
4 running as a DC with Unix clients joined to it, is this correct ?
If so, then the only way to get the same UIDs & GIDs on all of them, is
to use RFC2307 attributes and the winbind 'ad' backend on the clients.
Now we come to the root user, this user is somewhat similar to the
'Local Administrator' on windows and as such shouldn't be in AD. On the
DC, 'Administrator' is automatically mapped to 'root':
root at dc1:~# getent passwd Administrator
This doesn't happen on a Samba Unix domain member, but what you can do
is do the mapping in smb.conf. Add the line
username map = /etcl/samba/user.map
Then create the map file /etc/samba/user.map with this content:
!root = SAMDOM\Administrator SAMDOM\administrator Administrator
Restart Samba and then 'Administrator' should be mapped to 'root'. The
'root' user should never be in AD.
More information about the samba