[Samba] kerberos nfs4's principals and root access

Bruno Macadré bruno.macadre at univ-rouen.fr
Tue Aug 2 06:21:30 UTC 2016

Thanks for your answer,

I already use the Winbind AD backend with RFC2307. The only difference is 
that when I use 'getent passwd' logins are never prefixed by the domain name....

So, if I understand well your solution, I must :

1. Add unix attributes to my Administrator user (it's mandatory to show 
the account with getent)
2. Add the 'username map' option in the member smb.conf
3. Create the mapping file like you said

And after that, when I want to access my kerberized NFS share, I just need to 
'kinit Administrator' beforehand?

Thanks a lot,

On 01/08/2016 at 18:03, Rowland penny wrote:
> On 01/08/16 16:16, Bruno MACADRÉ wrote:
>> Hi,
>> Sorry for this necrobump.... But I still can't use my local 
>> root user to browse the content of my NFSv4/Krb5 share...... (the 'others' 
>> permissions are checked when root uses this share)
>> So a lot of questions appeared during my tests :
>> - Must I have the same idmap.conf on both client and server ?
>> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is 
>> placed before it in the 'Method' and 'GSS-Methods' list ?
>> - Must the root user use kinit before exploring ?
>> And the most important question : Has anybody succeeded in 
>> accessing (with real root behaviour !!) an nfsv4/krb5 share in a 
>> Samba4/Krb5/NFSv4 setup ?
>> Thanks in advance,
>> Best regards,
>> Bruno
>> PS: I sent a mail this morning about access to this share from a local 
>> user (www-data), but I think that granting access to root may be a 
>> good starting point !!
> I scanned through the rest of what you posted and I think you have 
> Samba 4 running as a DC with Unix clients joined to it, is this correct ?
> If so, then the only way to get the same UIDs & GIDs on all of them, 
> is to use RFC2307 attributes and the winbind 'ad' backend on the clients.
> Now we come to the root user, this user is somewhat similar to the 
> 'Local Administrator' on windows and as such shouldn't be in AD. On 
> the DC, 'Administrator' is automatically mapped to 'root':
> root at dc1:~# getent passwd Administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> This doesn't happen on a Samba Unix domain member, but what you can do 
> is do the mapping in smb.conf. Add the line
>  username map = /etc/samba/user.map
> Then create the map file /etc/samba/user.map with this content:
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator 
> administrator
> Restart Samba and then 'Administrator' should be mapped to 'root'. The 
> 'root' user should never be in AD.
> Rowland
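As an added example (not code from this thread or from Samba itself), a small Python parser for the user.map format Rowland describes, plus an audit helper that lists which rules hand out the local root account. Everything in SAMPLE_MAP beyond the '!root' line, the case-insensitive comparison, the "continue matching on the mapped name" behaviour and the '@group' membership callback are assumptions made for this example.

```python
"""Parse a Samba 'username map' file and resolve incoming names.

Follows the smb.conf(5) description: one 'unixname = name1 name2 ...' rule
per line, '#'/';' comment lines, a leading '!' meaning stop after this line
if it matched, '@group' entries matching members of a Unix group, '*' any name.
"""

# Constructed sample; only the '!root' line comes from the thread.
SAMPLE_MAP = r"""
# map the AD Administrator to the local root account
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
; constructed extra rules
nobody = guest pcguest smbguest
wwwops = @webadmins
"""

def parse_user_map(text):
    """Return a list of (unixname, [patterns], stop_on_match) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        lhs, sep, rhs = line.lstrip("!").partition("=")
        if not sep:
            continue  # malformed line without '=': ignored
        rules.append((lhs.strip(), rhs.split(), stop))
    return rules

def map_username(rules, name, group_members=lambda g: set()):
    """Apply rules top to bottom; a later rule may remap the result of an
    earlier one unless a '!' rule matched first (assumed semantics).
    Name comparison is assumed case-insensitive."""
    current = name
    for unixname, patterns, stop in rules:
        matched = False
        for p in patterns:
            if p == "*":
                matched = True
            elif p.startswith("@"):
                matched = current.lower() in {m.lower() for m in group_members(p[1:])}
            else:
                matched = p.lower() == current.lower()
            if matched:
                break
        if matched:
            current = unixname
            if stop:
                break
    return current

def rules_granting_root(rules):
    """Audit helper: (patterns, is_wildcard) for every rule that maps to root."""
    return [(pats, "*" in pats) for unixname, pats, _ in rules if unixname == "root"]
```

A wildcard entry in the second element of any tuple returned by rules_granting_root means every authenticated name would become root, which is the case to catch when reviewing a member server's map file.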
