[Samba] kerberos nfs4's principals and root access

Bruno Macadré bruno.macadre at univ-rouen.fr
Tue Aug 2 06:24:28 UTC 2016


Thanks,

I'll see that today and come back !

Bruno

On 02/08/2016 at 08:11, L.P.H. van Belle wrote:
> Hai,
>
> Here you go..
>
> But all my settings are scripted.
> https://github.com/thctlo/samba4
> found here.
>
> Read the script : samba-with-nfsv4.sh
> Start it like ./samba-with-nfsv4.sh (client or server)
>
> It's tested and works on Debian jessie.
> It contains the NFS server settings and client settings.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
>> Sent: Monday 1 August 2016 17:16
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Hi,
>>
>>       Sorry for this necrobump.... But I still can't use my local root
>> user to browse the content of my NFSv4/Krb5 share...... (the "others"
>> permissions are checked when root uses this share)
>>
>>       So a lot of questions appeared during my tests:
>>
>>       - Must I have the same idmap.conf on both client and server?
>>       - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
>> placed before it in the 'Method' and 'GSS-Methods' lists?
>>       - Must the root user kinit before exploring?
>>
>>       And the most important question: is there anybody who succeeded in
>> accessing (with real root behaviour!!) an nfsv4/krb5 share in a
>> Samba4/Krb5/NFSv4 setup?
>>
>>       Thanks in advance,
>>       Best regards,
>>       Bruno
>>
>> PS: I sent a mail this morning about access to this share from a local
>> user (www-data), but I think that granting access to root may be a good
>> starting point!!
>>
>> On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
>>> Hai Baptiste,
>>>
>>> Ok, thanks for these, I'll test that also.
>>>
>>> And the "why" is a bit more explained here.
>>>
>>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
>>> and for example,
>>>
>>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
>>> First my work here, but this is a good one which I also need to adjust
>>> in my scripts, so thank you for asking this on the samba list ;-)
>>> Gr,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>> Sent: Friday 9 October 2015 14:11
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>
>>>> Thanks Louis! Very interesting!
>>>>
>>>> Maybe the simplest method is to set a static translation.
>>>>
>>>> 1) Enabling the no_root_squash option in /etc/exports
>>>>
>>>> 2) Set the translation in /etc/idmapd.conf
>>>>
>>>> ------------------------
>>>> /etc/idmap.conf
>>>> ------------------------
>>>>
>>>> ...
>>>> [Translation]
>>>>
>>>> Method = static,nsswitch
>>>>
>>>> [Static]
>>>>
>>>> MYCLIENT$@SAMDOM.COM = root
>>>>
>>>> ------------------------
>>>>
>>>> But I don't understand why, with samba, we can't authenticate as a
>>>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
>>>> seems that it is because we can't kinit them. But I don't understand
>>>> why...
>>>>
>>>> Thanks again !
>>>>
>>>> Baptiste.
>>>>
>>>>
>>>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>> Ok, now it's clear to me.
>>>>>
>>>>> We need to set UMICH_SCHEMA in idmap.conf
>>>>> Read : http://linux.die.net/man/5/idmapd.conf
>>>>>
>>>>> Working on it now.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>>> Sent: Friday 9 October 2015 13:34
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>
>>>>>> Ok, not working...
>>>>>>
>>>>>> But found this...
>>>>>>
>>>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>>>>>
>>>>>> 4.5 A known issue using NFS with kerberos
>>>>>> _________________________________________
>>>>>>
>>>>>> Even if "no_root_squash" option is used, while exporting a filesystem at
>>>>>> the server, root on the client gets a "Permission denied" error when
>>>>>> creating files on the mount point.
>>>>>>
>>>>>> This is because there is no proper mapping between root and the
>>>>>> GSSAuthName.
>>>>>>
>>>>>> Note: Trying to set 777 permission is not correct as it is not secure.
>>>>>> Also, any file created on the mountpoint will have "nobody" as owner.
>>>>>>
>>>>>> There is a work around for this if both NFS server and client use
>>>>>> umich_ldap methods to authenticate. If the idmapd on both server and
>>>>>> client is configured to use umich_ldap modules then having GSSAuthName
>>>>>> (<nfs/hostname at realm>) parameter map to root user, on the ldap server
>>>>>> will solve this problem.
>>>>>>
>>>>>> Still reading, but it should be solvable..
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>>>> Sent: Friday 9 October 2015 13:17
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>
>>>>>>> Hai Baptiste,
>>>>>>>
>>>>>>> I re-checked my setup and you're totally correct.
>>>>>>> I cannot enter the nfsV4 mounted directory as root.
>>>>>>>
>>>>>>> What I've added in idmap.conf
>>>>>>> is this:
>>>>>>> Domain = your_DNS_domain.tld
>>>>>>>
>>>>>>> [Translation]
>>>>>>>
>>>>>>> Method = nsswitch
>>>>>>>
>>>>>>> And I found this link.
>>>>>>>
>>>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>>>>>>>
>>>>>>> I'm testing this now.
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>> Sent: Friday 9 October 2015 11:34
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>>
>>>>>>>> Thank you very much Louis!
>>>>>>>>
>>>>>>>> I have tried your setup and I can't mount the share either from
>>>>>>>> the server itself or from the client.
>>>>>>>>
>>>>>>>> In /var/log/syslog I have:
>>>>>>>>
>>>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>>>>>>>> This is because the machine principal is not present in the keytab:
>>>>>>>> $ klist -k
>>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
>>>>>>>>
>>>>>>>> If I add the machine principal, I can mount the share, but the root user
>>>>>>>> writes as "machine", not as "root".
>>>>>>>>
>>>>>>>> Can you check your setup? Do you have your machine credential in
>>>>>>>> /etc/krb5.keytab? (with klist -k)
>>>>>>>>
>>>>>>>> Do you do something related to kerberos when you log in as root?
>>>>>>>>
>>>>>>>> Do you have additional options in "/etc/idmap.conf"?
>>>>>>>>
>>>>>>>> Can you give me the result of:
>>>>>>>>
>>>>>>>> $ klist
>>>>>>>> $ klist -k
>>>>>>>>
>>>>>>>> when you are logged in as root?
>>>>>>>>
>>>>>>>> Thank you again!
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>>>> Hai,
>>>>>>>>>
>>>>>>>>> I had it the other way around. Only root access.
>>>>>>>>>
>>>>>>>>> I have scripted my setup and tested on debian.
>>>>>>>>> Look here
>>>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>>>>>>>>>
>>>>>>>>> If you get the file, setup-nfsv4-kerberos.sh, compare it to your
>>>>>>>>> setup.
>>>>>>>>> If you can read the bash script maybe you see something you missed.
>>>>>>>>> When I write as "root" it's root and not the machine account who owns
>>>>>>>>> the file.
>>>>>>>>> How is your exports file on the server configured?
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>>>> Sent: Friday 9 October 2015 8:59
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
>>>>>>>>>>
>>>>>>>>>> Hello samba team !
>>>>>>>>>>
>>>>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
>>>>>>>>>> standard user accesses work fine.
>>>>>>>>>>
>>>>>>>>>> I now try to set up NFS4 root access to administer the share from
>>>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
>>>>>>>>>> trouble understanding the kerberos/principals layer.
>>>>>>>>>>
>>>>>>>>>> -------------
>>>>>>>>>> Currently I do
>>>>>>>>>> -------------
>>>>>>>>>>
>>>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
>>>>>>>>>> $ samba-tool user add nfs-myserver --random-password
>>>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> -> on the client I use the machine keytab.
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>>>>>>>>> With this setup all my domain users can write to the share. But when I
>>>>>>>>>> try with the root account it uses the machine keytab (that's normal,
>>>>>>>>>> root is not a domain user but he has access to the keytab):
>>>>>>>>>>
>>>>>>>>>> -> on the client as root
>>>>>>>>>> $ touch /myshare/testfile
>>>>>>>>>>
>>>>>>>>>> -> on the server
>>>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
>>>>>>>>>> -rw-r--r--     SAMDOM\MYCLIENT$     SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
>>>>>>>>>>
>>>>>>>>>> But I need root access !
>>>>>>>>>>
>>>>>>>>>> ----------
>>>>>>>>>> I have tried with a root/myclient service principal name
>>>>>>>>>> ----------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root/myclient spn and export it to the keytab
>>>>>>>>>> $ samba-tool user add root-myclient --random-password
>>>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> But nothing changes when I access the share. I tried to kinit this
>>>>>>>>>> principal but it fails. However kinit with the machine principal works.
>>>>>>>>>> $ kinit -k  root/myclient.samdom.com
>>>>>>>>>> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
>>>>>>>>>> kerberos database while getting initial credentials
>>>>>>>>>>
>>>>>>>>>> $ kinit -k MYCLIENT$
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>> ---------
>>>>>>>>>> I tried creating a samba root user.
>>>>>>>>>> ---------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root user and export it to the keytab
>>>>>>>>>> $ samba-tool user add root
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>>>>>>>>> Same problem, but here "kinit -k root" works.
>>>>>>>>>>
>>>>>>>>>> $ kinit -k root
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------
>>>>>>>>>> I tried to kinit another samba user
>>>>>>>>>> ------
>>>>>>>>>>
>>>>>>>>>> -> on the client I kinit a valid user and write to the share
>>>>>>>>>>
>>>>>>>>>> $  kinit validuser
>>>>>>>>>> $ touch /myshare/testfile2
>>>>>>>>>>
>>>>>>>>>> Here the nfs4 connection is not made with the validuser's principal.
>>>>>>>>>> Always with the machine's principal.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------
>>>>>>>>>> So
>>>>>>>>>> -------
>>>>>>>>>>
>>>>>>>>>> I don't understand why I can "kinit root" but not "kinit
>>>>>>>>>> root/myclient.samdom.com". What's the difference between these
>>>>>>>>>> principals?
>>>>>>>>>>
>>>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
>>>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
>>>>>>>>>> the machine's principal?
>>>>>>>>>>
>>>>>>>>>> I don't know if the problem comes from the creation of the kerberos
>>>>>>>>>> principals or from the nfs4 client not choosing the correct
>>>>>>>>>> principal...
>>>>>>>>>>
>>>>>>>>>> Can someone give me a tip?
>>>>>>>>>>
>>>>>>>>>> Thanks !
>>>>>>>>>>
>>>>>>>>>> Baptiste.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>
>> --
>>
>> Bruno MACADRE
>> -------------------------------------------------------------------
>>    Ingénieur Systèmes et Réseau     | Systems and Network Engineer
>>    Département Informatique         | Department of computer science
>>    Responsable Info SER             | SER IT Manager
>>    Université de Rouen              | University of Rouen
>> -------------------------------------------------------------------
>> Coordonnées / Contact :
>> 	Université de Rouen
>> 	Faculté des Sciences et Techniques - Madrillet
>> 	Avenue de l'Université
>> 	CS 70012
>> 	76801 St Etienne du Rouvray CEDEX
>> 	FRANCE
>>
>> 	Tél : +33 (0)2-32-95-51-86
>> 	Mob : +33 (0)6-74-71-45-64
>> -------------------------------------------------------------------
>>
>>
>
>
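Added example (not from any message in this thread, nor from nfs-utils or the linked scripts): a simplified Python model of the order in which libnfsidmap tries its translation methods when rpc.idmapd resolves a Kerberos principal to a local account. It uses a constructed idmapd.conf in the shape Baptiste posted, a constructed passwd table standing in for what winbind would answer on the client, and three assumptions about libnfsidmap behaviour: 'static' looks the full principal string up in [Static]; 'nsswitch' strips the realm only when it is a local realm and then looks the bare name up in passwd; GSS-Methods overrides Method and anything unmapped becomes Nobody-User. The names IDMAPD_CONF, PASSWD, load_conf, methods_for_gss, principal_to_user and uid_for_principal, and all uids, are the example's own.

```python
"""Simplified model of how libnfsidmap turns a GSS (Kerberos) principal into
a local account when rpc.idmapd resolves the owner of an NFSv4 file.

Added example for the mailing-list thread; not code from nfs-utils.
Assumptions (labelled): the 'static' method looks the full principal up in
[Static]; the 'nsswitch' method strips the realm only when it is local and
then looks the bare name up in passwd; GSS-Methods overrides Method; any
unmapped principal becomes Nobody-User.
"""
import configparser

# Constructed idmapd.conf in the shape posted in the thread (sample values).
IDMAPD_CONF = """\
[General]
Domain = samdom.com
Local-Realms = SAMDOM.COM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
"""

# Constructed passwd view: what nsswitch (winbind) would answer on the client.
PASSWD = {
    "root": 0,
    "nobody": 65534,
    "validuser": 3000001,
    "MYCLIENT$": 3000002,   # the machine account, visible through winbind
}


def load_conf(text):
    """Parse idmapd.conf text; keep [Static] principal names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def methods_for_gss(cp):
    """GSS-Methods wins when set; otherwise fall back to Method, then nsswitch."""
    if not cp.has_section("Translation"):
        return ["nsswitch"]
    sec = cp["Translation"]
    raw = sec.get("GSS-Methods") or sec.get("Method") or "nsswitch"
    return [m.strip() for m in raw.split(",") if m.strip()]


def _static(cp, principal, passwd):
    """[Static] maps the full principal string to a local user name."""
    if cp.has_section("Static") and cp.has_option("Static", principal):
        return cp["Static"][principal]
    return None


def _nsswitch(cp, principal, passwd):
    """Strip the realm if it is local, then look the bare name up in passwd."""
    name, _, realm = principal.partition("@")
    default_realm = cp.get("General", "Domain", fallback="").upper()
    local = cp.get("General", "Local-Realms", fallback=default_realm)
    local_realms = {r.strip().upper() for r in local.split(",")}
    if realm.upper() not in local_realms or name not in passwd:
        return None
    return name


METHODS = {"static": _static, "nsswitch": _nsswitch}


def principal_to_user(cp, principal, passwd=PASSWD):
    """Walk the configured methods in order; first hit wins, else Nobody-User."""
    for method in methods_for_gss(cp):
        handler = METHODS.get(method)
        if handler is None:
            continue   # method not modelled here (e.g. umich_ldap)
        user = handler(cp, principal, passwd)
        if user is not None:
            return user
    return cp.get("Mapping", "Nobody-User", fallback="nobody")


def uid_for_principal(cp, principal, passwd=PASSWD):
    """Owner uid the server would record for a file created by this principal."""
    user = principal_to_user(cp, principal, passwd)
    return passwd.get(user, passwd["nobody"])


if __name__ == "__main__":
    conf = load_conf(IDMAPD_CONF)
    for p in ("MYCLIENT$@SAMDOM.COM", "validuser@SAMDOM.COM", "someone@OTHER.REALM"):
        print(f"{p:24} -> {principal_to_user(conf, p)} (uid {uid_for_principal(conf, p)})")
    # Same file with 'static' left out: the machine principal now resolves through
    # winbind to the machine account, which is the "root writes as MYCLIENT$" symptom.
    nss_only = load_conf(IDMAPD_CONF.replace("static,nsswitch", "nsswitch"))
    print("nsswitch only:", principal_to_user(nss_only, "MYCLIENT$@SAMDOM.COM"))
```

With the [Static] line and 'static' ahead of 'nsswitch', the machine principal maps to uid 0 and 'validuser' still resolves through nsswitch; with 'nsswitch' alone the same principal maps to the SAMDOM\MYCLIENT$ account, as in the ls output earlier in the thread. The defender's caveat is that this mapping hands uid 0 on the export to whoever holds the MYCLIENT$ keytab, so together with no_root_squash it amounts to trusting that client host's root outright: keep /etc/krb5.keytab readable by root only and restrict the export line to that one client rather than a subnet.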



