[Samba] kerberos nfs4's principals and root access
Bruno MACADRÉ
bruno.macadre at univ-rouen.fr
Tue Aug 2 08:45:57 UTC 2016
Hi Louis,
I read your script and changed my configuration accordingly, but it
still does not work.
Here are my conf files:
----- NFS SERVER SIDE (Ubuntu Server 14.04 x64) -----
/etc/fstab:
...
/home /nfs4export/homes none bind 0 0
...
/etc/exports:
...
/nfs4export NETWORK/24(ro,fsid=0,no_subtree_check,sync,sec=krb5)
/nfs4export/homes NETWORK/24(rw,sync,no_root_squash,no_subtree_check,sec=krb5)
...
/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids --debug all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS="-vvv"
RPCNFSDOPTS="--debug"
/etc/idmapd.conf:
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
/etc/smb.conf (compiled samba 4.2.3):
[global]
netbios name = FILSRV
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes
log level = 3
log file = /var/log/samba/log.%m
idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10
...
kerberos method = system keytab
FILSRV joined the DC fine.
- SPN added with 'net ads keytab': net ads keytab add nfs -U administrator
klist of FILSRV (klist -kt):
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
----- CLIENT SIDE (XUbuntu 16.04 x64) -----
/etc/fstab:
...
filsrv:/homes /home nfs4 sec=krb5 0 0
...
/etc/idmapd.conf:
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
CLIENT1$@DOMAIN = root
host/client1.domain@DOMAIN = root
nfs/client1.domain@DOMAIN = root
nfs/client1.domain@ = root
/etc/smb.conf (Samba 4.3.9 from repos):
[global]
netbios name = CLIENT1
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10
kerberos method = system keytab
- Joining: OK
- Adding SPN with 'net ads keytab add nfs': OK
- Mounting NFS share: OK
- Authenticating users against Kerberos (with libpam-krb5): OK
klist of Client1 (klist -kt):
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
Testing root access on the NFS share:
For testing purposes a tstroot directory was created on the share
with mode 0777. When I 'touch foo' in this directory, the owner
of foo is nobody and its group nogroup...
When I look at the logs, something seems strange to me: rpc.idmapd
(server side) and nfsidmap (client side; rpc.idmapd is apparently no longer
needed on the client) never use the static method, even though static was
specified (client side)...
Parts of syslog:
...
rpc.gssd: libnfsidmap: using domain: domain
rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
rpc.gssd: libnfsidmap: processing 'Method' list
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
rpc.gssd: Expiration time is 600 seconds.
...
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
nfsidmap: nfs4_uid_to_name: final return value is 0
nfsidmap: Server : (user) id "65534" -> name "nobody@domain"
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
nfsidmap: nfs4_gid_to_name: final return value is 0
nfsidmap: Server : (group) id "65534" -> name "nogroup@domain"
...
That's all for the moment... sorry for this enormous mail, but
it's so strange that I can't choose what to show or not...
Greetz,
Bruno
On 02/08/2016 at 08:11, L.P.H. van Belle wrote:
> Hai,
>
> Here you go..
>
> But all my settings are scripted.
> https://github.com/thctlo/samba4
> found here.
>
> Read the script: samba-with-nfsv4.sh
> Start it like ./samba-with-nfsv4.sh (client or server)
>
> It's tested and works on Debian jessie.
> It contains the NFS server settings and client settings.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Bruno MACADRÉ
>> Sent: Monday, 1 August 2016 17:16
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Hi,
>>
>> Sorry for this necrobump... But I still can't use my local root
>> user to browse the content of my NFSv4/Krb5 share... (the 'others'
>> permissions are checked when root uses this share)
>>
>> So a lot of questions appeared during my tests:
>>
>> - Must I have the same idmapd.conf on both client and server?
>> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
>> placed before it in the 'Method' and 'GSS-Methods' lists?
>> - Must the root user kinit before exploring?
>>
>> And the most important question: is there anybody who has succeeded in
>> accessing (with real root behaviour!!) an nfsv4/krb5 share in a
>> Samba4/Krb5/NFSv4 setup?
>>
>> Thanks in advance,
>> Best regards,
>> Bruno
>>
>> PS: I sent a mail this morning about access to this share from a local
>> user (www-data), but I think that granting access to root may be a good
>> starting point!!
>>
>> On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
>>> Hai Batiste,
>>>
>>> Ok, thanks for these, I'll test that also.
>>>
>>> And the "why" is explained a bit more here.
>>>
>>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
>>>
>>> and for example,
>>>
>>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
>>>
>>> First my work here, but this is a good one which I also need to adjust
>>> in my scripts, so thank you for asking this on the samba list ;-)
>>> Gr,
>>>
>>> Louis
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Prunk Dump
>>>> Sent: Friday, 9 October 2015 14:11
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>
>>>> Thanks Louis ! Very interesting !
>>>>
>>>> Maybe the simplest method is to set a static translation.
>>>>
>>>> 1) Enabling the no_root_squash option in /etc/exports
>>>>
>>>> 2) Set the translation in /etc/idmapd.conf
>>>>
>>>> ------------------------
>>>> /etc/idmapd.conf
>>>> ------------------------
>>>>
>>>> ...
>>>> [Translation]
>>>>
>>>> Method = static,nsswitch
>>>>
>>>> [Static]
>>>>
>>>> MYCLIENT$@SAMDOM.COM = root
>>>>
>>>> ------------------------
>>>>
>>>> But I don't understand why, with samba, we can't authenticate as
>>>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
>>>> seems that it is because we can't kinit them. But I don't understand
>>>> why...
>>>>
>>>> Thanks again !
>>>>
>>>> Baptiste.
>>>>
>>>>
>>>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>> Ok, now it's clear to me.
>>>>>
>>>>> We need to set UMICH_SCHEMA in idmapd.conf
>>>>> Read: http://linux.die.net/man/5/idmapd.conf
>>>>>
>>>>> Working on it now.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
>>>>>> Sent: Friday, 9 October 2015 13:34
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>
>>>>>> Ok, not working...
>>>>>>
>>>>>> But found this...
>>>>>>
>>>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>>>>>
>>>>>> 4.5 A known issue using NFS with kerberos
>>>>>> _________________________________________
>>>>>>
>>>>>> Even if "no_root_squash" option is used, while exporting a filesystem at
>>>>>> the server, root on the client gets a "Permission denied" error when
>>>>>> creating files on the mount point.
>>>>>>
>>>>>> This is because there is no proper mapping between root and the
>>>>>> GSSAuthName.
>>>>>>
>>>>>> Note: Trying to set 777 permission is not correct as it is not secure.
>>>>>> Also, any file created on the mountpoint will have "nobody" as owner.
>>>>>>
>>>>>> There is a work around for this if both NFS server and client use
>>>>>> umich_ldap methods to authenticate. If the idmapd on both server and
>>>>>> client is configured to use umich_ldap modules then having GSSAuthName
>>>>>> (<nfs/hostname@realm>) parameter map to root user, on the ldap server
>>>>>> will solve this problem.
>>>>>>
>>>>>> Still reading, but should be solvable..
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
>>>>>>> Sent: Friday, 9 October 2015 13:17
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>
>>>>>>> Hai Baptiste,
>>>>>>>
>>>>>>> I re-checked my setup and you're totally correct.
>>>>>>> I can not enter the nfsV4 mounted directory as root.
>>>>>>>
>>>>>>> What I've added in idmapd.conf
>>>>>>> is this:
>>>>>>> Domain = your_DNS_domain.tld
>>>>>>>
>>>>>>> [Translation]
>>>>>>>
>>>>>>> Method = nsswitch
>>>>>>>
>>>>>>> And I found this link.
>>>>>>>
>>>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>>>>>>>
>>>>>>> I'm testing this now.
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Prunk Dump
>>>>>>>> Sent: Friday, 9 October 2015 11:34
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>>
>>>>>>>> Thank you very much Louis!
>>>>>>>>
>>>>>>>> I have tried your setup and I can't mount the share, either from
>>>>>>>> the server itself or from the client.
>>>>>>>>
>>>>>>>> In /var/log/syslog I have:
>>>>>>>>
>>>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>>>>>>>>
>>>>>>>> This is because the machine principal is not present in the keytab:
>>>>>>>> $ klist -k
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>>
>>>>>>>> If I add the machine principal, I can mount the share, but the root user
>>>>>>>> writes as "machine", not as "root".
>>>>>>>>
>>>>>>>> Can you check your setup? Do you have your machine credential in
>>>>>>>> /etc/krb5.keytab? (with klist -k)
>>>>>>>>
>>>>>>>> Do you do something related to kerberos when you log in as root?
>>>>>>>>
>>>>>>>> Do you have additional options in "/etc/idmapd.conf"?
>>>>>>>>
>>>>>>>> Can you give me the result of:
>>>>>>>>
>>>>>>>> $ klist
>>>>>>>> $ klist -k
>>>>>>>>
>>>>>>>> when you are logged in as root?
>>>>>>>>
>>>>>>>> Thank you again!
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>>>> Hai,
>>>>>>>>>
>>>>>>>>> I had it the other way around. Only root access.
>>>>>>>>>
>>>>>>>>> I have scripted my setup and tested on debian.
>>>>>>>>> Look here
>>>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>>>>>>>>>
>>>>>>>>> If you get the file, setup-nfsv4-kerberos.sh and compare it to your
>>>>>>>>> setup.
>>>>>>>>> If you can read the bash script maybe you see something you missed.
>>>>>>>>> When I write as "root" it's root and not the machine account who owns
>>>>>>>>> the file.
>>>>>>>>> How is your exports file on the server configured?
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Prunk Dump
>>>>>>>>>> Sent: Friday, 9 October 2015 8:59
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
>>>>>>>>>>
>>>>>>>>>> Hello samba team !
>>>>>>>>>>
>>>>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
>>>>>>>>>> standard user accesses work fine.
>>>>>>>>>>
>>>>>>>>>> I am now trying to set up NFS4 root access to administer the share from
>>>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
>>>>>>>>>> trouble understanding the kerberos/principals layer.
>>>>>>>>>>
>>>>>>>>>> ------------
>>>>>>>>>> Actually I do
>>>>>>>>>> -------------
>>>>>>>>>>
>>>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
>>>>>>>>>> $ samba-tool user add nfs-myserver --random-password
>>>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> -> on the client I use the machine keytab.
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> With this setup all my domain users can write to the share. But when I
>>>>>>>>>> try with the root account it uses the machine keytab (that's normal,
>>>>>>>>>> root is not a domain user but he has access to the keytab):
>>>>>>>>>>
>>>>>>>>>> -> on the client as root
>>>>>>>>>> $ touch /myshare/testfile
>>>>>>>>>>
>>>>>>>>>> -> on the server
>>>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
>>>>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/testfile
>>>>>>>>>>
>>>>>>>>>> But I need root access !
>>>>>>>>>>
>>>>>>>>>> ----------
>>>>>>>>>> I have tried with a root/myclient service principal name
>>>>>>>>>> ----------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root/myclient spn and export to keytab
>>>>>>>>>> $ samba-tool user add root-myclient --random-password
>>>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> But nothing changes when I access the share. I tried to kinit this
>>>>>>>>>> principal but it fails. However kinit with the machine principal works.
>>>>>>>>>> $ kinit -k root/myclient.samdom.com
>>>>>>>>>> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in
>>>>>>>>>> kerberos database while getting initial credentials
>>>>>>>>>>
>>>>>>>>>> $ kinit -k MYCLIENT$
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>> ---------
>>>>>>>>>> I tried creating a samba root user.
>>>>>>>>>> ---------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root user and export to keytab
>>>>>>>>>> $ samba-tool user add root
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>>>>>>>>> Same problem, but here "kinit -k root" works.
>>>>>>>>>>
>>>>>>>>>> $ kinit -k root
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------
>>>>>>>>>> I tried to kinit another samba user
>>>>>>>>>> ------
>>>>>>>>>>
>>>>>>>>>> -> on the client I kinit a valid user and write to the share
>>>>>>>>>>
>>>>>>>>>> $ kinit validuser
>>>>>>>>>> $ touch /myshare/testfile2
>>>>>>>>>>
>>>>>>>>>> Here the nfs4 connection is not made with validuser's principal.
>>>>>>>>>> Always with the machine's principal.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------
>>>>>>>>>> So
>>>>>>>>>> -------
>>>>>>>>>>
>>>>>>>>>> I don't understand why I can "kinit root" but not "kinit
>>>>>>>>>> root/myclient.samdom.com". What's the difference between these
>>>>>>>>>> principals?
>>>>>>>>>>
>>>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
>>>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
>>>>>>>>>> the machine's principal?
>>>>>>>>>>
>>>>>>>>>> I don't know if the problem comes from the creation of kerberos
>>>>>>>>>> principals or from the nfs4 client not choosing the correct
>>>>>>>>>> principal...
>>>>>>>>>>
>>>>>>>>>> Can someone give me a tip?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Baptiste.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
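The syslog excerpt above shows the server's libnfsidmap walking only the nsswitch method and landing on uid/gid 65534 (nobody/nogroup). What follows is an added example, not code from this thread, from nfs-utils/libnfsidmap or from Samba: a small Python model of the idmapd.conf(5) translation chain that the NFS server applies to an authenticated krb5 principal (GSS-Methods, falling back to Method when absent, then Nobody-User). It runs Bruno's posted server-side [Translation] section beside a version that adds GSS-Methods and a [Static] section for the client's own principals. The passwd table, the uid numbers, the CLIENT1$ machine-account entry and the principal names are constructed assumptions that follow the thread; the realm-stripping rule in strip_realm() mirrors how the nsswitch plugin treats a principal in the local realm.

```python
"""Model of the idmapd.conf(5) translation chain an NFS server applies
to an authenticated krb5 principal. Added example: not code from the
thread, from nfs-utils/libnfsidmap or from Samba. The passwd table and
all principal names are constructed to follow the thread."""
import configparser
import io

# Constructed stand-in for getpwnam() on the NFS server. With winbind and
# 'winbind use default domain = yes' the AD machine account CLIENT1$ resolves
# like any other user, which is why root's writes showed up as MYCLIENT$
# earlier in the thread. The uid values are assumptions.
PASSWD = {"root": 0, "nobody": 65534, "bruno": 10001, "CLIENT1$": 10050}

# Server-side [Translation] as posted: nsswitch only, no [Static] section.
SERVER_CONF_AS_POSTED = """
[General]
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
"""

# Same file with GSS-Methods and a [Static] section for exactly the
# principals the client's keytab holds (names assumed from the thread).
SERVER_CONF_FIXED = """
[General]
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
GSS-Methods = static,nsswitch
[Static]
CLIENT1$@DOMAIN = root
nfs/client1.domain@DOMAIN = root
host/client1.domain@DOMAIN = root
"""


def load_conf(text):
    """Parse an idmapd.conf body; principals are case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def gss_methods(cp):
    """GSS-Methods is the list used for krb5 principals; it defaults to Method."""
    tr = cp["Translation"]
    raw = tr.get("GSS-Methods", tr.get("Method", "nsswitch"))
    return [m.strip() for m in raw.split(",") if m.strip()]


def strip_realm(principal, local_realm):
    """nsswitch plugin rule: a principal in the local realm is looked up by
    its name part, so user@DOMAIN becomes 'user'. Anything else, including a
    foreign realm, is left as is and will not match a passwd entry."""
    name, sep, realm = principal.rpartition("@")
    if sep and realm == local_realm:
        return name
    return principal


def gss_princ_to_uid(cp, principal):
    """Walk the configured chain; return (uid, method that resolved it)."""
    local_realm = cp["General"].get("Local-Realm", "")
    for method in gss_methods(cp):
        if method == "static":
            if cp.has_section("Static") and principal in cp["Static"]:
                user = cp["Static"][principal]
                if user in PASSWD:
                    return PASSWD[user], "static"
        elif method == "nsswitch":
            user = strip_realm(principal, local_realm)
            if user in PASSWD:
                return PASSWD[user], "nsswitch"
        # an unknown method name is skipped, like a plugin that failed to load
    nobody = cp["Mapping"].get("Nobody-User", "nobody")
    return PASSWD[nobody], "nobody"


if __name__ == "__main__":
    probes = ("nfs/client1.domain@DOMAIN", "CLIENT1$@DOMAIN",
              "bruno@DOMAIN", "nfs/rogue.domain@DOMAIN")
    for label, text in (("as posted", SERVER_CONF_AS_POSTED),
                        ("fixed", SERVER_CONF_FIXED)):
        cp = load_conf(text)
        for p in probes:
            print(f"{label:9} {p:28} -> {gss_princ_to_uid(cp, p)}")
```

With the posted server config, nfs/client1.domain@DOMAIN has no passwd entry and falls to Nobody-User, while CLIENT1$@DOMAIN resolves through nsswitch to the machine account (the "root writes as MYCLIENT$" symptom from the start of the thread). With GSS-Methods = static,nsswitch and the [Static] entries, both map to uid 0, but nfs/rogue.domain@DOMAIN still does not: the server's [Static] section is what grants root, so list only the specific client principals you intend to trust, and keep in mind that with no_root_squash anyone holding that client's keytab is root on the export. The mapping has to live on the NFS server, because that is where the authenticated principal is turned into a uid; a [Static] section on the client cannot change what the server decides.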