[Samba] FW: kerberos nfs4's principals and root access
Bruno MACADRÉ
bruno.macadre at univ-rouen.fr
Tue Aug 2 14:02:41 UTC 2016
** I truncate my initial mail below for size reasons **
I've tried your tips but nothing better.... AD users can still access the
share (phew!!), but local users no longer can.
I can't find where it blocks....
Thanks for your help Louis,
Greetz,
Bruno
On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
>
> You keep 2 ranges.
>
> One for the “local (linux) users”
>
> idmap config *:backend = tdb
>
> idmap config *:range = 11-9999
>
> One for the “AD users”
>
> idmap config YOURDOMAIN :backend = ad
>
> idmap config YOURDOMAIN : range = 10000-99999
>
> (source : https://wiki.samba.org/index.php/Idmap_config_ad )
>
> >But the idmap range modification apply only on server-side ?
>
> Yes, correct only server side. and after changing it run net cache
> flush and/or net imap flush
>
> Greetings,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* Bruno MACADRÉ [mailto:bruno.macadre at univ-rouen.fr]
> *Sent:* Tuesday 2 August 2016 14:59
> *To:* L.P.H. van Belle
> *Subject:* Re: FW: [Samba] kerberos nfs4's principals and root access
>
> Ok, I understand!!
>
> But does the idmap range modification apply only on the server side? Or must I
> reflect it on the clients (by changing WKS:range to 11-60000)?
>
> Regards,
> Bruno
>
> On 02/08/2016 at 13:24, L.P.H. van Belle wrote:
>
> man smb.conf
>
> · system keytab - use only the system keytab for ticket verification
>
> · dedicated keytab - use a dedicated keytab for ticket verification
>
> · secrets and keytab - use the secrets.tdb first, then the
> system keytab
>
> Add a windows group to www-data and set the needed rights in
> /var/www/
>
> I do that for my ssh groups. (one local group for system
> admins, one windows group for remote access)
>
> When AD is down system admins can log in, but the windows clients
> cannot.
>
> How it influences:
>
> ## map ids outside the domain to tdb files.
>
> idmap config *:backend = tdb
>
> idmap config *:range = 11-9999
>
> (NO 0-9999) or root mapping fails to work.
>
> Here www-data gets mapped to tdb files (secrets from above)
>
> You need to change that range so www-data hits the tdb.
>
> But I haven't tried that, I just set a windows group right on the
> /var/www/domain/SITE_Folders.
>
> My websites have the following layout.
>
> /var/www/localhost (set all known IPs for localhost here.)
>
> /var/www/hostname (set all known IPs for hostname here.)
>
> /var/www/noaccess (set no IP or hostname here, just * like the
> debian default site) (trap for script kiddies)
>
> /var/www/domain1/SITE_Folder (set only the known hostnames here)
>
> /var/www/domain2/SITE_Folder (set only the known hostnames here)
>
> A layout like this only works well if you define ALL known IPs and
> names correctly.
>
> and I add acl_xattr:ignore system acl = yes to the share where I
> share www-data
>
> and only /var/www/domain1 gets a windows group access list.
>
> Greetz,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* Bruno MACADRÉ [mailto:bruno.macadre at univ-rouen.fr]
> *Sent:* Tuesday 2 August 2016 12:47
> *To:* L.P.H. van Belle
> *Subject:* Re: FW: [Samba] kerberos nfs4's principals and root
> access
>
> Thanks for this, I will answer later on the list when the mail is
> in it
>
> I will try your advice but there are two things that I don't
> understand:
>
> - Why delete 'no_root_squash' on the homes share? Is it because it's the
> default behaviour?
> - I don't understand the difference between the 'system keytab' and
> 'secrets and keytab' methods for kerberos and how that influences
> root access to NFS
>
> Actually my setup works fine for all AD users:
> - Login against Kerberos
> - Receiving a valid ticket
> - Browsing the NFS share (according to permissions) and accessing
> their home perfectly.
>
> My real problem resides in access to this share by client-local
> users (mostly root and www-data in the future)
>
> Thanks again, I will try these modifications and come back!
>
> Greetz,
> Bruno
>
>
> On 02/08/2016 at 12:05, L.P.H. van Belle wrote:
>
> A copy in advance, the mail is getting big so it takes time
> before it's in the samba list.
>
> You missed a few small things, see below.
>
> Greetz,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* L.P.H. van Belle [mailto:belle at bazuin.nl]
> *Sent:* Tuesday 2 August 2016 11:53
> *To:* 'samba at lists.samba.org'
> *Subject:* RE: [Samba] kerberos nfs4's principals and root
> access
>
> Most looks ok,
>
> Sometimes the nfs mount isn't mounted, I have that on 2 servers
> (out of 15)
>
> But those were the first 2 I tested with; a mount -a resolves
> that, I haven't had time to review it.
>
> But if that happens:
>
> For the server : add ,x-systemd.automount to fstab.
>
> /home /nfs4export/homes none bind,x-systemd.automount 0 0
>
> For the exports add crossmnt depending on your setup ( man
> exports )
>
> And adjust like below. Your current setting is not correct.
>
> Try setting the server like below.
>
> # NFSv4 Root (/exports)
>
> /exports
> 192.168.0.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
>
> # NFSv4 (/exports/users)
>
> /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5)
>
> This is about the nouser/nogroup
>
> root_squash: Map requests from uid/gid 0 to the anonymous uid/gid.
>
> ( Server ) /etc/samba/smb.conf
>
> Add/change :
>
> dedicated keytab file = /etc/krb5.keytab
>
> kerberos method = secrets and keytab
>
> #and very important one. Must have !!!
>
> # renew the kerberos ticket
>
> winbind refresh tickets = yes
>
> That covers it I think, try the suggestions above and reboot
> both servers.
>
> Log in with a "NON" nfs user account and check if the mounts
> are done.
>
> If so, test with an nfs user AD account and see if you can access
> your own user dir.
>
> If not, kinit username, cd ~. Does it work now?
>
> Check if
>
> /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf
>
> exists with content
>
> [Unit]
>
> Before=remote-fs-pre.target
>
> Wants=remote-fs-pre.target
>
> Also, that's needed for mounts.
>
> Greetz,
>
> Louis
>
> > -----Original Message-----
>
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Bruno MACADRÉ
>
> > Sent: Tuesday 2 August 2016 10:46
>
> > To: samba at lists.samba.org
>
> > Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> >
>
> > Hi Louis,
>
> >
>
> > I read your script and changed my configuration accordingly,
> but it
>
> > still does not work.
>
> >
>
truncate ...
>
> > - Joining : Ok
>
> > - Adding SPN by : net ads keytab add nfs : Ok
>
> > - Mounting NFS share : Ok
>
> > - Authenticating users against Kerberos (with
> libpam-krb5) : Ok
>
> >
>
> >
>
> > klist of Client1 (klist -kt) :
>
> >
>
> > Keytab name: FILE:/etc/krb5.keytab
>
> > KVNO Timestamp           Principal
>
> > ---- ------------------- ------------------------------------------------------
>
> > 4 01/08/2016 10:31:59 host/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 host/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 nfs/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1.domain at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 root/client1 at DOMAIN
>
> > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
>
> > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
>
> > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
>
> > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
>
> > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
>
> >
>
> >
>
> > Testing root access on NFS share :
>
> >
>
> > For testing purposes a tstroot directory was created on the share
> > with mode 0777 on it. When I 'touch foo' in this directory the owner
> > of foo was nobody and its group: nogroup...
> >
> > When I look at the logs, something seems strange to me: rpc.idmapd
> > (server side) and nfsidmap (client side -- rpc.idmapd not needed anymore
> > on the client apparently) never use the static method even if static was
> > specified (client side)...
>
> >
>
> > Parts of syslog :
>
> > ...
>
> > rpc.gssd: libnfsidmap: using domain: domain
>
> > rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
>
> > rpc.gssd: libnfsidmap: processing 'Method' list
>
> > rpc.gssd: libnfsidmap: loaded plugin
>
> > /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
>
> > rpc.gssd: libnfsidmap: loaded plugin
>
> > /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
>
> > rpc.gssd: Expiration time is 600 seconds.
>
> > ...
>
> > nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
>
> > nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
>
> > nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
>
> > nfsidmap: nfs4_uid_to_name: final return value is 0
>
> > nfsidmap: Server : (user) id "65534" -> name "nobody at domain"
>
> > nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
>
> > nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
>
> > nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
>
> > nfsidmap: nfs4_gid_to_name: final return value is 0
>
> > nfsidmap: Server : (group) id "65534" -> name
> "nogroup at domain"
>
> > ...
>
> >
>
> > That's all for the moment.... sorry for this enormous mail, but
> > it's so strange that I can't choose what to show or not....
>
> >
>
> > Greetz,
>
> > Bruno
>
> >
>
> > On 02/08/2016 at 08:11, L.P.H. van Belle wrote:
>
> > > Hai,
>
> > >
>
> > > Here you go..
>
> > >
>
> > > But all my settings are scripted.
>
> > > https://github.com/thctlo/samba4
>
> > > found here.
>
> > >
>
> > > Read the script: samba-with-nfsv4.sh
>
> > > Start it like ./samba-with-nfsv4.sh (client or server)
>
> > >
>
> > > It's tested and works on debian jessie.
>
> > > It contains the nfs server settings and client settings.
>
> > >
>
> > > Greetz,
>
> > >
>
> > > Louis
>
> > >
>
> > >
>
> > >
>
> > >> -----Original Message-----
>
> > >> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Bruno MACADRÉ
>
> > >> Sent: Monday 1 August 2016 17:16
>
> > >> To: samba at lists.samba.org
>
> > >> Subject: Re: [Samba] kerberos nfs4's principals and root
> access
>
> > >>
>
> > >> Hi,
>
> > >>
>
> > >> Sorry for this necrobump.... But I still can't use my local root
> > >> user to browse the content of my NFSv4/Krb5 share...... (the 'others'
> > >> permissions are checked when root uses this share)
> > >>
> > >> So a lot of questions appeared during my tests:
> > >>
> > >> - Must I have the same idmap.conf on both client and server?
> > >> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
> > >> placed before it in the 'Method' and 'GSS-Methods' list?
> > >> - Must the root user use kinit before exploring?
> > >>
> > >> And the most important question: Is there anybody who has succeeded in
> > >> accessing (with real root behaviour!!) an nfsv4/krb5 share in a
> > >> Samba4/Krb5/NFSv4 setup?
> > >>
> > >> Thanks in advance,
> > >> Best regards,
> > >> Bruno
> > >>
> > >> PS: I sent a mail this morning about access to this share from a local
> > >> user (www-data), but I think that granting access to root may be a good
> > >> starting point!!
>
> > >>
>
> > >> On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
>
> > >>> Hai Baptiste,
> > >>>
> > >>> Ok, thanks for these, I'll test that also.
> > >>>
> > >>> And the "why" is a bit more explained here.
> > >>>
> > >>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> > >>>
> > >>> and for example,
> > >>>
> > >>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
> > >>>
> > >>> First my work here, but this is a good one which I also need to adjust
> > >>> in my scripts, so thank you for asking this on the samba list ;-)
>
> > >>> Gr,
>
> > >>>
>
> > >>> Louis
>
> > >>>
>
> > >>>> -----Original Message-----
>
> > >>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Prunk Dump
>
> > >>>> Sent: Friday 9 October 2015 14:11
>
> > >>>> To: samba at lists.samba.org
>
> > >>>> Subject: Re: [Samba] kerberos nfs4's principals and
> root access
>
> > >>>>
>
> > >>>> Thanks Louis ! Very interesting !
>
> > >>>>
>
> > >>>> Maybe the simplest method is to set a static translation.
>
> > >>>>
>
> > >>>> 1) Enabling the no_root_squash option in /etc/exports
>
> > >>>>
>
> > >>>> 2) Set the translation in /etc/idmapd.conf
>
> > >>>>
>
> > >>>> ------------------------
>
> > >>>> /etc/idmap.conf
>
> > >>>> ------------------------
>
> > >>>>
>
> > >>>> ...
>
> > >>>> [Translation]
>
> > >>>>
>
> > >>>> Method = static,nsswitch
>
> > >>>>
>
> > >>>> [Static]
>
> > >>>>
>
> > >>>> MYCLIENT$@SAMDOM.COM = root
>
> > >>>>
>
> > >>>> ------------------------
>
> > >>>>
>
> > >>>> But I don't understand why, with samba, we can't authenticate as
> > >>>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
> > >>>> seems that it is because we can't kinit them. But I don't understand
> > >>>> why...
>
> > >>>>
>
> > >>>> Thanks again !
>
> > >>>>
>
> > >>>> Baptiste.
>
> > >>>>
>
> > >>>>
>
> > >>>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> > >>>>> Ok, now it's clear to me.
>
> > >>>>>
>
> > >>>>> We need to set UMICH_SCHEMA in idmap.conf
>
> > >>>>> Read : http://linux.die.net/man/5/idmapd.conf
>
> > >>>>>
>
> > >>>>> Working on it now.
>
> > >>>>>
>
> > >>>>> Greetz,
>
> > >>>>>
>
> > >>>>> Louis
>
> > >>>>>
>
> > >>>>>
>
> > >>>>>> -----Original Message-----
>
> > >>>>>> From: samba [mailto:samba-bounces at lists.samba.org]
> On Behalf Of L.P.H. van Belle
>
> > >>>>>> Sent: Friday 9 October 2015 13:34
>
> > >>>>>> To: samba at lists.samba.org
>
> > >>>>>> Subject: Re: [Samba] kerberos nfs4's principals and
> root access
>
> > >>>>>>
>
> > >>>>>> Ok, not working...
>
> > >>>>>>
>
> > >>>>>> But found this...
>
> > >>>>>>
>
> > >>>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>
> > >>>>>>
>
> > >>>>>> 4.5 A known issue using NFS with kerberos
>
> > >>>>>> _________________________________________
>
> > >>>>>> Even if "no_root_squash" option is used, while exporting a filesystem at
> > >>>>>> the server, root on the client gets a "Permission denied" error when
> > >>>>>> creating files on the mount point.
>
> > >>>>>> This is because there is no proper mapping between root and the
> > >>>>>> GSSAuthName.
>
> > >>>>>> Note: Trying to set 777 permission is not correct as it is not secure.
> > >>>>>> Also, any file created on the mountpoint will have "nobody" as owner.
>
> > >>>>>> There is a work around for this if both NFS server and client use
> > >>>>>> umich_ldap methods to authenticate. If the idmapd on both server and
> > >>>>>> client is configured to use umich_ldap modules then having GSSAuthName
> > >>>>>> (<nfs/hostname at realm>) parameter map to root user, on the ldap server
> > >>>>>> will solve this problem.
>
> > >>>>>> Still reading, but should be solvable..
>
> > >>>>>>
>
> > >>>>>> Greetz,
>
> > >>>>>>
>
> > >>>>>> Louis
>
> > >>>>>>
>
> > >>>>>>
>
> > >>>>>>> -----Original Message-----
>
> > >>>>>>> From: samba [mailto:samba-bounces at lists.samba.org]
> On Behalf Of L.P.H. van Belle
>
> > >>>>>>> Sent: Friday 9 October 2015 13:17
>
> > >>>>>>> To: samba at lists.samba.org
>
> > >>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and
> root access
>
> > >>>>>>>
>
> > >>>>>>> Hai Baptiste,
>
> > >>>>>>>
>
> > >>>>>>> I re-checked my setup and you're totally correct.
>
> > >>>>>>> I cannot enter the nfsV4 mounted directory as root.
>
> > >>>>>>>
>
> > >>>>>>> What I've added in idmap.conf
>
> > >>>>>>> is this:
>
> > >>>>>>> Domain = your_DNS_domain.tld
>
> > >>>>>>>
>
> > >>>>>>> [Translation]
>
> > >>>>>>>
>
> > >>>>>>> Method = nsswitch
>
> > >>>>>>>
>
> > >>>>>>> And I found this link.
>
> > >>>>>>>
>
> > >>>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>
> > >>>>>>>
>
> > >>>>>>> I'm testing this now.
>
> > >>>>>>>
>
> > >>>>>>> Greetz,
>
> > >>>>>>>
>
> > >>>>>>> Louis
>
> > >>>>>>>
>
> > >>>>>>>
>
> > >>>>>>>
>
> > >>>>>>>> -----Original Message-----
>
> > >>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Prunk Dump
>
> > >>>>>>>> Sent: Friday 9 October 2015 11:34
>
> > >>>>>>>> To: samba at lists.samba.org
>
> > >>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals
> and root access
>
> > >>>>>>>>
>
> > >>>>>>>> Thank you very much Louis!
> > >>>>>>>>
> > >>>>>>>> I have tried your setup and I can't mount the share either from
> > >>>>>>>> the server itself or the client.
> > >>>>>>>>
> > >>>>>>>> On /var/log/syslog I have:
> > >>>>>>>>
> > >>>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
> > >>>>>>>>
> > >>>>>>>> This is because the machine principal is not present in the keytab:
> > >>>>>>>> $ klist -k
> > >>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> > >>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> > >>>>>>>> 1 nfs/myclient.samdom.com at SAMDOM.COM
> > >>>>>>>>
> > >>>>>>>> If I add the machine principal, I can mount the share but the root user
> > >>>>>>>> writes as "machine", not as "root".
> > >>>>>>>>
> > >>>>>>>> Can you check your setup? Do you have your machine credential in
> > >>>>>>>> /etc/krb5.keytab? (with klist -k)
> > >>>>>>>>
> > >>>>>>>> Do you do something related to kerberos when you log in as root?
> > >>>>>>>>
> > >>>>>>>> Do you have additional options in "/etc/idmap.conf"?
> > >>>>>>>>
> > >>>>>>>> Can you give me the result of:
> > >>>>>>>>
> > >>>>>>>> $klist
> > >>>>>>>> $klist -k
> > >>>>>>>>
> > >>>>>>>> when you are logged in as root?
> > >>>>>>>>
> > >>>>>>>> Thank you again!
> > >>>>>>>>
> > >>>>>>>> Baptiste.
>
> > >>>>>>>>
>
> > >>>>>>>>
>
> > >>>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> > >>>>>>>>> Hai,
> > >>>>>>>>>
> > >>>>>>>>> I had it the other way around. Only root access.
> > >>>>>>>>>
> > >>>>>>>>> I have scripted my setup and tested on debian.
> > >>>>>>>>> Look here
> > >>>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> > >>>>>>>>>
> > >>>>>>>>> If you get the file, setup-nfsv4-kerberos.sh, and compare it to your
> > >>>>>>>>> setup. If you can read the bash script maybe you see something you
> > >>>>>>>>> missed.
> > >>>>>>>>> When I write as "root" it's root and not the machine account who owns
> > >>>>>>>>> the file.
> > >>>>>>>>> How is your exports file on the server configured?
>
> > >>>>>>>>>
>
> > >>>>>>>>> Greetz,
>
> > >>>>>>>>>
>
> > >>>>>>>>> Louis
>
> > >>>>>>>>>
>
> > >>>>>>>>>
>
> > >>>>>>>>>
>
> > >>>>>>>>>> -----Original Message-----
>
> > >>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Prunk Dump
>
> > >>>>>>>>>> Sent: Friday 9 October 2015 8:59
>
> > >>>>>>>>>> To: samba at lists.samba.org
>
> > >>>>>>>>>> Subject: [Samba] kerberos nfs4's principals and
> root access
>
> > >>>>>>>>>>
>
> > >>>>>>>>>> Hello samba team!
> > >>>>>>>>>>
> > >>>>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> > >>>>>>>>>> standard user accesses work fine.
> > >>>>>>>>>>
> > >>>>>>>>>> I am now trying to set up NFS4 root access to administer the share from
> > >>>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
> > >>>>>>>>>> trouble understanding the kerberos/principals layer.
> > >>>>>>>>>>
> > >>>>>>>>>> ------------
> > >>>>>>>>>> What I currently do
> > >>>>>>>>>> -------------
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
> > >>>>>>>>>> $ samba-tool user add nfs-myserver --random-password
> > >>>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the client I use the machine keytab.
> > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> > >>>>>>>>>>
> > >>>>>>>>>> With this setup all my domain users can write to the share. But when I
> > >>>>>>>>>> try with the root account it uses the machine keytab (that's normal,
> > >>>>>>>>>> root is not a domain user but he has access to the keytab):
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the client as root
> > >>>>>>>>>> $ touch /myshare/testfile
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the server
> > >>>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
> > >>>>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
> > >>>>>>>>>>
> > >>>>>>>>>> But I need root access!
> > >>>>>>>>>>
> > >>>>>>>>>> ----------
> > >>>>>>>>>> I have tried with a root/myclient service principal name
> > >>>>>>>>>> ----------
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the client I create a root/myclient spn and export it to the keytab
> > >>>>>>>>>> $ samba-tool user add root-myclient --random-password
> > >>>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
> > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> > >>>>>>>>>>
> > >>>>>>>>>> But nothing changes when I access the share. I tried to kinit this
> > >>>>>>>>>> principal but it fails. However kinit with the machine principal works.
> > >>>>>>>>>> $ kinit -k root/myclient.samdom.com
> > >>>>>>>>>> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in
> > >>>>>>>>>> kerberos database while getting initial credentials
> > >>>>>>>>>>
> > >>>>>>>>>> $ kinit -k MYCLIENT$
> > >>>>>>>>>> ok
> > >>>>>>>>>>
> > >>>>>>>>>> ---------
> > >>>>>>>>>> I tried creating a samba root user.
> > >>>>>>>>>> ---------
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the client I create a root user and export it to the keytab
> > >>>>>>>>>> $ samba-tool user add root
> > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> > >>>>>>>>>> Same problem, but here "kinit -k root" works.
> > >>>>>>>>>>
> > >>>>>>>>>> $ kinit -k root
> > >>>>>>>>>> ok
> > >>>>>>>>>>
> > >>>>>>>>>> ------
> > >>>>>>>>>> I tried to kinit another samba user
> > >>>>>>>>>> ------
> > >>>>>>>>>>
> > >>>>>>>>>> -> on the client I kinit a valid user and write to the share
> > >>>>>>>>>>
> > >>>>>>>>>> $ kinit validuser
> > >>>>>>>>>> $ touch /myshare/testfile2
> > >>>>>>>>>>
> > >>>>>>>>>> Here the nfs4 connection is not made with validuser's principal.
> > >>>>>>>>>> Always with the machine's principal.
> > >>>>>>>>>>
> > >>>>>>>>>> -------
> > >>>>>>>>>> So
> > >>>>>>>>>> -------
> > >>>>>>>>>>
> > >>>>>>>>>> I don't understand why I can "kinit root" but not "kinit
> > >>>>>>>>>> root/myclient.samdom.com". What's the difference between these
> > >>>>>>>>>> principals?
> > >>>>>>>>>>
> > >>>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
> > >>>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
> > >>>>>>>>>> the machine's principal?
> > >>>>>>>>>>
> > >>>>>>>>>> I don't know if the problem comes from the creation of the kerberos
> > >>>>>>>>>> principals or from the nfs4 client not choosing the correct
> > >>>>>>>>>> principal...
> > >>>>>>>>>>
> > >>>>>>>>>> Can someone give me a tip?
> > >>>>>>>>>>
> > >>>>>>>>>> Thanks!
> > >>>>>>>>>>
> > >>>>>>>>>> Baptiste.
>
> > >>>>>>>>>>
>
> > >>>>>>>>>> --
> > >>>>>>>>>> To unsubscribe from this list go to the following URL and read the
> > >>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>
>
> > >>>
>
> > >> --
> > >>
> > >> Bruno MACADRE
> > >> -------------------------------------------------------------------
> > >> Ingénieur Systèmes et Réseau | Systems and Network Engineer
> > >> Département Informatique | Department of computer science
> > >> Responsable Info SER | SER IT Manager
> > >> Université de Rouen | University of Rouen
> > >> -------------------------------------------------------------------
> > >> Coordonnées / Contact :
> > >> Université de Rouen
> > >> Faculté des Sciences et Techniques - Madrillet
> > >> Avenue de l'Université
> > >> CS 70012
> > >> 76801 St Etienne du Rouvray CEDEX
> > >> FRANCE
> > >> Tél : +33 (0)2-32-95-51-86
> > >> Mob : +33 (0)6-74-71-45-64
> > >> -------------------------------------------------------------------
>
> > >>
>
> > >>
>
>
> > >
>
> > >
>
> >
>
>
>
>
>
>
>
>
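The idmap advice quoted in the thread comes down to three checks: the default ('*') range must not start at 0 (Louis's "NO 0-9999 or root mapping fails to work"), the '*' range and the AD domain range must not overlap, and a local user such as www-data must fall inside the '*' range if the default backend is to map it. The script below is an added example for this thread, not code from the thread, from Samba or from the linked scripts: it pulls the `idmap config` lines out of an smb.conf text and reports which of those three points are violated. The two smb.conf snippets are constructed for the example, YOURDOMAIN is the placeholder used in the thread, and the www-data uid of 33 is an assumption (the Debian default).

```python
"""Sanity-check Samba idmap ranges the way the advice in this thread implies.

Added example; not code from the thread, from Samba or from the linked
scripts. It parses `idmap config <domain> : <option> = <value>` lines and
checks:
  * the '*' range must not start at 0, or uid 0 (root) is claimed by the
    default (tdb) backend;
  * the '*' range and the AD domain range must not overlap;
  * a local uid (www-data, assumed 33 as on Debian) must fall inside the
    '*' range if the default backend is to map it.
"""
import re
from typing import Dict, List, Tuple

# Samba accepts optional whitespace around the colon ("idmap config DOM : range").
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line in conf."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"]
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a (low, high) pair of ints."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"invalid idmap range {value!r}")
    return low, high


def check_idmap(conf: str, local_uids: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the ranges look sane."""
    cfg = parse_idmap(conf)
    problems: List[str] = []
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    if "*" not in ranges:
        return ["no 'idmap config * : range' line: the default backend has no range"]
    low, high = ranges["*"]
    if low == 0:
        backend = cfg["*"].get("backend", "?")
        problems.append(f"'*' range {low}-{high} starts at 0: uid 0 (root) would be "
                        f"claimed by the {backend} backend")
    # Pairwise overlap check between every configured range.
    doms = list(ranges.items())
    for i, (d1, (a1, b1)) in enumerate(doms):
        for d2, (a2, b2) in doms[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"ranges overlap: {d1} {a1}-{b1} and {d2} {a2}-{b2}")
    # Local accounts the default backend is expected to cover.
    for name, uid in local_uids.items():
        if not low <= uid <= high:
            problems.append(f"local user {name} (uid {uid}) is outside the '*' range {low}-{high}")
    return problems


# Constructed sample: the two-range layout recommended in the thread.
GOOD_CONF = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 11-9999
   idmap config YOURDOMAIN : backend = ad
   idmap config YOURDOMAIN : range = 10000-99999
"""

# Constructed sample: what the thread warns against (0-9999, and overlapping ranges).
BAD_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 0-9999
   idmap config YOURDOMAIN:backend = ad
   idmap config YOURDOMAIN:range = 3000-99999
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        issues = check_idmap(conf, {"www-data": 33})
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read(), {"www-data": 33})`; it only reads the file, so it is safe to run on a server before restarting winbind. The overlap test is the usual closed-interval one (two ranges overlap when each starts no later than the other ends), so it also catches adjacent-but-shared boundary values such as 11-10000 next to 10000-99999.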