[Samba] FW: kerberos nfs4's principals and root access
Rowland Penny
rpenny at samba.org
Tue Aug 2 16:20:42 UTC 2016
On Tue, 2 Aug 2016 17:05:37 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> It's OK.
>
> So, if I create an httpuser and an httpgroup in my AD and use these as
> owner and group for my apache2 daemon, this one could access the
> userdirs (provided the permissions grant it)? But I need to cron 'kinit'
> to keep a valid ticket... ?
>
> My local root user still can't access the share, but my other
> problem seems to be resolved.
>
>
OK, I went and re-read your first post and I think you are going about
this the wrong way. I did a quick google and found this:
http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
So to translate that into Samba:
Create a user 'httpuser' with a random password:
samba-tool user create --random-password httpuser
Give the new user an SPN:
samba-tool spn add HTTP/servername.your.realm.tld httpuser
Where 'servername' is the short hostname of your machine running Apache
and 'your.realm.tld' is (obviously) your DNS/realm name.
Now export the keytab:
samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
Copy the keytab to the machine running Apache and allow www-data to
read the keytab.
Rowland
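The steps in the message above, as an added example in script form; this is not code from Rowland's message or from the Samba project. The hostname web1, the DNS domain example.com (and the realm EXAMPLE.COM derived from it), the keytab path /etc/apache2/httpd.keytab, the www-data group and the helper names are all assumptions. It adds the two checks a practitioner would run on the Apache host: klist -k to confirm the exported entry is there, and a mode check so the keytab is readable by www-data's group but not by everyone.

```shell
#!/bin/sh
# Added example, not code from the thread above or from the Samba project.
# Hypothetical names: host "web1", DNS domain "example.com", keytab path
# /etc/apache2/httpd.keytab, Apache running as www-data. Needs samba-tool on
# the DC and klist on the Apache host; stat -c is GNU coreutils.

# SPN for the web server: HTTP/<short host>.<dns domain>
http_spn() {
    printf 'HTTP/%s.%s' "$1" "$2"
}

# Principal to export: the SPN plus "@REALM". In a Samba AD the realm is
# the DNS domain name upper-cased (assumption; check "realm" in smb.conf).
http_principal() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s' "$(http_spn "$1" "$2")" "$realm"
}

# Run on the DC as root: create the account, attach the SPN, export its key.
provision_http_keytab() {
    host=$1; domain=$2; out=$3
    samba-tool user create --random-password httpuser
    samba-tool spn add "$(http_spn "$host" "$domain")" httpuser
    samba-tool domain exportkeytab "$out" \
        --principal="$(http_principal "$host" "$domain")"
    chmod 600 "$out"   # the keytab is a credential; keep it root-only on the DC
}

# Run on the Apache host as root after copying the keytab over:
# root owns it, group www-data may read it, nobody else can.
install_http_keytab() {
    src=$1; dest=${2:-/etc/apache2/httpd.keytab}
    install -o root -g www-data -m 0640 "$src" "$dest"
    klist -k -t "$dest"   # lists the exported entries; no ticket needed
}

# Returns 0 if the keytab mode is exactly 0640 (group-readable, not world-readable).
keytab_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "640" ]
}

# Only runs when asked for, so the file can also be sourced for its functions:
#   sh httpkeytab.sh provision                     (on the DC)
#   sh httpkeytab.sh install /root/httpd.keytab    (on the Apache host)
case "${1:-}" in
    provision) provision_http_keytab web1 example.com /root/httpd.keytab ;;
    install)   install_http_keytab "${2:?keytab path}" \
                   && keytab_perms_ok /etc/apache2/httpd.keytab ;;
esac
```

The keytab holds the long-term key of httpuser, so it is equivalent to that account's password: the root:www-data ownership and 0640 mode are the part that matters, and klist -k -t is the quick way to see that the HTTP/web1.example.com@EXAMPLE.COM entry (and its key version) actually made it into the copied file.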