[Samba] FW: kerberos nfs4's principals and root access

Bruno Macadré bruno.macadre at univ-rouen.fr
Wed Aug 3 06:20:19 UTC 2016


Hi Rowland,

I've already read this article, but I never found how to tell 
apache to read this file... After some research, I think I need to 
install mod_auth_krb5 to specify at least how to find this keytab (even 
if I don't need Apache authentication against Kerberos).

I will try this today and come back to say if it works!

In fact I'm stuck between my two problems (root access to the Kerberised NFS 
share / www-data access to userdir on a Kerberised NFS share); 
contrary to what I thought, it's the root access that is the more difficult to 
resolve...

Thanks Rowland,
Greetz,
Bruno


On 02/08/2016 at 18:20, Rowland Penny wrote:
> On Tue, 2 Aug 2016 17:05:37 +0200
> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>
>> It's ok
>>
>> So, if I create an httpuser and an httpgroup in my AD and use these as
>> owner and group for my apache2 daemon, this one could access the
>> userdirs (provided the permissions grant it)? But I need to cron 'kinit'
>> to keep a valid ticket...?
>>
>> My local root user still can't access the share, but my other
>> problem seems to be resolved.
>>
>>
> OK, I went and re-read your first post and I think you are going about
> this the wrong way. I did a quick google and found this:
>
> http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
>
> So to translate that into Samba:
>
> Create a user 'httpuser' with a random password:
>
> samba-tool user create --random-password httpuser
>
> Give the new user an SPN:
>
> samba-tool spn add HTTP/servername.your.realm.tld httpuser
>
> Where 'servername' is the short hostname of your machine running Apache
> and 'your.realm.tld' is (obviously) your DNS/realm name.
>
> Now export the keytab:
>
> samba-tool domain exportkeytab /root/httpd.keytab \
>   --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
>
> Copy the keytab to the machine running Apache and allow www-data to
> read the keytab.
>
> Rowland
>
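Two of the steps Rowland quotes above can be verified before Apache is pointed at the keytab: that the exported file actually contains the principal HTTP/servername.your.realm.tld@YOUR.REALM.TLD, and that it is readable by www-data but not by every local user. The following Python is an added example, not code from the thread or from Samba: it builds a small MIT-format (version 0x0502) keytab from constructed values purely as offline test input (samba-tool writes the real one), parses it back to list the principals it holds, and checks the file mode. The host, realm, kvno and key bytes are constructed placeholders; substitute your own.

```python
import os
import stat
import struct
import tempfile

# Constructed sample values, not from the thread; substitute your own host/realm.
REALM = "YOUR.REALM.TLD"
HOST = "servername.your.realm.tld"
EXPECTED_PRINCIPAL = f"HTTP/{HOST}@{REALM}"

KRB5_NT_SRV_HST = 3                  # name type used for service/host principals
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _octet_string(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Write a minimal MIT-format (0x0502) keytab from (principal, kvno, enctype, key)
    tuples. Used here only to construct offline test input; samba-tool writes the real file."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))
        body += _octet_string(realm.encode())
        for comp in components:
            body += _octet_string(comp.encode())
        body += struct.pack(">II", KRB5_NT_SRV_HST, 0)   # name type, timestamp
        body += struct.pack(">B", kvno & 0xFF)            # 8-bit kvno
        body += struct.pack(">H", enctype) + _octet_string(key)
        body += struct.pack(">I", kvno)                   # 32-bit kvno (v2 extension)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of (principal, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4                     # name type
        pos += 4                     # timestamp
        kvno = data[pos]; pos += 1   # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                  # key bytes are never needed for this check
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def keytab_has_principal(data: bytes, principal: str) -> bool:
    return any(p == principal for p, _, _ in parse_keytab(data))


def keytab_mode_ok(path: str) -> bool:
    """The keytab holds the service's long-term key, so 'other' must get no access.
    Owner root, group www-data, mode 0640 satisfies 'allow www-data to read the keytab'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IROTH | stat.S_IWOTH))


def write_temp_keytab(data: bytes, mode: int) -> str:
    """Helper for demonstrating the mode check: write the bytes to a temp file with a given mode."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    os.chmod(f.name, mode)
    return f.name


if __name__ == "__main__":
    kt = build_keytab([(EXPECTED_PRINCIPAL, 1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x00" * 32)])
    path = write_temp_keytab(kt, 0o640)
    print("entries:", parse_keytab(kt))
    print("expected principal present:", keytab_has_principal(kt, EXPECTED_PRINCIPAL))
    print("mode ok:", keytab_mode_ok(path))
    os.unlink(path)
```

On the real file, `klist -k /path/to/httpd.keytab` gives the same principal list; the parser here only exists so the check runs without a Kerberos install. The group/mode choice mirrors Rowland's last step: www-data reads the keytab through group membership, while a world-readable keytab would hand the HTTP service key to any local account.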



