[Samba] FW: kerberos nfs4's principals and root access

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Wed Aug 3 08:21:51 UTC 2016


Yes, in fact this corresponds to another mail I posted to this list:
"kerberized nfs4 homedir and local account access (www-data)" but, over
the mails, my two requests (root access and www-data access) got crossed
and merged....

I've tried the kinit -kt as the www-data user but it still doesn't work
(keytab contains no suitable keys for host/client1.domain@DOMAIN ...).

I think I'm not so far from a good solution but I don't have enough time
to continue (I have deadlines to meet), so I have to give up for
now (maybe I'll retry later in the year).

Anyway, thank you Rowland and Louis for trying to help me!! I'll come
back asap!

Best regards,
Bruno.

On 03/08/2016 at 09:35, L.P.H. van Belle wrote:
> Ah ok, you are using "public_html" from a default setup.
> Now I understand what you exactly want.
>
> Once you have the apache keytab created,
> create a cron job and run:
> kinit -t /path/to/keytab as the www user.
>
> Don't forget to disable the password change in the AD user for
> the "apache Service user" account.
> You probably also need to export some Kerberos variables like: KRB5CCNAME
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
>> Sent: Wednesday 3 August 2016 9:16
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>>
>> Thanks Louis,
>>
>> I'll reply in your answer
>>
>> On 03/08/2016 at 08:57, L.P.H. van Belle wrote:
>>> For the apache keytab you need something like
>>> Alias /webmail /usr/share/webmail
>>> #
>>> <Directory /usr/share/webmail>
>>>     AuthType Kerberos
>>>     AuthName "Kerberos Login"
>>>     KrbMethodNegotiate On
>>>     KrbMethodK5Passwd Off
>>>     KrbServiceName HTTP
>>>     KrbAuthRealms EXAMPLE.COM
>>>     Krb5KeyTab /etc/httpd/conf/keytab
>>>     require valid-user
>>> </Directory>
>>> chmod 400 /etc/httpd/conf/keytab
>>> chown www-data:www-data /etc/httpd/conf/keytab
>>>
>> That's exactly what I thought. I'll try this soon.
>>>> In fact I'm stuck between my two problems (root access to a Kerberised NFS
>>>> share / www-data access to userdirs in a Kerberised NFS share);
>>>> contrary to what I thought, it's the root access that is the more difficult to
>>>> resolve...
>>> This is because of your layout for your website.
>>> Now you're "abusing" the user homedir, and normally that's a private dir
>>> for only the user.
>>> For the root access, you can kinit administrator in a root script, I
>>> don't know what you exactly want.
>>> But echo "passwd" | kinit Administrator simply resolves your problem.
>> There's no "abuse" of the homedir. The principle of Apache's userdir is
>> to give users the ability to create web pages in their homedir and to
>> test them with Apache in an unprivileged manner and without losing the
>> private side of their homedir.
>>
>>> And for the users/website data.
>>>
>>> When you set a layout like this:
>>> /var/www/domain/site/
>>> Add on the domain for example an AD group with write rights,
>>> like "Domain website Admins", and give these full control.
>>> And something like "Site Admins" for a website, inheriting the one before.
>>>
>>> No hassle with keytabs, changing owner/group.
>>> Besides, if you want to do that, look at mod_ruid, which allows you to run an
>>> apache vhost as a user.
>>> But it's what you want.
>> Thanks again,
>> Greetz,
>> Bruno
>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno Macadré
>>>> Sent: Wednesday 3 August 2016 8:20
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>>>>
>>>> Hi Rowland,
>>>>
>>>> I've already read this article, but I never found how to tell
>>>> apache to read this file... After some research, I think I need to
>>>> install mod_auth_krb5 to specify at least where to find this keytab (even
>>>> if I don't need Apache authentication against Kerberos).
>>>>
>>>> I will try this today and come back to say if it works!
>>>>
>>>> In fact I'm stuck between my two problems (root access to a Kerberised NFS
>>>> share / www-data access to userdirs in a Kerberised NFS share);
>>>> contrary to what I thought, it's the root access that is the more difficult to
>>>> resolve...
>>>>
>>>> Thanks Rowland,
>>>> Greetz,
>>>> Bruno
>>>>
>>>>
>>>> On 02/08/2016 at 18:20, Rowland Penny wrote:
>>>>> On Tue, 2 Aug 2016 17:05:37 +0200
>>>>> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>>>>>
>>>>>> It's ok
>>>>>>
>>>>>> So, if I create an httpuser and an httpgroup in my AD and use these as
>>>>>> owner and group for my apache2 daemon, this one could access
>>>>>> userdirs (while permissions grant it)? But I need to cron 'kinit'
>>>>>> to keep a valid ticket...?
>>>>>>
>>>>>> My local root user still can't access the share, but my other
>>>>>> problem seems to be resolved.
>>>>>>
>>>>>>
>>>>> OK, I went and re-read your first post and I think you are going about
>>>>> this the wrong way. I did a quick google and found this:
>>>>>
>>>>> http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
>>>>>
>>>>> So to translate that into Samba:
>>>>>
>>>>> Create a user 'httpuser' with a random password:
>>>>>
>>>>> samba-tool user create --random-password httpuser
>>>>>
>>>>> Give the new user an SPN:
>>>>>
>>>>> samba-tool spn add HTTP/servername.your.realm.tld httpuser
>>>>>
>>>>> Where 'servername' is the short hostname of your machine running Apache
>>>>> and 'your.realm.tld' is (obviously) your dns/realm name
>>>>>
>>>>> Now export the keytab:
>>>>>
>>>>> samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
>>>>>
>>>>> copy the keytab to the machine running Apache and allow www-data to
>>>>> read the keytab.
>>>>>
>>>>> Rowland
>>>>>

-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tél : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
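The procedure Rowland and Louis describe (service account with an HTTP/ SPN, exported keytab, readable only by the web user, ticket refreshed from cron with KRB5CCNAME set), written out as one script. This is an added example, not code from the thread or from the Samba project; the host www1.example.com, realm EXAMPLE.COM, user httpuser, web user www-data and keytab path /etc/httpd/conf/keytab are assumptions (the path is the one from Louis's Apache snippet) and can be overridden from the environment. Two details the thread leaves implicit: MIT kinit run with -k and no principal argument defaults to host/<fqdn>@REALM, which is the "no suitable keys for host/..." error quoted above, so the principal is passed explicitly; and rpc.gssd, unless started with -d, looks for the web user's credential cache under /tmp as krb5cc_<uid>*, so the ticket is written there. With DRY_RUN set the script only prints the commands it would run, which is also how the assertions below exercise it.

```shell
#!/bin/sh
# Added example, not code from the thread. Provisions an HTTP/ service
# principal on a Samba AD DC and keeps a ticket for it alive on the Apache
# host. Assumed names (override via env): www1.example.com, EXAMPLE.COM,
# httpuser, www-data, /etc/httpd/conf/keytab.
set -eu

HTTP_HOST=${HTTP_HOST:-www1.example.com}
REALM=${REALM:-EXAMPLE.COM}
SVC_USER=${SVC_USER:-httpuser}
WEB_USER=${WEB_USER:-www-data}
KEYTAB=${KEYTAB:-/etc/httpd/conf/keytab}
SPN="HTTP/${HTTP_HOST}"
PRINCIPAL="${SPN}@${REALM}"

# run: execute a command, or only print it when DRY_RUN is set, so the exact
# samba-tool/kinit invocations can be reviewed before anything is changed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dc_provision: run as root on the DC. Only the HTTP/ principal's key is
# exported, not the whole account's keytab.
dc_provision() {
    run samba-tool user create "$SVC_USER" --random-password
    # Louis's point: if the account password ever rotates, the exported key
    # (kvno) stops matching. setexpiry --noexpiry sets DONT_EXPIRE_PASSWD.
    run samba-tool user setexpiry "$SVC_USER" --noexpiry
    run samba-tool spn add "$SPN" "$SVC_USER"
    run samba-tool domain exportkeytab /root/httpd.keytab --principal="$PRINCIPAL"
}

# client_install: run as root on the Apache host after copying the keytab
# over. The keytab is a long-lived credential: mode 0400, owned by www-data.
client_install() {
    run install -o "$WEB_USER" -g "$WEB_USER" -m 0400 /root/httpd.keytab "$KEYTAB"
}

# ccache_for_current_user: rpc.gssd started without -d scans /tmp for
# krb5cc_* files owned by the requesting uid, so the ticket must live there
# for kerberized NFS access by that uid (adjust if rpc.gssd uses -d).
ccache_for_current_user() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
}

# client_renew: run from www-data's crontab. The principal is given
# explicitly: with -k and no principal, MIT kinit defaults to
# host/<fqdn>@REALM, the "no suitable keys for host/..." error in the thread.
client_renew() {
    KRB5CCNAME=$(ccache_for_current_user)
    export KRB5CCNAME
    run kinit -k -t "$KEYTAB" "$PRINCIPAL"
    run klist -s    # MIT klist: exit 0 only if the cache holds a valid ticket
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        provision) dc_provision ;;
        install)   client_install ;;
        renew)     client_renew ;;
        *) echo "usage: $0 {provision|install|renew}" >&2; exit 2 ;;
    esac
fi
```

Installed as, say, /usr/local/sbin/http-krb.sh (a hypothetical path), the cron side is a single line in `crontab -u www-data -e`, for example `0 * * * * /usr/local/sbin/http-krb.sh renew`; a failing kinit makes the script exit non-zero, so cron reports it instead of Apache silently losing access when the ticket expires. The same `renew` shape, pointed at a different keytab and principal, is the keytab-based alternative for the root case as well, and keeps the password out of the script.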



