[Samba] FW: kerberos nfs4's principals and root access

L.P.H. van Belle belle at bazuin.nl
Wed Aug 3 09:37:29 UTC 2016


If not done, add the server to the AD.

Add the host and nfs to the COMPUTERNAME($) account.
And use winbind to refresh the keytab.

Stop samba,
remove the keytab, create the new one with the new SPNs in it,
start samba.

And use the second keytab for apache with only http as upn in it.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> Sent: Wednesday 3 August 2016 10:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
> 
> Yes, in fact this corresponds to another mail I posted on this list:
> "kerberized nfs4 homedir and local account access (www-data)" but, over
> the mails, my two requests (root access and www-data access) got crossed
> and merged....
> 
> I've tried the kinit -kt as the www-data user but it still doesn't work
> (keytab contains no suitable keys for host/client1.domain at DOMAIN ...)
> 
> I think I'm not so far from a good solution but I don't have enough time
> to continue (I have to respect some deadlines), so I have to give up for
> now (maybe I'll retry later in the year).
> 
> Anyway thank you Rowland and Louis for trying to help me !! I'll come
> back asap !
> 
> Best regards,
> Bruno.
> 
> On 03/08/2016 at 09:35, L.P.H. van Belle wrote:
> > Ah ok, you are using "public_html" from a default setup.
> > Now I understand what exactly you want.
> >
> > If you have the apache keytab created.
> >
> > Create a cron job and run:
> > kinit -t /path/to/keytab as the www user.
> >
> > Don't forget to disable the password change in the AD user for
> > the "apache Service user" account.
> > You probably also need to export some kerberos variables like:
> > KRB5CCNAME
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> >> Sent: Wednesday 3 August 2016 9:16
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
> >>
> >> Thanks Louis,
> >>
> >> I'll reply in your answer
> >>
> >> On 03/08/2016 at 08:57, L.P.H. van Belle wrote:
> >>> You need for the apache keytab something like
> >>> Alias /webmail /usr/share/webmail
> >>> #
> >>> <Directory /usr/share/webmail>
> >>>     AuthType Kerberos
> >>>     AuthName "Kerberos Login"
> >>>     KrbMethodNegotiate On
> >>>     KrbMethodK5Passwd Off
> >>>     KrbServiceName HTTP
> >>>     KrbAuthRealms EXAMPLE.COM
> >>>     Krb5KeyTab /etc/httpd/conf/keytab
> >>>     require valid-user
> >>> </Directory>
> >>> chmod 400 /etc/httpd/conf/keytab
> >>> chown www-data:www-data /etc/httpd/conf/keytab
> >>>
> >> That's exactly what I thought. I'll try this soon.
> >>>> In fact I'm stuck between my two problems (root access to a Kerberised
> >>>> NFS share / www-data access to userdir into a Kerberised NFS share);
> >>>> contrary to what I thought, it's the root access that is the more
> >>>> difficult to resolve...
> >>> This is because of your layout for your website.
> >>> Now, you're "abusing" the user homedir, and normally that's a private dir
> >>> for only the user.
> >>> For the root access, you can kinit administrator in a root script, I
> >>> don't know what exactly you want.
> >>> But echo "passwd" | kinit Administrator simply resolves your problem.
> >> There's no "abuse" of the homedir. The principle of Apache's userdir is
> >> to give users the ability to create web pages in their homedir and to
> >> test them with Apache in an unprivileged manner and without losing the
> >> private side of their homedir.
> >>
> >>> And for the users/website data.
> >>>
> >>> When you set a layout like this:
> >>> /var/www/domain/site/
> >>> Add on the domain, for example, an AD Group with write rights.
> >>> Like "Domain website Admins"; give these full control.
> >>> And something like "Site Admins" for a website, inheriting the one
> >>> before.
> >>>
> >>> No hassle with keytabs, changing owner/group.
> >>> Besides, if you want to do that, look at mod_ruid, which allows running
> >>> an apache vhost as a user.
> >>> But it's what you want.
> >> Thanks again,
> >> Greetz,
> >> Bruno
> >>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno Macadré
> >>>> Sent: Wednesday 3 August 2016 8:20
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
> >>>>
> >>>> Hi Rowland,
> >>>>
> >>>> I've already read this article, but I never found how to tell
> >>>> apache to read this file... After some research, I think I need to
> >>>> install mod_auth_krb5 to specify at least how to find this keytab (even
> >>>> if I don't need Apache authentication against Kerberos).
> >>>>
> >>>> I will try this today and come back to say if it works!
> >>>>
> >>>> In fact I'm stuck between my two problems (root access to a Kerberised
> >>>> NFS share / www-data access to userdir into a Kerberised NFS share);
> >>>> contrary to what I thought, it's the root access that is the more
> >>>> difficult to resolve...
> >>>>
> >>>> Thanks Rowland,
> >>>> Greetz,
> >>>> Bruno
> >>>>
> >>>>
> >>>> On 02/08/2016 at 18:20, Rowland Penny wrote:
> >>>>> On Tue, 2 Aug 2016 17:05:37 +0200
> >>>>> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> >>>>>
> >>>>>> It's ok
> >>>>>>
> >>>>>> So, if I create an httpuser and an httpgroup in my AD and use these
> >>>>>> as owner and group for my apache2 daemon, this one could access
> >>>>>> userdirs (provided permissions grant it)? But I need to cron 'kinit'
> >>>>>> to keep a valid ticket...?
> >>>>>>
> >>>>>> My local root user still can't access the share, but my other
> >>>>>> problem seems to be resolved.
> >>>>>>
> >>>>>>
> >>>>> OK, I went and re-read your first post and I think you are going
> >>>>> about this the wrong way. I did a quick google and found this:
> >>>>>
> >>>>> http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
> >>>>>
> >>>>> So to translate that into Samba:
> >>>>>
> >>>>> Create a user 'httpuser' with a random password:
> >>>>>
> >>>>> samba-tool user create --random-password httpuser
> >>>>>
> >>>>> Give the new user an SPN:
> >>>>>
> >>>>> samba-tool spn add HTTP/servername.your.realm.tld httpuser
> >>>>>
> >>>>> Where 'servername' is the short hostname of your machine running
> >>>>> Apache and 'your.realm.tld' is (obviously) your dns/realm name
> >>>>>
> >>>>> Now export the keytab:
> >>>>>
> >>>>> samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.your.realm.tld at YOUR.REALM.TLD
> >>>>>
> >>>>> copy the keytab to the machine running Apache and allow www-data to
> >>>>> read the keytab.
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >> --
> >>
> >> Bruno MACADRE
> >> -------------------------------------------------------------------
> >>    Ingénieur Systèmes et Réseau     | Systems and Network Engineer
> >>    Département Informatique         | Department of computer science
> >>    Responsable Info SER             | SER IT Manager
> >>    Université de Rouen              | University of Rouen
> >> -------------------------------------------------------------------
> >> Coordonnées / Contact :
> >> 	Université de Rouen
> >> 	Faculté des Sciences et Techniques - Madrillet
> >> 	Avenue de l'Université
> >> 	CS 70012
> >> 	76801 St Etienne du Rouvray CEDEX
> >> 	FRANCE
> >>
> >> 	Tél : +33 (0)2-32-95-51-86
> >> 	Mob : +33 (0)6-74-71-45-64
> >> -------------------------------------------------------------------
> >>
> >>
> >
> >
> 
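The thread describes a keytab exported with samba-tool for the HTTP/ principal, a cron job that runs kinit from it as the www user with KRB5CCNAME exported, and an attempt that failed with "keytab contains no suitable keys for host/client1.domain@DOMAIN". The script below is an added example written for this thread; it is not code from the list posts or from the Samba project. It ties those pieces together as a renewal script for www-data's crontab and makes the failure explicit: when kinit is given a keytab but no principal name, it falls back to host/<fqdn>@REALM, which an Apache-only keytab does not contain, so the script names the HTTP/ principal explicitly and first checks that the keytab actually holds it. The keytab path, principal and mode 400 follow the thread; the credential cache location, the cron interval and the `client1.domain` hostname are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): renew Apache's HTTP service ticket
# from its keytab, as www-data, with the checks the discussion implies.
set -u

KEYTAB="${KEYTAB:-/etc/httpd/conf/keytab}"                               # from the thread
PRINCIPAL="${PRINCIPAL:-HTTP/servername.your.realm.tld@YOUR.REALM.TLD}"  # from the thread
CCACHE="${KRB5CCNAME:-FILE:/var/run/apache/krb5cc_www-data}"             # assumed location

# Principal that kinit uses when "-k/-kt <keytab>" is given with NO principal:
# host/<fqdn>@REALM. That is why "kinit -kt keytab" as www-data reported
# "keytab contains no suitable keys for host/client1.domain@DOMAIN": the Apache
# keytab only carries HTTP/... keys, never host/... keys.
implicit_kinit_principal() {
    fqdn="$1"; realm="$2"
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Read 'klist -kt <keytab>' output on stdin; succeed only if $1 is listed.
# klist prints the principal as the last field of each entry line.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# The keytab is a long-term key: insist on mode 400 (owner read only),
# matching the chmod in the thread. Uses GNU stat (assumption).
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "400" ]
}

# Obtain or refresh the ticket. Requires kinit/klist on PATH; run as www-data.
renew_ticket() {
    keytab_mode_ok "$KEYTAB" \
        || { echo "refusing: $KEYTAB is not mode 400" >&2; return 1; }
    klist -kt "$KEYTAB" | keytab_has_principal "$PRINCIPAL" \
        || { echo "refusing: $PRINCIPAL is not in $KEYTAB" >&2; return 1; }
    # Apache must read the same cache, so export the same KRB5CCNAME for it
    # (for example via /etc/apache2/envvars).
    export KRB5CCNAME="$CCACHE"
    # Name the principal explicitly so kinit does not fall back to host/<fqdn>.
    kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# Suggested crontab entry for www-data (interval is an assumption):
#   0 */8 * * * /usr/local/sbin/renew-http-ticket.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_ticket
fi
```

Run it as `renew-http-ticket.sh renew` from www-data's crontab; the refusal messages go to stderr so a broken keytab permission or a keytab exported for the wrong principal shows up in cron mail instead of as a silent "no suitable keys" loop.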