[Samba] FW: kerberos nfs4's principals and root access

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Wed Aug 3 13:35:55 UTC 2016


host is already in AD... I don't know where it blocks, but thanks for 
trying!

I will retry this later (when I have more time).

Greetz,
Bruno.


On 03/08/2016 at 11:37, L.P.H. van Belle wrote:
> If not done, add the server to the AD.
>
> Add the host and nfs to the COMPUTERNAME($) account.
> 	And use winbind to refresh the keytab.
>
> 	Stop samba,
> 	remove the keytab, create a new one with the new SPNs in it,
> 	start samba.
>
> 	And use the second keytab for Apache with only HTTP as UPN in it.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
>> Sent: Wednesday 3 August 2016 10:22
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>>
>> Yes, in fact this corresponds to another mail I posted to this list:
>> "kerberized nfs4 homedir and local account access (www-data)" but, over
>> the mails, my two requests (root access and www-data access) got crossed
>> and merged....
>>
>> I've tried the kinit -kt as the www-data user but it still doesn't work
>> (keytab contains no suitable keys for host/client1.domain at DOMAIN ...)
>>
>> I think I'm not so far from a good solution but I don't have enough time
>> to continue (I have to respect some deadlines), so I have to give up for
>> now (maybe I'll retry later in the year).
>>
>> Anyway, thank you Rowland and Louis for trying to help me!! I'll come
>> back asap!
>>
>> Best regards,
>> Bruno.
>>
>> On 03/08/2016 at 09:35, L.P.H. van Belle wrote:
>>> Ah ok, you are using "public_html" from a default setup.
>>> Now I understand what you exactly want.
>>>
>>> If you have the apache keytab created,
>>>
>>> create a cron job and run:
>>> kinit -t /path/to/keytab as the www user.
>>>
>>> Don't forget to disable the password change in the AD user for
>>> the "apache Service user" account.
>>> You probably also need to export some kerberos variables like:
>>> KRB5CCNAME
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
>>>> Sent: Wednesday 3 August 2016 9:16
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>>>>
>>>> Thanks Louis,
>>>>
>>>> I'll reply inline in your answer.
>>>>
>>>> On 03/08/2016 at 08:57, L.P.H. van Belle wrote:
>>>>> You need for the apache keytab something like
>>>>> Alias /webmail /usr/share/webmail
>>>>> #
>>>>> <Directory /usr/share/webmail>
>>>>>      AuthType Kerberos
>>>>>      AuthName "Kerberos Login"
>>>>>      KrbMethodNegotiate On
>>>>>      KrbMethodK5Passwd Off
>>>>>      KrbServiceName HTTP
>>>>>      KrbAuthRealms EXAMPLE.COM
>>>>>      Krb5KeyTab /etc/httpd/conf/keytab
>>>>>      require valid-user
>>>>> </Directory>
>>>>> chmod 400 /etc/httpd/conf/keytab
>>>>> chown www-data:www-data /etc/httpd/conf/keytab
>>>>>
>>>> That's exactly what I thought. I'll try this soon.
>>>>>> In fact I'm stuck between my two problems (root access to Kerberised
>>>>>> NFS share / www-data access to userdir into a Kerberised NFS share),
>>>>>> contrary to what I thought, it's the root access that is the more
>>>>>> difficult to resolve...
>>>>> This is because of the layout of your website.
>>>>> Now you're "abusing" the user homedir, and normally that's a private dir
>>>>> for only the user.
>>>>> For the root access, you can kinit administrator in a root script, I
>>>>> don't know what you exactly want.
>>>>> But echo "passwd" | kinit Administrator simply resolves your problem.
>>>> There's no "abuse" of the homedir. The principle of Apache's userdir is
>>>> to give users the ability to create web pages in their homedir and to
>>>> test them with Apache in an unprivileged manner and without losing the
>>>> private side of their homedir.
>>>>
>>>>> And for the users/website data.
>>>>>
>>>>> When you set a layout like this:
>>>>> /var/www/domain/site/
>>>>> Add on the domain, for example, an AD group with write rights,
>>>>> like "Domain website Admins", and give these full control.
>>>>> And something like "Site Admins" for a website, inheriting the one
>>>>> before.
>>>>> No hassle with keytabs, changing owner/group.
>>>>> Besides, if you want to do that, look at mod_ruid, which allows running
>>>>> an apache vhost as a user.
>>>>> But it's what you want.
>>>> Thanks again,
>>>> Greetz,
>>>> Bruno
>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno
>>>>>> Macadré
>>>>>> Sent: Wednesday 3 August 2016 8:20
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>>>>>>
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I've already read this article, but I never found how to tell
>>>>>> apache to read this file... After some research, I think I need to
>>>>>> install mod_auth_krb5 to specify at least how to find this keytab
>>>>>> (even if I don't need Apache authentication against Kerberos).
>>>>>>
>>>>>> I will try this today and come back to say if it works!
>>>>>>
>>>>>> In fact I'm stuck between my two problems (root access to Kerberised
>>>>>> NFS share / www-data access to userdir into a Kerberised NFS share),
>>>>>> contrary to what I thought, it's the root access that is the more
>>>>>> difficult to resolve...
>>>>>>
>>>>>> Thanks Rowland,
>>>>>> Greetz,
>>>>>> Bruno
>>>>>>
>>>>>>
>>>>>> On 02/08/2016 at 18:20, Rowland Penny wrote:
>>>>>>> On Tue, 2 Aug 2016 17:05:37 +0200
>>>>>>> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>>>>>>>
>>>>>>>> It's ok.
>>>>>>>>
>>>>>>>> So, if I create an httpuser and an httpgroup in my AD and use these
>>>>>>>> as owner and group for my apache2 daemon, this one could access
>>>>>>>> userdirs (as long as permissions grant it)? But I need to cron
>>>>>>>> 'kinit' to keep a valid ticket...?
>>>>>>>>
>>>>>>>> My local root user still can't access the share, but my other
>>>>>>>> problem seems to be resolved.
>>>>>>>>
>>>>>>>>
>>>>>>> OK, I went and re-read your first post and I think you are going
>>>>>>> about this the wrong way. I did a quick google and found this:
>>>>>>>
>>>>>>> http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
>>>>>>>
>>>>>>> So to translate that into Samba:
>>>>>>>
>>>>>>> Create a user 'httpuser' with a random password:
>>>>>>>
>>>>>>> samba-tool user create --random-password httpuser
>>>>>>>
>>>>>>> Give the new user an SPN:
>>>>>>>
>>>>>>> samba-tool spn add HTTP/servername.your.realm.tld httpuser
>>>>>>>
>>>>>>> Where 'servername' is the short hostname of your machine running
>>>>>>> Apache and 'your.realm.tld' is (obviously) your dns/realm name
>>>>>>>
>>>>>>> Now export the keytab:
>>>>>>>
>>>>>>> samba-tool domain exportkeytab /root/httpd.keytab
>>>>>>> --principal=HTTP/servername.your.realm.tld at YOUR.REALM.TLD
>>>>>>>
>>>>>>> copy the keytab to the machine running Apache and allow www-data to
>>>>>>> read the keytab.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> --
>>>>
>>>> Bruno MACADRE
>>>> -------------------------------------------------------------------
>>>>     Ingénieur Systèmes et Réseau     | Systems and Network Engineer
>>>>     Département Informatique         | Department of computer science
>>>>     Responsable Info SER             | SER IT Manager
>>>>     Université de Rouen              | University of Rouen
>>>> -------------------------------------------------------------------
>>>> Coordonnées / Contact :
>>>> 	Université de Rouen
>>>> 	Faculté des Sciences et Techniques - Madrillet
>>>> 	Avenue de l'Université
>>>> 	CS 70012
>>>> 	76801 St Etienne du Rouvray CEDEX
>>>> 	FRANCE
>>>>
>>>> 	Tél : +33 (0)2-32-95-51-86
>>>> 	Mob : +33 (0)6-74-71-45-64
>>>> -------------------------------------------------------------------
>>>>
>>>>
>>>
>
>

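An added example, not from the thread and not Samba's or Apache's own code, of the cron job Louis suggests: it refreshes www-data's credential cache from the HTTP keytab that Rowland's samba-tool steps export, naming the HTTP/ principal explicitly, which is what avoids the "keytab contains no suitable keys for host/..." error Bruno hit (MIT kinit -k with no principal defaults to host/<fqdn>@REALM). The paths, realm, the constructed klist listing and the Linux-style hostname -f call are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): refresh www-data's ticket from the
# HTTP-only keytab, checking the keytab first. Assumptions: MIT Kerberos
# kinit/klist, 'hostname -f', and the paths/realm below (env overrides).
set -u

KEYTAB="${KEYTAB:-/etc/httpd/conf/keytab}"
REALM="${REALM:-EXAMPLE.COM}"
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_www-data}"

# Constructed 'klist -kt' output, used for the self-check below.
SAMPLE_LISTING='Keytab name: FILE:/etc/httpd/conf/keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   2 08/03/2016 10:22:00 HTTP/www.example.com@EXAMPLE.COM'

# Build the principal kinit must be told to use: without one, 'kinit -k'
# asks for host/<fqdn>@REALM, which an HTTP-only keytab cannot satisfy.
http_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Accept only an owner-only mode string as printed by 'ls -l' (chmod 400/600).
keytab_mode_ok() {
    case "$1" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a 'klist -kt' listing names the wanted principal (last column).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

refresh_ticket() {
    princ=$(http_principal "$(hostname -f)" "$REALM")
    mode=$(ls -l "$KEYTAB" | cut -c1-10)
    if ! keytab_mode_ok "$mode"; then
        echo "refusing $KEYTAB: mode $mode is not owner-only" >&2
        return 1
    fi
    if ! keytab_has_principal "$(klist -kt "$KEYTAB")" "$princ"; then
        echo "$princ is not in $KEYTAB; re-export it with samba-tool" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$princ" && klist -s   # klist -s: 1 if no valid TGT
}

# Only act when invoked as 'sh refresh.sh run' (e.g. from www-data's crontab).
if [ "${1:-}" = run ]; then refresh_ticket; fi
```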



