[Samba] Samba and kerberized NFSv4

L.P.H. van Belle belle at bazuin.nl
Fri Dec 2 12:54:51 UTC 2016



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Friday 2 December 2016 13:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and kerberized NFSv4
> 
> On Fri, 02 Dec 2016 12:44:04 +0100
> marcel at linux-ng.de wrote:
> 
> > On 2016-12-02 12:12, Rowland Penny via samba wrote:
> > > On Fri, 2 Dec 2016 11:05:50 +0100
> > > Matthias Kahle via samba <samba at lists.samba.org> wrote:
> > >
> > >> > Does it work if you manually add
> > >> > userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry
> > >> > and reexport the keytab?
> > >>
> > >> I already thought about trying that. So by now, I tried tweaking
> > >> the client's LDAP entry.
> > >>
> > >> Adding
> > >>
> > >>   userPrincipalName=CLIENT02.DOMAIN.TLD
> > >>
> > >> does not succeed, however, after reviewing the ldap filter once
> > >> again, I added
> > >>
> > >>   userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD
> > >>
> > >> to the workstation's account and finally, the mount does not
> > >> return an error anymore. I can't access anything on the
> > >> mounted share, but I guess that's OK for now, because the users'
> > >> home directories hosted there must not be accessible to the root
> > >> user at all.
> > >>
> > >> However, I don't expect that to be the right approach, not only
> > >> because it requires a userPrincipalName for a service but mainly
> > >> because I even have to add the Kerberos REALM ... or am I mistaken
> > >> there? (please bear with me if that sounds stupid, I'm still
> > >> somehow new to dealing with Kerberos)
> > >>
> > >> Regards,
> > >> Mathias
> > >>
> > >
> > > I don't normally use NFS, but I did try it out some time ago and I
> > > didn't do it the way everybody else seems to be trying.
> > > I created a user just for nfs and gave that a SPN 'nfs/FQDN', where
> > > 'FQDN' is the fully qualified name of the computer that is running
> > > the NFS server.
> > >
> > > This works for me, I just tried it again, mounting nfs shares from
> > > a DC on a domain member.
> > >
> > > Rowland
> >
> > Hi Rowland,
> >
> > I just wanted to make sure: Your DCs are Samba based?
> >
> > After mounting the nfs share, were you able to access files?
> >
> > Bye,
> >    Marcel
> 
> Yes, I only have Unix machines.
> 
> Yes, if I create a file in the mounted NFS share
> 
> rowland@devstation:~$ touch /home/SAMDOM/rowland/nfstest.txt
> 
> And then go to the share on the NFS server:
> 
> root@member1:~# ls -la /home/rowland/
> ........
> -rw-r--r--   1 SAMDOM\rowland SAMDOM\domain users    0 Dec  2 11:08
> nfstest.txt
> .......
> 
> I can open, read, write etc anything in my share
> 
>  Rowland
> 


And I can confirm this.

user@mem1:~$ touch testnfs.txt
user@mem1:~$ ls -la testnfs.txt

Now log in on the web server as user and
sudo su -
[sudo] password for user:
root@web1:~# cd /home/users/user
cd: /home/users/user: Permission denied

Even if I kinit Administrator, root cannot access the user dirs on the webserver.

! On the member server, YES, that's possible due to the ACL rights,
! which can be changed; I needed it on my member.

The difference between these two:
Mem1 is the server which has the nfs export and my user homedirs.
Web1 is my webserver.

My setup is based on info found here:

https://wiki.debian.org/NFS/Kerberos 
https://help.ubuntu.com/community/NFSv4Howto 
https://linux.die.net/man/5/idmapd.conf 

and for the mount at boot you need the systemd change.
The systemd change was only needed due to a bug.
I don't know if it still exists; I scripted my setup.

If you want, this is the script I used for my setup; it can be found here.
http://downloads.van-belle.nl/samba4/setup-nfs4-with-samba.sh

Read the script content, it explains itself.


Greetz, 

Louis
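The fix discussed in this thread hinges on the client's keytab holding exactly the nfs/<fqdn>@<REALM> principal that the server side expects. As an added example (not code from any poster, from Samba or from the linked script), here is a small Python check that parses a format 0x0502 MIT keytab and reports whether that principal is present; `build_keytab`, `SAMPLE_KEYTAB` and the client02.domain.tld / DOMAIN.TLD names are constructed for the demonstration, and on a real system you would read /etc/krb5.keytab instead.

```python
import struct

def _cstr(b: bytes) -> bytes:          # counted_octet_string: 16-bit BE length
    return struct.pack(">H", len(b)) + b

def build_keytab(principals, realm, kvno=2, enctype=18, key=b"\x00" * 32):
    """Encode principals (lists of name components) as a format 0x0502 keytab.
    Only used to construct sample input here; the key bytes are dummies."""
    out = b"\x05\x02"
    for comps in principals:
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno)          # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key)  # keyblock
        body += struct.pack(">I", kvno)                  # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data: bytes):
    """Yield 'comp/comp@REALM' for every live entry of a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:               # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        yield "/".join(comps) + "@" + realm
        pos = end                  # skip name_type, timestamp, keyblock, kvno

def has_nfs_principal(data: bytes, fqdn: str, realm: str) -> bool:
    """True when nfs/<fqdn>@<REALM> is in the keytab. Principal names are
    case-sensitive, so fqdn must match the SPN exactly as it was created."""
    return f"nfs/{fqdn}@{realm}" in set(keytab_principals(data))

# Constructed sample (not a real export): host/ and nfs/ entries for client02.
SAMPLE_KEYTAB = build_keytab([["host", "client02.domain.tld"], ["nfs", "client02.domain.tld"]], "DOMAIN.TLD")
```

`klist -k` prints the same principal list; the function form is handy when scripting the export step as Louis did, so a missing nfs/ entry fails the script instead of surfacing later as a mount error.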