[Samba] Samba server with NFSV4/kerberos

Orion Poplawski orion at cora.nwra.com
Fri May 12 14:52:37 UTC 2017


We have a samba server that we would like to share a directory that is nfs4
sec=krb5 mounted from another machine.  However, the user has no kerberos
ticket on the samba server and so their smbd process cannot access the nfs
mount.  If the samba server process took the user's kerberos ticket and put it
where rpc.gssd could find it, then it would have access.

On 05/12/2017 03:47 AM, L.P.H. van Belle wrote:
> Hai, 
> 
> May I ask what the problem is? Tried to understand it from reading the thread, but I can't figure that out.
> On my debian ( samba 4.6.3 ), I use kerberos and nfsv4 almost everywhere.
> And I do reuse my client tickets.
> 
> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_Ki1hjqMDNM
> Default principal: username at MY_REALM
> 
> Valid starting       Expires              Service principal
> 05/12/2017 09:53:19  05/12/2017 18:06:28  krbtgt/MY_REALM at MY_REALM
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld at MY_REALM
>         renew until 05/19/2017 08:06:28
> 		
> Or is this not what you are looking for?
> 
> Greetz, 
> 
> Louis
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Orion Poplawski via samba
>> Sent: Wednesday 10 May 2017 21:43
>> To: samba at lists.samba.org; Jeremy Allison
>> Subject: Re: [Samba] Samba server with NFSV4/kerberos
>>
>>> I have some code that does this I gave to a (large) user site to test.
>>> It took a forwarded ticket from the Windows client and saved it in the
>>> /tmp/krb5cc_XXXXX file so that the NFS client redirector on Linux
>>> could use it.
>>>
>>> I got it to work in testing, but never got good feedback from the 
>>> users so didn't finish it up.
>>>
>>> I can dig it out again and forward port to 4.x if you like ?
>>>
>>> Jeremy.
>>
>> I would be very much interested in this if this is still around.
>>


-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
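
The thread turns on ticket caches saved as /tmp/krb5cc_XXXXX files for rpc.gssd to pick up. The following is an added example, not code from the thread or from Samba: a Python sketch of how such a cache can be created privately in a shared directory and how existing candidates can be audited. It assumes the file-based lookup described above (files named krb5cc_* in /tmp, owned by the user's UID); the function names are hypothetical.

```python
import os
import stat

def create_private(path, data):
    """Create a cache file that cannot pre-exist and is never group/other readable."""
    # O_EXCL refuses a file or symlink someone else planted at this name in /tmp.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def audit_ccaches(uid, search_dir="/tmp", prefix="krb5cc_"):
    """Return (usable, findings) for FILE: credential caches in search_dir.

    usable   -- regular files owned by uid with no group/other permission bits
    findings -- (path, reason) pairs for candidates that should not be trusted
    """
    usable, findings = [], []
    for name in sorted(os.listdir(search_dir)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(search_dir, name)
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            continue  # removed between listdir() and lstat()
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
        elif st.st_uid != uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
        elif mode & 0o077:
            findings.append((path, "group/other access: %04o" % mode))
        else:
            usable.append(path)
    return usable, findings

if __name__ == "__main__":
    ok, bad = audit_ccaches(os.getuid())
    for p in ok:
        print("usable :", p)
    for p, why in bad:
        print("reject :", p, "(" + why + ")")
```
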


