[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Ken McDonald ken at generation.tech
Mon Feb 5 05:13:34 UTC 2018


I found one of my problems was that on the client, in the /etc/krb5.conf 
file, the domain name was in lower case. The one on the server was upper 
case. Upper-casing the client one fixed my nfs4 mount issue, but now I 
have another one.

The nfs4 krb5 export mounts on the remote client, but doesn't seem to 
recognize permissions. The mount directory is shown as owned by root and 
the group is 4294967294

If I mount the export using nfs4 without krb5 it works as expected and 
the mount directory is owned by root and the group is from Samba AD as 
DOMAIN\group

I suppose this has something to do with id mapping and a special 
requirement for nfs4 krb5. I have winbindd running, which of course is 
why my perms are working non-krb5.

Help?


On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
> Thanks Luc,
>
> First, can I just use the small /etc/krb5.conf suggested in Samba AD 
> docs or do I need something more substantial on the server & client 
> for Kerberos NFS to work?
>
> [libdefaults]
>         default_realm = SUBDOMAIN.DOMAIN.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> I understand a /etc/krb5.keytab file has to be created on both server 
> & client. Most of the existing docs show commands to do this using a 
> real KDC, not Samba AD. If I try to use the kadmin tool, there's a 
> message about the krb5.conf being incomplete. I am able to use klist 
> and ktutil
>
> How do I generate the keytab file with the correct credentials?
>
> nfs/server@subdomain.domain.com
>
> nfs/client@subdomain.domain.com
>
> Are these created manually by adding some account in ADUC and then use 
> "samba-tool domain exportkeytab" to export the krb5.keytab file
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> -Ken
>
>
>
> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>> Hey Ken,
>>
>> We’re using AD as a Kerberos server for NFSv4 in our Linux labs to 
>> automount the students home directories.
>>
>> I can answer specific questions if you’ve got some.
>>
>> Cheers, Luc.
>>
>>
>> Luc Lalonde, analyste
>> -----------------------------
>> Département de génie informatique:
>> École polytechnique de MTL
>> (514) 340-4711 x5049
>> Luc.Lalonde at polymtl.ca
>> -----------------------------
>>
>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba 
>>> <samba at lists.samba.org> wrote:
>>>
>>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers 
>>> and then have clients connect to them?
>>>
>>> I have Ubuntu Server for the server and Linux Mint for clients. So 
>>> far, I've got a lot setup according to these instructions
>>>
>>> https://help.ubuntu.com/community/NFSv4Howto
>>>
>>> And seem to have adapted the keytab entries from using this Samba AD 
>>> info
>>>
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> But I'm kind of stuck getting the actual mount to work on a client 
>>> side. I'll admit to never using Kerberos with NFS before and my 
>>> Samba AD knowledge is also fairly new (but I do have working Samba 
>>> AD for Windows and Linux client logins, group, POSIX & Win ACLs). I 
>>> can't seem to find good information or howto on implementing 
>>> NFSKerberos + SambaAD
>>>
>>> Before I post actual questions and logs, is this configuration even 
>>> possible?
>>>
>>>
>>>
>>
>
>
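The three things this thread keeps circling (realm case in krb5.conf, creating the nfs/ service principals and exporting a keytab from Samba AD, and the group showing up as 4294967294 only under sec=krb5) fit in one small script. What follows is an added example, not something posted in the thread or part of Samba or nfs-utils. It assumes the host names server.subdomain.domain.com and client.subdomain.domain.com, the realm SUBDOMAIN.DOMAIN.COM, a throwaway AD account name nfs-server, and the usual paths /etc/krb5.conf and /etc/idmapd.conf; all of those are assumptions. The samba-tool commands are real subcommands (user create, user setexpiry, spn add, domain exportkeytab) but are only run on a DC when the script is invoked with the `keytab` argument, so the check functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: server.subdomain.domain.com,
# SUBDOMAIN.DOMAIN.COM, account nfs-server, /etc/krb5.conf, /etc/idmapd.conf.

# --- 1. Realm case -----------------------------------------------------------
# Kerberos realm names are case-sensitive: "subdomain.domain.com" and
# "SUBDOMAIN.DOMAIN.COM" are different realms, so a client with the lower-case
# default_realm asks for tickets the server's keytab cannot decrypt.
krb5_default_realm() {
    # Print the first default_realm value found in a krb5.conf-style file.
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

realm_is_upper() {
    r=$(krb5_default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# --- 2. The 4294967294 group -------------------------------------------------
# 4294967294 is 2^32-2, i.e. (gid_t)-2: the id the Linux NFSv4 client falls
# back to when it cannot map an owner string. With sec=sys the client passes
# numeric ids straight through (idmapping is disabled by default), which is
# why winbind makes that case "just work"; with sec=krb5 owners travel as
# name@nfsv4domain and are resolved by nfsidmap/rpc.idmapd, so the Domain in
# /etc/idmapd.conf must match on both ends and the name must resolve via
# nsswitch (winbind) on the client too.
is_unmapped_id() {
    [ "$1" = "4294967294" ] || [ "$1" = "65534" ]
}

idmap_domain() {
    # Print the Domain setting from an idmapd.conf-style file.
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

idmap_domains_match() {
    a=$(idmap_domain "$1"); b=$(idmap_domain "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- 3. Service principal and keytab from Samba AD ---------------------------
nfs_principal() {
    # $1 = FQDN of the NFS host, $2 = realm (upper case)
    printf 'nfs/%s@%s\n' "$1" "$2"
}

make_nfs_keytab() {
    # Run on a Samba AD DC. $1 = FQDN, $2 = realm, $3 = AD account, $4 = output keytab.
    # The account only exists to carry the SPN; the exported keytab is what the
    # NFS host needs in /etc/krb5.keytab (copy it there, mode 0600, root-owned).
    host=$1; realm=$2; account=$3; keytab=$4
    samba-tool user create "$account" --random-password
    samba-tool user setexpiry "$account" --noexpiry
    samba-tool spn add "nfs/$host" "$account"
    samba-tool domain exportkeytab "$keytab" --principal="$(nfs_principal "$host" "$realm")"
}

# --- Stand-alone use ---------------------------------------------------------
case "${1:-}" in
    check)
        realm_is_upper /etc/krb5.conf || echo "default_realm in /etc/krb5.conf is not upper case"
        echo "idmapd Domain: $(idmap_domain /etc/idmapd.conf)"
        ;;
    keytab)
        # e.g. ./nfs-krb5.sh keytab server.subdomain.domain.com SUBDOMAIN.DOMAIN.COM nfs-server /tmp/nfs-server.keytab
        make_nfs_keytab "$2" "$3" "$4" "$5"
        ;;
esac
```

After the keytab is in place, `klist -k /etc/krb5.keytab` on the NFS server should list nfs/server.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM, and `nfsidmap -d` on the client prints the NFSv4 domain the mapper will actually use, which is the value to compare against the server's.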
