[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 5 11:00:22 UTC 2018
Hai,
NFSv4 and Samba work fine, but there is a big BUT and you have found it already.
> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
> recognize permissions. The mount directory is shown as owned by root and the group is 4294967294
Yes, the NFSv4 ACLs and the system ACLs over Kerberos don't match anymore.
This is a known problem and I don't know when it will be fixed.
I use this at the moment for the NFS server.
# Test all sec variable.
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
This gives the option to test all sec= settings.
Now if you use sys (not Kerberos) all rights work OK and you should have a 100% match.
I've tried with one of the latest libnfsidmap files and built it for Debian stretch.
http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt
> stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9
The changelogs indicate that it should be fixed with 0.27, but it's not,
well, at least I did not get the correct ACLs with Kerberos mounts either.
The irritating thing is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also.
See also my message to debian:
https://lists.debian.org/debian-kernel/2017/11/msg00079.html
Now about the NFS keytab generation. (Use sys for now, that works fine.)
From: https://wiki.samba.org/index.php/Generating_Keytabs
samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$"
samba-tool spn add host/hostname.dom.tld@REALM "NETBIOSNAME\$" < I don't use this one, IMO only when you use multiple REALMs.
samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab
Copy ~/nfs-hostname.keytab to the correct server.
ktutil
rkt /etc/krb5.keytab
rkt ~/nfs-hostname.keytab
list (aka check it: the entries of both keytabs should show up)
wkt /etc/krb5.keytab.NEW
Stop samba/winbind
cp /etc/krb5.keytab{,.backup}
cp /etc/krb5.keytab.NEW /etc/krb5.keytab
Start samba/winbind
Give it a try
Greetz,
Louis
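A small pre-flight check for the setup discussed in this thread, added here as an example and not part of Louis's message or of any Samba or NFS tool: it parses the sec= flavours offered by each export line, flags the lower-case default_realm that broke Ken's mount, and recognises the 4294967294 owner/group id as the kernel's "nobody" fallback when NFSv4 id mapping fails. The exports and krb5.conf contents are constructed inline (the exports lines follow Louis's layout).

```python
import re

# Constructed sample /etc/exports: Louis's two lines plus one export without sec=.
EXPORTS = """\
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/exports/scratch 192.168.0.0/24(rw,sync,no_subtree_check)
"""
# Constructed client krb5.conf with the lower-case realm that broke Ken's mount.
KRB5_CONF = """\
[libdefaults]
default_realm = subdomain.domain.com
dns_lookup_realm = false
dns_lookup_kdc = true
"""
NOBODY_ID = 4294967294  # (uint32)-2: the "nobody" owner shown when NFSv4 id mapping fails


def parse_exports(text):
    """Return {path: {client: [sec flavours]}}; sec defaults to ['sys'] when absent."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        result[path] = {}
        for spec in clients:
            m = re.fullmatch(r"([^(]+)\(([^)]*)\)", spec)
            client, opts = (m.group(1), m.group(2)) if m else (spec, "")
            # take the last sec= option; no sec= at all means AUTH_SYS only
            secs = [o[4:].split(":") for o in opts.split(",") if o.startswith("sec=")]
            result[path][client] = secs[-1] if secs else ["sys"]
    return result


def realm_problems(text):
    """Kerberos realms are case-sensitive: flag a default_realm that is not upper case."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if not m:
        return ["default_realm missing from [libdefaults]"]
    realm = m.group(1)
    return [] if realm == realm.upper() else [f"default_realm {realm!r} should be {realm.upper()!r}"]


def idmap_diagnosis(uid, gid):
    """Interpret the owner a client sees on the krb5 mount point (e.g. from os.stat)."""
    if NOBODY_ID in (uid, gid):
        return "id mapping failed: owner or group fell back to nobody"
    return "ok"
```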
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ken McDonald via samba
> Sent: Monday 5 February 2018 6:14
> To: samba
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients
>
> I found one of my problems was that on the client, in the /etc/krb5.conf
> file, the domain name was in lower case. The one on the server was upper
> case. Upper-casing the client one fixed my nfs4 mount issue, but now I
> have another one.
>
> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
> recognize permissions. The mount directory is shown as owned by root and
> the group is 4294967294
>
> If I mount the export using nfs4 without krb5 it works as expected and
> the mount directory is owned by root and the group is from Samba AD as
> DOMAIN\group
>
> I suppose this has something to do with id mapping and a special
> requirement for nfs4 krb5. I have winbindd running, which of course is
> why my perms are working non-krb5.
>
> Help?
>
>
> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
> > Thanks Luc,
> >
> > First, can I just use the small /etc/krb5.conf suggested in Samba AD
> > docs or do I need something more substantial on the server & client
> > for Kerberos NFS to work?
> >
> > [libdefaults]
> > default_realm = SUBDOMAIN.DOMAIN.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > I understand a /etc/krb5.keytab file has to be created on both server
> > & client. Most of the existing docs show commands to do this using a
> > real KDC, not Samba AD. If I try to use the kadmin tool, there's a
> > message about the krb5.conf being incomplete. I am able to use klist
> > and ktutil.
> >
> > How do I generate the keytab file with the correct credentials?
> >
> > nfs/server@subdomain.domain.com
> >
> > nfs/client@subdomain.domain.com
> >
> > Are these created manually by adding some account in ADUC and then
> > using "samba-tool domain exportkeytab" to export the krb5.keytab file?
> >
> > https://wiki.samba.org/index.php/Generating_Keytabs
> >
> > -Ken
> >
> >
> >
> > On 02/04/2018 06:29 PM, Luc Lalonde wrote:
> >> Hey Ken,
> >>
> >> We're using AD as a Kerberos server for NFSv4 in our Linux labs to
> >> automount the students home directories.
> >>
> >> I can answer specific questions if you've got some.
> >>
> >> Cheers, Luc.
> >>
> >>
> >> Luc Lalonde, analyste
> >> -----------------------------
> >> Département de génie informatique:
> >> École polytechnique de MTL
> >> (514) 340-4711 x5049
> >> Luc.Lalonde at polymtl.ca
> >> -----------------------------
> >>
> >>> On Feb 4, 2018, at 16:30, Ken McDonald via samba
> >>> <samba at lists.samba.org> wrote:
> >>>
> >>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers
> >>> and then have clients connect to them?
> >>>
> >>> I have Ubuntu Server for the server and Linux Mint for clients. So
> >>> far, I've got a lot set up according to these instructions
> >>>
> >>> https://help.ubuntu.com/community/NFSv4Howto
> >>>
> >>> And seem to have adapted the keytab entries from using this Samba AD
> >>> info
> >>>
> >>> https://wiki.samba.org/index.php/Generating_Keytabs
> >>>
> >>> But I'm kind of stuck getting the actual mount to work on a client
> >>> side. I'll admit to never using Kerberos with NFS before and my
> >>> Samba AD knowledge is also fairly new (but I do have working Samba
> >>> AD for Windows and Linux client logins, group, POSIX & Win ACLs). I
> >>> can't seem to find good information or howto on implementing
> >>> NFSKerberos + SambaAD
> >>>
> >>> Before I post actual questions and logs, is this configuration even
> >>> possible?
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >
> >
>
>