[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

L.P.H. van Belle belle at bazuin.nl
Mon Feb 5 11:00:22 UTC 2018


Hi,

NFSv4 and Samba work fine, but there is a big BUT, and you have found it already.
> The nfs4 krb5 export mounts on the remote client, but doesn't seem to 
> recognize permissions. The mount directory is shown as owned by root and the group is 4294967294

Yes, the NFSv4 ACLs and the system ACLs over Kerberos don't match anymore.
This is a known problem and I don't know when it will be fixed.

At the moment I use this for the NFS server.

# Test all sec variable.
/exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

This gives the option to test all sec= settings.
Now if you use sys (not Kerberos), all rights work OK and you should have a 100% match.

I've tried one of the latest libnfsidmap releases and built it for Debian stretch.
http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt 
>  stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9 

The changelogs indicate that it should be fixed in 0.27, but it's not;
at least I did not get the correct ACLs with Kerberos mounts either.
The irritating thing is that it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there as well.

See also my message to Debian:
https://lists.debian.org/debian-kernel/2017/11/msg00079.html 


Now about the NFS keytab generation. (Use sys for now, that works fine.)
From: https://wiki.samba.org/index.php/Generating_Keytabs

samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$"
samba-tool spn add host/hostname.dom.tld@REALM "NETBIOSNAME\$"   # I don't use this one; IMO only needed when you use multiple REALMs.
samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab
Copy ~/nfs-hostname.keytab to the correct server. 

ktutil
rkt /etc/krb5.keytab
rkt ~/nfs-hostname.keytab
list    # i.e. check it
wkt /etc/krb5.keytab.NEW

stop samba/winbind
cp /etc/krb5.keytab{,.backup}
cp /etc/krb5.keytab.NEW /etc/krb5.keytab
Start samba/winbind

Give it a try


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ken
> McDonald via samba
> Sent: Monday, 5 February 2018 6:14
> To: samba
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos
> servers and clients
> 
> I found one of my problems was that on the client, in the 
> /etc/krb5.conf 
> file, the domain name was in lower case. The one on the 
> server was upper 
> case. Upper-casing the client one fixed my nfs4 mount
> issue, but now I 
> have another one.
> 
> The nfs4 krb5 export mounts on the remote client, but doesn't seem to 
> recognize permissions. The mount directory is shown as owned 
> by root and 
> the group is 4294967294
> 
> If I mount the export using nfs4 without krb5 it works as 
> expected and 
> the mount directory is owned by root and the group is from 
> Samba AD as 
> DOMAIN\group
> 
> I suppose this has something to do with id mapping and a special 
> requirement for nfs4 krb5. I have winbindd running, which of 
> course is 
> why my perms are working non-krb5.
> 
> Help?
> 
> 
> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
> > Thanks Luc,
> >
> > First, can I just use the small /etc/krb5.conf suggested in 
> Samba AD 
> > docs or do I need something more substantial on the server & client 
> > for Kerberos NFS to work?
> >
> > [libdefaults]
> >         default_realm = SUBDOMAIN.DOMAIN.COM
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > I understand a /etc/krb5.keytab file has to be created on 
> both server 
> > & client. Most of the existing docs show commands to do 
> this using a 
> > real KDC, not Samba AD. If I try to use the kadmin tool, there's a 
> > message about the krb5.conf being incomplete. I am able to 
> use klist 
> > and ktutil
> >
> > How do I generate the keytab file with the correct credentials?
> >
> > nfs/server@subdomain.domain.com
> >
> > nfs/client@subdomain.domain.com
> >
> > Are these created manually by adding some account in ADUC 
> and then use 
> > "samba-tool domain exportkeytab" to export the krb5.keytab file
> >
> > https://wiki.samba.org/index.php/Generating_Keytabs
> >
> > -Ken
> >
> >
> >
> > On 02/04/2018 06:29 PM, Luc Lalonde wrote:
> >> Hey Ken,
> >>
> >> We're using AD as a Kerberos server for NFSv4 in our Linux labs to
> >> automount the students home directories.
> >>
> >> I can answer specific questions if you've got some.
> >>
> >> Cheers, Luc.
> >>
> >>
> >> Luc Lalonde, analyste
> >> -----------------------------
> >> Département de génie informatique:
> >> École polytechnique de MTL
> >> (514) 340-4711 x5049
> >> Luc.Lalonde at polymtl.ca
> >> -----------------------------
> >>
> >>> On Feb 4, 2018, at 16:30, Ken McDonald via samba 
> >>> <samba at lists.samba.org> wrote:
> >>>
> >>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers
> >>> and then have clients connect to them?
> >>>
> >>> I have Ubuntu Server for the server and Linux Mint for 
> clients. So 
> >>> far, I've got a lot setup according to these instructions
> >>>
> >>> https://help.ubuntu.com/community/NFSv4Howto
> >>>
> >>> And seem to have adapted the keytab entries from using 
> this Samba AD 
> >>> info
> >>>
> >>> https://wiki.samba.org/index.php/Generating_Keytabs
> >>>
> >>> But I'm kind of stuck getting the actual mount to work on 
> a client 
> >>> side. I'll admit to never using Kerberos with NFS before and my 
> >>> Samba AD knowledge is also fairly new (but I do have 
> working Samba 
> >>> AD for Windows and Linux client logins, group, POSIX & 
> Win ACLs). I
> >>> can't seem to find good information or howto on implementing 
> >>> NFSKerberos + SambaAD
> >>>
> >>> Before I post actual questions and logs, is this 
> configuration even 
> >>> possible?
> >>>
> >>>
> >>> -- 
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >
> >
> 
> 