[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Luc Lalonde
luc.lalonde at polymtl.ca
Mon Feb 5 13:01:13 UTC 2018
Hello Kevin,
We have a Samba/Windows 2008 R2 domain that's been running a few years now.
Here are the details:
* clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis)
* idmap
* samba on clients/server for joining domain
We have scripts that automatically create users with UnixHomeDir, UID
and GUID numbers within AD.
I don't know about using Winbind... I dropped that option during
testing. I found it to be a flaky daemon. SSSD also had more options.
Here's a sanitized version of some of our config files:
########## /etc/auto.master #################################
/users /etc/auto.home_all --timeout=60
#############################################################
########## /etc/auto.home_all ###############################
* -fstype=nfs4,rw,sec=krb5 server.example.com:/&
#############################################################
########## begin client /etc/samba/smb.conf ##########################
[global]
workgroup = GIGL
realm = example.com
netbios name = workstation-name
security = ADS
password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
dedicated keytab file = /etc/krb5.keytab
########## end client /etc/samba/smb.conf ############################
########## begin server /etc/samba/smb.conf ##########################
[global]
workgroup = GIGL
realm = example.com
netbios name = SERVER
security = ADS
password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
dedicated keytab file = /etc/krb5.keytab
[homes]
comment = homes
read only = No
directory mask = 0700
force directory mode = 0700
create mask = 0600
force create mode = 0600
browseable = No
valid users = %S
follow symlinks = yes
########## end server /etc/samba/smb.conf ############################
############## begin /etc/krb5.conf ####################
[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
EXAMPLE.COM = {
default_domain = example.com
master_kdc = domserver1.example.com
kdc = domserver1.example.com
kdc = domserver2.example.com
admin_server = domserver1.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
subnet1.example.com = EXAMPLE.COM
.subnet1.example.com = EXAMPLE.COM
subnet2.example.com = EXAMPLE.COM
.subnet2.example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
krb4_convert = false
validate = true
}
############## end /etc/krb5.conf #####################
Here's the command that I run to generate the keytab on the nfs server
(after properly configuring '/etc/samba/smb.conf'):
#############
kinit Administrator@EXAMPLE.COM
rm -rf /etc/krb5.keytab
msktutil --delegation --dont-expire-password \
--no-pac --computer-name server \
--enctypes 0x1F -b "OU=Services" \
-k /etc/krb5.keytab -h server.example.com \
-s nfs/server.example.com \
--upn nfs/server.example.com --verbose
rm -rf /etc/krb5.keytab
net ads join -k -UAdministrator
#############
Also, don't forget that you need the 'ServicePrincipalNames' enabled for
your NFS service. I don't know the command on Samba, but here's the
command on Windows2008R2 (I keep these in the OU=Services):
#############
setspn -A nfs/server.example.com server
setspn -A nfs/server server
setspn -L server
Registered ServicePrincipalNames for
CN=server,OU=Services,DC=example,DC=com:
nfs/server
nfs/server.example.com
HOST/server.example.com
HOST/server
#############
And on the client:
#############
kinit Administrator@EXAMPLE.COM
rm -rf /etc/krb5.keytab
msktutil --server domserver1.example.com --delegation \
--dont-expire-password --no-pac --computer-name workstation-client-nfs \
--enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
-h workstation-client.example.com \
-s nfs/workstation-client.example.com \
--upn nfs/workstation-client.example.com --verbose
#############
There are more details... too much to put in this email. Hopefully, this
can get you on the right path. Maybe I should take the time to
document this on the Samba Wiki.
Bye.
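Two things in this exchange are worth checking mechanically after the msktutil run: the realm in the keytab must be upper case (Ken's client-side mistake), and `--enctypes 0x1F` enables DES and RC4 as well as AES, which is why `allow_weak_crypto = true` is in the krb5.conf above. The bash script below is an added example, not from the thread; it decodes an msktutil `--enctypes` mask and checks a `klist -kte` listing for the nfs/ principal. The listing is constructed sample text.

```bash
#!/bin/bash
# Added example, not from the thread. The klist listing below is constructed.

# Decode the msDS-SupportedEncryptionTypes bitmask given to msktutil --enctypes.
# 0x1F (used above) enables DES and RC4 as well as AES; 0x18 is AES only.
decode_enctypes() {
    mask=$(( $1 ))
    [ $(( mask & 0x01 )) -ne 0 ] && echo "des-cbc-crc WEAK"
    [ $(( mask & 0x02 )) -ne 0 ] && echo "des-cbc-md5 WEAK"
    [ $(( mask & 0x04 )) -ne 0 ] && echo "rc4-hmac WEAK"
    [ $(( mask & 0x08 )) -ne 0 ] && echo "aes128-cts-hmac-sha1-96"
    [ $(( mask & 0x10 )) -ne 0 ] && echo "aes256-cts-hmac-sha1-96"
    return 0
}

# Check a 'klist -kte' listing ($1) for the NFS principal of host $2 in realm $3.
# Fails if the realm is not upper case, if nfs/<host>@<REALM> is missing,
# or if that principal has no AES key (only DES/RC4).
check_keytab_listing() {
    listing=$1; host=$2; realm=$3
    case "$realm" in
        *[[:lower:]]*) echo "realm must be upper case: $realm"; return 1 ;;
    esac
    princ="nfs/$host@$realm"
    entries=$(printf '%s\n' "$listing" | grep -F "$princ" || true)
    if [ -z "$entries" ]; then
        echo "no $princ entry in keytab"; return 1
    fi
    if ! printf '%s\n' "$entries" | grep -q 'aes'; then
        echo "$princ has only weak (DES/RC4) keys"; return 1
    fi
    echo "keytab ok for $princ"
}

# Constructed listing in the format of 'klist -kte /etc/krb5.keytab'.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 02/05/18 08:00:00 nfs/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/05/18 08:00:00 nfs/server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/05/18 08:00:00 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

decode_enctypes 0x1F
check_keytab_listing "$SAMPLE_KEYTAB" server.example.com EXAMPLE.COM
```

On a real host replace SAMPLE_KEYTAB with `"$(klist -kte /etc/krb5.keytab)"`.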
On 2018-02-05 12:13 AM, Ken McDonald via samba wrote:
> I found one of my problems was that on the client, in the
> /etc/krb5.conf file, the domain name was in lower case. The one on the
> server was upper case. Upper case'ing the client one fixed my nfs4
> mount issue, but now I have another one.
>
> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
> recognize permissions. The mount directory is shown as owned by root
> and the group is 4294967294
>
> If I mount the export using nfs4 without krb5 it works as expected and
> the mount directory is owned by root and the group is from Samba AD as
> DOMAIN\group
>
> I suppose this has something to do with id mapping and a special
> requirement for nfs4 krb5. I have winbindd running, which of course is
> why my perms are working non-krb5.
>
> Help?
>
>
> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
>> Thanks Luc,
>>
>> First, can I just use the small /etc/krb5.conf suggested in Samba AD
>> docs or do I need something more substantial on the server & client
>> for Kerberos NFS to work?
>>
>> [libdefaults]
>> default_realm = SUBDOMAIN.DOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> I understand a /etc/krb5.keytab file has to be created on both server
>> & client. Most of the existing docs show commands to do this using a
>> real KDC, not Samba AD. If I try to use the kadmin tool, there's a
>> message about the krb5.conf being incomplete. I am able to use klist
>> and ktutil
>>
>> How do I generate the keytab file with the correct credentials?
>>
>> nfs/server at subdomain.domain.com
>>
>> nfs/client at subdomain.domain.com
>>
>> Are these created manually by adding some account in ADUC and then
>> use "samba-tool domain exportkeytab" to export the krb5.keytab file
>>
>> https://wiki.samba.org/index.php/Generating_Keytabs
>>
>> -Ken
>>
>>
>>
>> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>>> Hey Ken,
>>>
>>> We’re using AD as a Kerberos server for NFSv4 in our Linux labs to
>>> automount the students home directories.
>>>
>>> I can answer specific questions if you’ve got some.
>>>
>>> Cheers, Luc.
>>>
>>>
>>> Luc Lalonde, analyste
>>> -----------------------------
>>> Département de génie informatique:
>>> École polytechnique de MTL
>>> (514) 340-4711 x5049
>>> Luc.Lalonde at polymtl.ca
>>> -----------------------------
>>>
>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba
>>>> <samba at lists.samba.org> wrote:
>>>>
>>>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers
>>>> and then have clients connect to them?
>>>>
>>>> I have Ubuntu Server for the server and Linux Mint for clients. So
>>>> far, I've got a lot setup according to these instructions
>>>>
>>>> https://help.ubuntu.com/community/NFSv4Howto
>>>>
>>>> And seem to have adapted the keytab entries from using this Samba
>>>> AD info
>>>>
>>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>>
>>>> But I'm kind of stuck getting the actual mount to work on a client
>>>> side. I'll admit to never using Kerberos with NFS before and my
>>>> Samba AD knowledge is also fairly new (but I do have working Samba
>>>> AD for Windows and Linux client logins, group, POSIX & Win ACLs). I
>>>> can't seem to find good information or howto on implementing
>>>> NFSKerberos + SambaAD
>>>>
>>>> Before I post actual questions and logs, is this configuration even
>>>> possible?
>>>>
>>>>
>>>>
>>>
>>
>>
>
>