[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Ken McDonald ken at generation.tech
Mon Feb 5 13:10:18 UTC 2018


Thank you for your insightful response. It's a shame that once I figured 
this all out, I got to such a terminal problem. I suppose the NFS4 krb5 
remote mount ACL issue works OK with other, non-Samba-AD KDCs? Is 
that the core issue of this problem, the KDC portion?

My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server, 
set up Samba AD as the user/group directory and make a file server 
sharing to both Windows and Linux Mint clients using SMB and NFS4 
(encrypted) with POSIX & Windows ACLs for each style. I got that 
implementation to work quite well all the way down to the NFS4 Kerberos 
ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I 
suppose I'll have to deploy it that way for now; changing to the 
encrypted style should be no problem in the future.

Strangely, I did not run into the "Using the Domain Controller as a File 
Server" problem "Running shares with POSIX ACLs on a Samba DC is not 
supported" mentioned here:


I guess this works because my Linux clients connect through NFS and get 
POSIX ACLs that way (even though those POSIX ACLs are making use of 
Samba AD users/groups through winbindd, with "idmap config 
DOMAIN:backend = ad")?

Any other helpful comments by anyone for this particular Samba AD file 
server implementation would be appreciated. I think I'll make a full 
step-by-step writeup once I get all this working.


On 02/05/2018 06:00 AM, L.P.H. van Belle via samba wrote:
> Hi,
> NFSv4 and Samba work fine but there is a big BUT and you have found it already.
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
>> recognize permissions. The mount directory is shown as owned by root and the group is 4294967294
> Yes, the NFSv4 ACLs and system ACLs over Kerberos don't match anymore.
> This is a known problem and I don't know when it will be fixed.
> At the moment I use this for the NFS server.
> # Test all sec variable.
> /exports,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
> /exports/users,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> This gives the option to test all sec= settings.
> Now if you use sys (not Kerberos) all rights work OK and you should have a 100% match.
> I've tried with one of the latest libnfsidmap files and built it for Debian stretch.
> http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt
>>   stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9
> The changelogs indicate that it should be fixed with 0.27, but it's not;
> well, at least I did not get the correct ACLs with Kerberos mounts either.
> The irritating thing is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also.
> See also my message to debian:
> https://lists.debian.org/debian-kernel/2017/11/msg00079.html
> Now about the keytab nfs generation. ( use sys for now that works fine.)
>  From : https://wiki.samba.org/index.php/Generating_Keytabs
> samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$"
> samba-tool spn add host/hostname.dom.tld@REALM "NETBIOSNAME\$"  < I don't use this one, IMO only when you use multiple REALMS.
> samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab
> Copy ~/nfs-hostname.keytab to the correct server.
> ktutil
> rkt /etc/krb5.keytab
> rkt ~/nfs-hostname.keytab
> list   ... i.e. check it.
> wkt /etc/krb5.keytab.NEW
> stop samba/winbind
> cp /etc/krb5.keytab{,.backup}
> cp /etc/krb5.keytab.NEW /etc/krb5.keytab
> Start samba/winbind
> Give it a try
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ken
>> McDonald via samba
>> Sent: Monday 5 February 2018 6:14
>> To: samba
>> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos
>> servers and clients
>> I found one of my problems was that on the client, in the /etc/krb5.conf
>> file, the domain name was in lower case. The one on the server was upper
>> case. Upper-casing the client one fixed my nfs4 mount issue, but now I
>> have another one.
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
>> recognize permissions. The mount directory is shown as owned by root and
>> the group is 4294967294
>> If I mount the export using nfs4 without krb5 it works as expected and
>> the mount directory is owned by root and the group is from Samba AD as
>> DOMAIN\group
>> I suppose this has something to do with id mapping and a special
>> requirement for nfs4 krb5. I have winbindd running, which of course is
>> why my perms are working non-krb5.
>> Help?
>> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
>>> Thanks Luc,
>>> First, can I just use the small /etc/krb5.conf suggested in Samba AD
>>> docs or do I need something more substantial on the server & client
>>> for Kerberos NFS to work?
>>> [libdefaults]
>>>          default_realm = SUBDOMAIN.DOMAIN.COM
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>> I understand a /etc/krb5.keytab file has to be created on both server
>>> & client. Most of the existing docs show commands to do this using a
>>> real KDC, not Samba AD. If I try to use the kadmin tool, there's a
>>> message about the krb5.conf being incomplete. I am able to use klist
>>> and ktutil
>>> How do I generate the keytab file with the correct credentials?
>>> nfs/server@subdomain.domain.com
>>> nfs/client@subdomain.domain.com
>>> Are these created manually by adding some account in ADUC and then use
>>> "samba-tool domain exportkeytab" to export the krb5.keytab file
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>> -Ken
>>> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>>>> Hey Ken,
>>>> We're using AD as a Kerberos server for NFSv4 in our Linux labs to
>>>> automount the students' home directories.
>>>> I can answer specific questions if you've got some.
>>>> Cheers, Luc.
>>>> Luc Lalonde, analyste
>>>> -----------------------------
>>>> Département de génie informatique:
>>>> École polytechnique de MTL
>>>> (514) 340-4711 x5049
>>>> Luc.Lalonde at polymtl.ca
>>>> -----------------------------
>>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers
>>>>> and then have clients connect to them?
>>>>> I have Ubuntu Server for the server and Linux Mint for clients. So
>>>>> far, I've got a lot set up according to these instructions
>>>>> https://help.ubuntu.com/community/NFSv4Howto
>>>>> And seem to have adapted the keytab entries from using this Samba AD
>>>>> info
>>>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>>> But I'm kind of stuck getting the actual mount to work on a client
>>>>> side. I'll admit to never using Kerberos with NFS before and my
>>>>> Samba AD knowledge is also fairly new (but I do have working Samba
>>>>> AD for Windows and Linux client logins, group, POSIX & Win ACLs). I
>>>>> can't seem to find good information or howto on implementing
>>>>> NFS Kerberos + Samba AD
>>>>> Before I post actual questions and logs, is this configuration even
>>>>> possible?
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
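As an added example (not code from the thread, from Samba or from any of the posters), the shell functions below are the pre-flight checks I would run before retrying a krb5 mount in this setup: the realm-case mismatch Ken found in the client's /etc/krb5.conf, the 4294967294 group id on the mount (that value is (uint32)-2, the id the NFSv4 client substitutes when it cannot map an owner or group name to a local id, so seeing it on a krb5 mount points at name mapping rather than the mount itself), and the ktutil merge sequence Louis posted, emitted as a command script so it can be reviewed before it touches /etc/krb5.keytab. The sample krb5.conf contents and the path /root/nfs-hostname.keytab are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an NFSv4 krb5 mount
# against a Samba AD KDC. Assumes POSIX sh and awk; MIT ktutil is only needed by
# merge_nfs_keytab, the single function that changes system state.

# Print default_realm from the [libdefaults] section of a krb5.conf file ($1).
krb5_default_realm() {
    awk -F= '
        /^[ \t]*\[/ { insect = ($0 ~ /\[libdefaults\]/); next }
        insect && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Kerberos realm names are case-sensitive and AD realms are upper case, so a
# lower-case realm on the client asks the KDC for a principal it does not know.
# Succeed only for a non-empty, all-upper-case realm.
realm_is_upper() {
    case "$1" in
        "")      return 1 ;;
        *[a-z]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Server ($1) and client ($2) krb5.conf must name the same realm, byte for byte,
# and that realm must be upper case.
check_realms() {
    srv=$(krb5_default_realm "$1")
    cli=$(krb5_default_realm "$2")
    if [ "$srv" != "$cli" ]; then
        echo "realm mismatch: server='$srv' client='$cli'" >&2
        return 1
    fi
    realm_is_upper "$srv" || { echo "realm '$srv' is not upper case" >&2; return 1; }
}

# 4294967294 is (uint32)-2: the id the NFSv4 client substitutes when mapping an
# owner/group string to a local id fails (assumed fixed marker for this check).
is_unmapped_nfs_id() {
    [ "$1" = "4294967294" ]
}

# The ktutil session from the thread as a command script: read the existing
# keytab ($1) and the exported nfs/ keytab ($2), list the entries, write the
# merged result to $3. Emitting it lets you inspect the commands before they run.
ktutil_merge_commands() {
    printf 'rkt %s\nrkt %s\nlist\nwkt %s\nquit\n' "$1" "$2" "$3"
}

# Perform the merge for real (needs root and MIT ktutil; stop samba/winbind
# first as the thread advises). Not exercised by the test.
merge_nfs_keytab() {
    exported=$1
    ktutil_merge_commands /etc/krb5.keytab "$exported" /etc/krb5.keytab.NEW | ktutil || return 1
    cp /etc/krb5.keytab /etc/krb5.keytab.backup
    cp /etc/krb5.keytab.NEW /etc/krb5.keytab
    chmod 600 /etc/krb5.keytab
}
```

Typical use is `check_realms /path/to/server-krb5.conf /path/to/client-krb5.conf` before mounting, `stat -c %g /mnt/export | xargs sh -c 'is_unmapped_nfs_id "$0"'` after mounting to tell a mapping failure from a permissions problem, and `ktutil_merge_commands ... | less` to eyeball the merge before `merge_nfs_keytab /root/nfs-hostname.keytab` runs it.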
