[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Ken McDonald ken at generation.tech
Mon Feb 5 13:21:57 UTC 2018


Hi Kevin,

Thanks for your detailed reply. Just to confirm details of your overall 
implementation:

1) You are using a non-Samba AD LDAP/Kerberos directory as your main 
source of users/groups? (the LDAP server configuration is not shown here)

2) Through some nifty scripts you synchronize users between that LDAP 
server and Samba AD? (because as I understand it, Samba AD will not use 
an external LDAP server)

3) Is NFS also used to export file shares, or are your Linux clients 
mounting SMB shares?

4) If NFS, would you post your server /etc/exports and client mount command?

Thanks for the assistance. It's been a while since I considered using 
Samba at customer sites (because the NT4 style was limited and required 
manual registry entries to reduce security on modern Windows OSes in 
order to join the domain). Now I think with a little effort I can fully 
deploy Samba AD as an alternative to native Windows AD and realize the 
cost savings for customers. Also I find the AD tools and AD server 
software (whether Windows AD or Samba AD) much easier to work with than 
a Linux LDAP server. I never liked the fact that there seemed to be few 
GUI tools for Linux LDAP besides paid versions or Apache Studio, which 
required Java...

-Ken



On 02/05/2018 08:01 AM, Luc Lalonde wrote:
>
> Hello Kevin,
>
> We have a Samba/Windows 2008 R2 domain that's been running a few years 
> now.
>
> Here are the details:
>
>   * clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis)
>   * idmap
>   * samba on clients/server for joining domain
>
> We have scripts that automatically create users with UnixHomeDir, UID 
> and GUID numbers within AD.
>
> I don't know about using Winbind... I dropped that option during 
> testing. I found it to be a flaky daemon. SSSD also had more options.
>
> Here's a sanitized version of some config files:
>
> ########## /etc/auto.master #################################
> /users          /etc/auto.home_all --timeout=60
> #############################################################
>
> ########## /etc/auto.home_all ###############################
> *    -fstype=nfs4,rw,sec=krb5      server.example.com:/&
> #############################################################
>
> ########## begin client /etc/samba/smb.conf ##########################
> [global]
>    workgroup = GIGL
>    realm = example.com
>    netbios name = workstation-name
>    security = ADS
>    password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
>    client signing = yes
>    client use spnego = yes
>    kerberos method = secrets and keytab
>    log file = /var/log/samba/%m.log
>    dedicated keytab file = /etc/krb5.keytab
> ########## end client /etc/samba/smb.conf ############################
>
> ########## begin server /etc/samba/smb.conf ##########################
> [global]
>    workgroup = GIGL
>    realm = example.com
>    netbios name = SERVER
>    security = ADS
>    password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
>    client signing = yes
>    client use spnego = yes
>    kerberos method = secrets and keytab
>    log file = /var/log/samba/%m.log
>    dedicated keytab file = /etc/krb5.keytab
>
> [homes]
>         comment = homes
>         read only = No
>         directory mask = 0700
>         force directory mode = 0700
>         create mask = 0600
>         force create mode = 0600
>         browseable = No
>         valid users = %S
>         follow symlinks = yes
> ########## end server /etc/samba/smb.conf ############################
>
> ############## begin /etc/krb5.conf ####################
> [logging]
>  default = SYSLOG:INFO:DAEMON
>  kdc = SYSLOG:INFO:DAEMON
>  admin_server = SYSLOG:INFO:DAEMON
>
> [libdefaults]
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 10h
>  renew_lifetime = 7d
>  forwardable = true
>  # allow_weak_crypto is only needed for the single-DES keys that --enctypes 0x1F issues
>  allow_weak_crypto = true
>
> [realms]
>  EXAMPLE.COM = {
>    default_domain = example.com
>    master_kdc= domserver1.example.com
>    kdc=domserver1.example.com
>    kdc=domserver2.example.com
>    admin_server=domserver1.example.com
>  }
>
> [domain_realm]
>  example.com = EXAMPLE.COM
>  subnet1.example.com = EXAMPLE.COM
>  .subnet1.example.com = EXAMPLE.COM
>  subnet2.example.com = EXAMPLE.COM
>  .subnet2.example.com = EXAMPLE.COM
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 10h
>    renew_lifetime = 7d
>    forwardable = true
>    krb4_convert = false
>    validate = true
>  }
> ############## end /etc/krb5.conf #####################
>
> Here's the command that I run to generate the keytab on the NFS server 
> (after properly configuring '/etc/samba/smb.conf'):
>
> #############
> kinit Administrator@EXAMPLE.COM
> rm -rf /etc/krb5.keytab;
> # --enctypes 0x1F = DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC | AES128 | AES256
> # (0x18 would issue AES keys only)
> msktutil --delegation --dont-expire-password \
> --no-pac --computer-name server \
> --enctypes 0x1F -b "OU=Services" \
> -k /etc/krb5.keytab -h server.example.com \
> -s nfs/server.example.com \
> --upn nfs/server.example.com  --verbose
>
> rm -rf /etc/krb5.keytab
> net ads join -k -UAdministrator
> #############
>
> Also, don't forget that you need the 'ServicePrincipalNames' enabled 
> for your NFS service.  I don't know the command on Samba, but here's 
> the command on Windows2008R2 (I keep these in the OU=Services):
>
> #############
>
> setspn -A nfs/server.example.com example
> setspn -A nfs/server server
> setspn -L server
> Registered ServicePrincipalNames for 
> CN=server,OU=Services,DC=example,DC=com:
>         nfs/server
>         nfs/server.example.com
>         HOST/server.example.com
>         HOST/server
>
> #############
>
>
> And on the client:
>
> #############
> kinit Administrator@EXAMPLE.COM
> rm -rf /etc/krb5.keytab;
> msktutil --server domserver1.example.com --delegation \
> --dont-expire-password --no-pac --computer-name workstation-client-nfs \
> --enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
> -h workstation-client.example.com \
> -s nfs/workstation-client.example.com \
> --upn nfs/workstation-client.example.com  --verbose
> #############
>
> There are more details... too much to put in this email. Hopefully, 
> this can get you on the right path.   Maybe I should take the time to 
> document this on the Samba Wiki.
>
> Bye.
>
> On 2018-02-05 12:13 AM, Ken McDonald via samba wrote:
>> I found one of my problems was that on the client, in the 
>> /etc/krb5.conf file, the domain name was in lower case. The one on 
>> the server was upper case. Upper-casing the client one fixed my 
>> nfs4 mount issue, but now I have another one.
>>
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to 
>> recognize permissions. The mount directory is shown as owned by root 
>> and the group is 4294967294
>>
>> If I mount the export using nfs4 without krb5 it works as expected 
>> and the mount directory is owned by root and the group is from Samba 
>> AD as DOMAIN\group
>>
>> I suppose this has something to do with id mapping and a special 
>> requirement for nfs4 krb5. I have winbindd running, which of course 
>> is why my perms are working non-krb5.
>>
>> Help?
>>
>>
>> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
>>> Thanks Luc,
>>>
>>> First, can I just use the small /etc/krb5.conf suggested in Samba AD 
>>> docs or do I need something more substantial on the server & client 
>>> for Kerberos NFS to work?
>>>
>>> [libdefaults]
>>>         default_realm = SUBDOMAIN.DOMAIN.COM
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>
>>> I understand a /etc/krb5.keytab file has to be created on both 
>>> server & client. Most of the existing docs show commands to do this 
>>> using a real KDC, not Samba AD. If I try to use the kadmin tool, 
>>> there's a message about the krb5.conf being incomplete. I am able to 
>>> use klist and ktutil
>>>
>>> How do I generate the keytab file with the correct credentials?
>>>
>>> nfs/server@subdomain.domain.com
>>>
>>> nfs/client@subdomain.domain.com
>>>
>>> Are these created manually by adding some account in ADUC and then 
>>> use "samba-tool domain exportkeytab" to export the krb5.keytab file
>>>
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> -Ken
>>>
>>>
>>>
>>> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>>>> Hey Ken,
>>>>
>>>> We’re using AD as a Kerberos server for NFSv4 in our Linux labs to 
>>>> automount the students home directories.
>>>>
>>>> I can answer specific questions if you’ve got some.
>>>>
>>>> Cheers, Luc.
>>>>
>>>>
>>>> Luc Lalonde, analyste
>>>> -----------------------------
>>>> Département de génie informatique:
>>>> École polytechnique de MTL
>>>> (514) 340-4711 x5049
>>>> Luc.Lalonde at polymtl.ca
>>>> -----------------------------
>>>>
>>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba 
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers 
>>>>> and then have clients connect to them?
>>>>>
>>>>> I have Ubuntu Server for the server and Linux Mint for clients. So 
>>>>> far, I've got a lot setup according to these instructions
>>>>>
>>>>> https://help.ubuntu.com/community/NFSv4Howto
>>>>>
>>>>> And seem to have adapted the keytab entries from using this Samba 
>>>>> AD info
>>>>>
>>>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>>>
>>>>> But I'm kind of stuck getting the actual mount to work on a client 
>>>>> side. I'll admit to never using Kerberos with NFS before and my 
>>>>> Samba AD knowledge is also fairly new (but I do have working Samba 
>>>>> AD for Windows and Linux client logins, groups, POSIX & Win ACLs). 
>>>>> I can't seem to find good information or a howto on implementing 
>>>>> NFS Kerberos + Samba AD
>>>>>
>>>>> Before I post actual questions and logs, is this configuration 
>>>>> even possible?
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
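Since the thread above is the participants' own words and configs, what follows is an added, stand-alone check script. It is not from the thread and is not Samba or msktutil code; it covers the points the discussion turns on: decoding the --enctypes 0x1F mask Luc passes to msktutil (the bit values are Active Directory's msDS-SupportedEncryptionTypes), checking a klist -k -e listing for the nfs/ principal and for single-DES or RC4 keys, checking the realm case that broke Ken's first mount, and recognising the 4294967294 group in his second symptom as the NFSv4 "unmapped owner" value. The host names and realm match the sanitized examples above, and the klist and krb5.conf samples are constructed, so the script runs offline and touches no real keytab.

```sh
#!/bin/sh
# Added example, not from the thread: offline checks for the things the
# thread turns on. Sample inputs below are constructed to look like
# "klist -k -e" and krb5.conf on the hosts in the thread.

# Decode the bitmask msktutil --enctypes writes to the computer account's
# msDS-SupportedEncryptionTypes (bit values are Active Directory's).
# 0x1F, as used above, sets every bit, single DES included.
decode_enctypes() {
    mask=$(( $1 ))
    names=""
    [ $(( mask & 0x01 )) -ne 0 ] && names="$names des-cbc-crc"
    [ $(( mask & 0x02 )) -ne 0 ] && names="$names des-cbc-md5"
    [ $(( mask & 0x04 )) -ne 0 ] && names="$names rc4-hmac"
    [ $(( mask & 0x08 )) -ne 0 ] && names="$names aes128-cts-hmac-sha1-96"
    [ $(( mask & 0x10 )) -ne 0 ] && names="$names aes256-cts-hmac-sha1-96"
    printf '%s\n' "${names# }"
}

# True when the mask is AES-only, so nothing needs allow_weak_crypto = true
# in krb5.conf and no RC4 key is issued. 0x18 is the AES-only mask.
enctypes_are_aes_only() {
    [ $(( $1 & 0x07 )) -eq 0 ]
}

# Does "klist -k -e" output on stdin hold the principal the NFS server or
# client needs (e.g. nfs/server.example.com@EXAMPLE.COM)?
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Space-separated list of that principal's keys that use single DES or
# RC4; empty output means the keytab holds only AES keys for it.
keytab_legacy_enctypes() {
    awk -v p="$1" '
        $2 == p { e = $3; gsub(/[()]/, "", e)
                  if (e ~ /^des-/ || e ~ /^arcfour/) s = s (s == "" ? "" : " ") e }
        END { print s }'
}

# Ken's first fix: default_realm in krb5.conf (read from stdin) must be
# upper case, because Kerberos realm names are case-sensitive.
realm_is_uppercase() {
    realm=$(awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

# Ken's second symptom: 4294967294 is 0xFFFFFFFE, i.e. -2 in an unsigned
# 32-bit uid/gid, the "nobody" value the Linux NFSv4 client substitutes
# when the owner@domain string from the server cannot be mapped. With
# sec=krb5 the client always uses string idmapping (the numeric-ID
# shortcut only applies to sec=sys), so rpc.idmapd/nfsidmap and the same
# Domain in /etc/idmapd.conf are needed on both ends.
is_unmapped_nfs4_id() {
    [ "$1" = 4294967294 ] || [ "$1" = 65534 ]
}

# Constructed sample of "klist -k -e" for a keytab made with --enctypes 0x1F.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 nfs/server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 nfs/server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed krb5.conf fragments: the lower-case realm that broke the
# first mount, and the corrected one.
SAMPLE_KRB5_BAD='[libdefaults]
 default_realm = example.com
 dns_lookup_kdc = true'
SAMPLE_KRB5_OK='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true'

report() {
    nfs_princ=nfs/server.example.com@EXAMPLE.COM
    printf 'enctypes 0x1F = %s\n' "$(decode_enctypes 0x1F)"
    enctypes_are_aes_only 0x1F || echo 'WARN: 0x1F enables DES and RC4; pass --enctypes 0x18 for AES only'
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$nfs_princ" \
        && echo "OK: $nfs_princ present in keytab"
    legacy=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_legacy_enctypes "$nfs_princ")
    [ -z "$legacy" ] || echo "WARN: legacy keys for $nfs_princ: $legacy"
    printf '%s\n' "$SAMPLE_KRB5_BAD" | realm_is_uppercase || echo 'WARN: default_realm must be upper case'
    is_unmapped_nfs4_id 4294967294 && echo 'WARN: gid 4294967294 means NFSv4 idmapping failed'
}
report
```

On a real host, feed the functions with `klist -k -e -t /etc/krb5.keytab` and `/etc/krb5.conf` instead of the samples. For Luc's open question about the Samba side of `setspn`: on a Samba AD DC the equivalents are `samba-tool spn add nfs/server.example.com server` and `samba-tool spn list server`, and `samba-tool domain exportkeytab --principal=nfs/server.example.com@EXAMPLE.COM /etc/krb5.keytab` writes that principal's keys straight from the DC without msktutil (these are stock samba-tool subcommands, not something the thread shows).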


