[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

L.P.H. van Belle belle at bazuin.nl
Mon Feb 5 13:37:58 UTC 2018

Hai Ken, 

I suggest, have a look here : 

This is my production setup on debian Stretch. 
Now for Ubuntu 16.04 it's about the same, I suggest you read through it, you see it and get it ;-) 
The order in which I install helps prevent errors in other steps, so take note of that. 

I work with the AD backend for every server with shares, and auth-only members can use rid in the mix, like a proxy server.
Why the AD backend, very advisable for file servers, see

My only reason: AD advantage: 
IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost. 
... I hate corruptions, happened one time... Never again...

And see below, I also commented a bit in between your lines. 

> -----Original message-----
> From: Ken McDonald [mailto:ken at generation.tech] 
> Sent: Monday 5 February 2018 14:10
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos 
> servers and clients
> Louis,
> Thank you for your insightful response. It's a shame that once I figured
> this all out, I got to such a terminal problem. I suppose the NFS4 krb5
> remote mount ACL issue works OK with other, non-Samba AD, KDCs? Is
> that the core issue of this problem, the KDC portion?
It's only Linux as far as I know, but it is only a matter of time to get it fixed.

> My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server, 
> setup Samba AD as the user/group directory and make a file server 
> sharing to both Windows and Linux Mint clients using SMB and NFS4 
> (encrypted) with POSIX & Windows ACLs for each style. I got that 
> implementation to work quite well all the way down to the NFS4 Kerberos 
> ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I 
> suppose I'll have to deploy it that way for now; changing to the 
> encrypted style should be no problem in the future.
For that I use: ignore system acls = yes
See man smb.conf for the info about this one. 

> Strangely, I did not run into the "Using the Domain Controller as a File
> Server" problem "Running shares with POSIX ACLs on a Samba DC is not
> supported" mentioned here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> I guess this works because my Linux clients connect through NFS and get
> POSIX ACLs that way, (even though those POSIX ACLs are making use of
> Samba AD users/groups through winbindd (with "idmap config DOMAIN:backend = ad")?
> Any other helpful comments by anyone for this particular Samba AD file
> server implementation would be appreciated. I think I'll make a full
> step-by-step writeup once I get all this working.
See my howtos and change them to Ubuntu, and send me a copy when done. ;-) 
Or better, put them on GitHub so I can fork them. 

> -Ken

Good luck. 
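As an added illustration (not from Louis's howtos, the Samba wiki, or anything Ken posted), here is a minimal smb.conf for a Samba domain member file server that combines the two settings discussed in this message: the idmap `ad` backend, so that UID/GID mappings come from the directory instead of a locally generated database, and `ignore system acls = yes` on a share. The realm SAMDOM.EXAMPLE.COM, the workgroup SAMDOM, the idmap ranges and the share path are placeholders.

```ini
# Added example: Samba domain member file server using the idmap "ad" backend
# together with "ignore system acls = yes". Realm, workgroup, ranges and paths
# are placeholders, not values from the thread.
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default backend for BUILTIN and any domain not configured below.
    # These mappings never own files on the shares, so a local tdb is acceptable.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain accounts: uidNumber/gidNumber (RFC2307 attributes) are read from AD,
    # so no local, corruptible ID database decides who owns a file.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes

    # Keep Windows ACLs in the security.NTACL extended attribute.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[data]
    path = /srv/samba/data
    read only = no
    # Serve the stored NT ACL as-is instead of deriving it from, and syncing it
    # back to, the POSIX ACL on disk.
    ignore system acls = yes
```

Two points worth checking before copying this: the `ad` backend only maps accounts that actually carry uidNumber/gidNumber in AD, so users without those attributes will not resolve at all on this member; and with `ignore system acls = yes` the acl_xattr module no longer writes the Windows ACL into the POSIX ACL, so clients that reach the same directory over NFS see only the POSIX permissions left on disk, not the NT ACL that SMB clients see.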

