[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Ken McDonald ken at generation.tech
Mon Mar 5 00:36:07 UTC 2018


Louis,

Can we revisit this idea? As I posted in another thread, I am not able 
to get NFS-Kerberos to work normally; after snipping some source code I 
was able to get a mount to work. Beyond that hangup, I have found that I 
can get id mapping and permissions to work with a remote mounted NFS share 
using Kerberos by editing the file:

/etc/modprobe.d/nfsd.conf

and adding this line

options nfsd nfs4_disable_idmapping=0

after rebooting, verify it's working by

cat /sys/module/nfsd/parameters/nfs4_disable_idmapping

which should return "N". This seems to make the permission, user and group 
mapping work across NFS.

Got the info here

https://serverfault.com/questions/766869/nfs4-id-mapping

-Ken


On 02/05/2018 06:00 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> NfsV4 and samba works fine but there is a big BUT and you have found it already.
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
>> recognize permissions. The mount directory is shown as owned by root and the group is 4294967294
> Yes, the nfsv4 acls and system acl over kerberos don't match anymore.
> This is a known problem and I don't know when it will be fixed.
>
> I use atm this for the NFS server.
>
> # Test all sec variable.
> /exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
> /exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
> This gives the option to test all sec= settings.
> Now if you use sys ( not kerberos ) all rights work OK and you should have a 100% match.
>
> I've tried with one of the latest libnfsidmap files and built it for debian stretch.
> http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt
>>   stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9
> Since changelogs indicate that it should be fixed with 0.27 but it's not,
> well at least I did not get the correct acls also with kerberos mounts.
> Irritation is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also.
>
> See also my message to debian:
> https://lists.debian.org/debian-kernel/2017/11/msg00079.html
>
>
> Now about the keytab nfs generation. ( use sys for now that works fine.)
>  From : https://wiki.samba.org/index.php/Generating_Keytabs
>
> samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$"
> samba-tool spn add host/hostname.dom.tld@REALM "NETBIOSNAME\$"  < i dont use this one, imo only when you use multiple REALMS.
> samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab
> Copy ~/nfs-hostname.keytab to the correct server.
>
> ktutil
> rkt /etc/krb5.keytab
> rkt ~/nfs-hostname.keytab
> list   ... Aka check it.
> wkt /etc/krb5.keytab.NEW
>
> stop samba/winbind
> cp /etc/krb5.keytab{,.backup}
> cp /etc/krb5.keytab.NEW /etc/krb5.keytab
> Start samba/winbind
>
> Give it a try
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ken
>> McDonald via samba
>> Sent: Monday 5 February 2018 6:14
>> To: samba
>> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos
>> servers and clients
>>
>> I found one of my problems was that on the client, in the
>> /etc/krb5.conf
>> file, the domain name was in lower case. The one on the
>> server was upper
>> case. Upper case'ing the client one fixed my nfs4 mount
>> issue, but now I
>> have another one.
>>
>> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
>> recognize permissions. The mount directory is shown as owned
>> by root and
>> the group is 4294967294
>>
>> If I mount the export using nfs4 without krb5 it works as
>> expected and
>> the mount directory is owned by root and the group is from
>> Samba AD as
>> DOMAIN\group
>>
>> I suppose this has something to do with id mapping and a special
>> requirement for nfs4 krb5. I have winbindd running, which of
>> course is
>> why my perms are working non-krb5.
>>
>> Help?
>>
>>
>> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
>>> Thanks Luc,
>>>
>>> First, can I just use the small /etc/krb5.conf suggested in
>> Samba AD
>>> docs or do I need something more substantial on the server & client
>>> for Kerberos NFS to work?
>>>
>>> [libdefaults]
>>>          default_realm = SUBDOMAIN.DOMAIN.COM
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>>
>>> I understand a /etc/krb5.keytab file has to be created on
>> both server
>>> & client. Most of the existing docs show commands to do
>> this using a
>>> real KDC, not Samba AD. If I try to use the kadmin tool, there's a
>>> message about the krb5.conf being incomplete. I am able to
>> use klist
>>> and ktutil
>>>
>>> How do I generate the keytab file with the correct credentials?
>>>
>>> nfs/server@subdomain.domain.com
>>>
>>> nfs/client@subdomain.domain.com
>>>
>>> Are these created manually by adding some account in ADUC
>> and then use
>>> "samba-tool domain exportkeytab" to export the krb5.keytab file
>>>
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> -Ken
>>>
>>>
>>>
>>> On 02/04/2018 06:29 PM, Luc Lalonde wrote:
>>>> Hey Ken,
>>>>
>>>> We're using AD as a Kerberos server for NFSv4 in our Linux labs to
>>>> automount the students home directories.
>>>>
>>>> I can answer specific questions if you've got some.
>>>>
>>>> Cheers, Luc.
>>>>
>>>>
>>>> Luc Lalonde, analyste
>>>> -----------------------------
>>>> Département de génie informatique:
>>>> École polytechnique de MTL
>>>> (514) 340-4711 x5049
>>>> Luc.Lalonde at polymtl.ca
>>>> -----------------------------
>>>>
>>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers
>>>>> and then have clients connect to them?
>>>>>
>>>>> I have Ubuntu Server for the server and Linux Mint for
>> clients. So
>>>>> far, I've got a lot setup according to these instructions
>>>>>
>>>>> https://help.ubuntu.com/community/NFSv4Howto
>>>>>
>>>>> And seem to have adapted the keytab entries from using
>> this Samba AD
>>>>> info
>>>>>
>>>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>>>
>>>>> But I'm kind of stuck getting the actual mount to work on
>> a client
>>>>> side. I'll admit to never using Kerberos with NFS before and my
>>>>> Samba AD knowledge is also fairly new (but I do have
>> working Samba
>>>>> AD for Windows and Linux client logins, group, POSIX &
>> Win ACLs). I
>>>>> can't seem to find good information or howto on implementing
>>>>> NFS Kerberos + Samba AD
>>>>>
>>>>> Before I post actual questions and logs, is this
>> configuration even
>>>>> possible?
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>
>>
>>
>>
>
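The thread above names four settings that have to line up before a krb5 NFSv4 mount shows correct ownership: Ken's nfsd idmapping module option, Louis's sec= flavours in /etc/exports, the upper-case default_realm Ken had to fix in the client krb5.conf, and an nfs/<fqdn> entry in the server keytab after the ktutil merge. The script below is an added example, written for this page and not code from the thread, the Samba project or nfs-utils; it turns those four points into read-only checks. Function names, the sample inputs in the comments and the --report option are my own; the default paths are the ones the thread mentions, and the keytab check assumes the output of `klist -k` lists one principal per line, as it does on MIT and Heimdal. Every function accepts its input file as an argument, so the checks can be exercised against constructed files without touching the live system.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): read-only sanity
# checks for the NFSv4 + Kerberos settings discussed above. Each function takes
# its input file as an argument; the defaults are the real paths from the thread.

# Ken's check: /sys/module/nfsd/parameters/nfs4_disable_idmapping must read "N"
# (nfs4_disable_idmapping=0) for NFSv4 id mapping to be active on the server.
idmap_enabled() {
    file="${1:-/sys/module/nfsd/parameters/nfs4_disable_idmapping}"
    [ -r "$file" ] || return 2        # parameter file absent: nfsd not loaded?
    [ "$(cat "$file")" = "N" ]
}

# Ken's fix as a check: is the option persisted in the modprobe.d file?
idmap_option_configured() {
    conf="${1:-/etc/modprobe.d/nfsd.conf}"
    [ -r "$conf" ] || return 1
    grep -qE '^[[:space:]]*options[[:space:]]+nfsd[[:space:]].*nfs4_disable_idmapping=0' "$conf"
}

# The sec= flavours an exports file grants for one export path, one per line.
# Louis's "/exports ... sec=sys:krb5:krb5i:krb5p" line yields: sys krb5 krb5i krb5p
export_sec_flavours() {
    exports_file="$1"; path="$2"
    awk -v p="$path" '$1 == p && match($0, /sec=[^,)]*/) {
        n = split(substr($0, RSTART + 4, RLENGTH - 4), a, ":")
        for (i = 1; i <= n; i++) print a[i]
    }' "$exports_file"
}

# True if the export accepts at least one Kerberos flavour (krb5, krb5i, krb5p),
# i.e. it is not a sys-only export.
export_allows_krb5() {
    export_sec_flavours "$1" "$2" | grep -qE '^krb5(i|p)?$'
}

# The realm-case problem Ken hit: default_realm in krb5.conf must be upper case.
krb5_default_realm() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}
realm_is_uppercase() {
    realm="$(krb5_default_realm "$1")"
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# After the ktutil merge Louis describes, the server keytab should contain an
# nfs/<fqdn>@REALM entry. Takes the output of `klist -k <keytab>` as a file.
keytab_has_nfs_principal() {
    klist_out="$1"; fqdn="$2"
    grep -qF "nfs/${fqdn}@" "$klist_out"
}

# Report against the live system: sh nfs-krb5-check.sh --report <fqdn> <export-path>
report() {
    fqdn="$1"; export_path="$2"
    idmap_enabled && echo "ok   nfsd idmapping enabled (N)" || echo "FAIL nfs4_disable_idmapping is not N"
    idmap_option_configured && echo "ok   modprobe option persisted" || echo "warn nfs4_disable_idmapping=0 not in /etc/modprobe.d/nfsd.conf"
    export_allows_krb5 /etc/exports "$export_path" && echo "ok   $export_path offers a krb5 flavour" || echo "FAIL $export_path has no krb5 sec= flavour"
    realm_is_uppercase /etc/krb5.conf && echo "ok   default_realm is upper case" || echo "FAIL default_realm missing or not upper case"
    tmp="$(mktemp)"; klist -k /etc/krb5.keytab > "$tmp" 2>/dev/null
    keytab_has_nfs_principal "$tmp" "$fqdn" && echo "ok   nfs/$fqdn in keytab" || echo "FAIL nfs/$fqdn not in /etc/krb5.keytab"
    rm -f "$tmp"
}

case "${1:-}" in --report) shift; report "$@" ;; esac
```

Running `sh nfs-krb5-check.sh --report server.subdomain.domain.com /exports/users` on the NFS server prints one line per check. The checks are deliberately split by function so that a sys-only export (Louis's "use sys for now") shows up as the export check failing while idmapping and the keytab still pass, which is the combination Ken's first message describes.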



