[Samba] NFSv4, homes, Kerberos...
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 9 15:26:18 UTC 2018
Hai,
I'm getting somewhere, here you go, a snap of what I have atm.
And what works atm. I'm assuming you have winbind already running.
Obligatory is an A+PTR record in the DNS.
You can turn off the rdns check in krb5.conf but I did not test that.
# Tested on Debian Stretch - NFSv4 SERVER
apt-get install --auto-remove nfs-kernel-server
systemctl stop nfs-*
Added in krb5.conf below the default_realm setting.
; ignore k5login not being accessible in the user home dir.
ignore_k5login = true
; for Windows 2008 with AES, needed by CIFS also. (don't forget the cifs/spn)
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# Server settings for NFSv4
sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
Idmap.conf
Add in [general]
Domain = internal.domain.tld
Local-Realm = YOUR.REALM
kinit Administrator
net ads keytab add nfs/hostname1.internal.domain.tld at YOUR.REALM -k
# The NFS server. /etc/exports contains now.
/srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
# For the Clients.
apt-get install nfs-common
kinit Administrator
# Todo on the NFSv4 client
net ads keytab add nfs/hostname2.internal.domain.tld at REALM -k
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
Test:
mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
For tomorrow, I'm looking to add nfs4acl_xattr in the share.
man vfs_nfs4acl_xattr
For now.. I'm heading home...
Greetz,
Louis
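An added example, not from Louis' post or from Samba itself: a few offline sanity checks for the settings the post configures (the /etc/default/nfs-* variables, the sec= flavours in /etc/exports, the nfs/ SPN in the keytab, and the A+PTR pair the post calls obligatory). Each function takes a file path or captured text so it can be run against constructed input; the hostnames and IPs used are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: offline sanity checks for the settings the post
# configures. Functions take file paths or captured text so they run without a live
# AD/NFS environment; hostnames and IPs are constructed placeholders.

# /etc/default/nfs-common and nfs-kernel-server: is VAR set to WANT (quotes ignored)?
# The post wants NEED_GSSD=yes, NEED_IDMAPD=yes, NEED_STATD=no and NEED_SVCGSSD="yes".
need_var_is() {  # file var want
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"')
    [ "$val" = "$3" ]
}

# /etc/exports: print "<path> <flavours> sys-allowed|krb5-only" per export. The post's
# exports offer sec=sys:krb5:krb5i:krb5p; 'sys' keeps AUTH_SYS (client-asserted UID)
# access open to the whole subnet, so it is worth seeing which exports still allow it.
export_sec_report() {  # exports_file
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path rest; do
        sec=$(printf '%s' "$rest" | sed -n 's/.*sec=\([^,)]*\).*/\1/p')
        if [ -z "$sec" ]; then sec=sys; fi      # nfsd default when sec= is absent
        case ":$sec:" in
            *:sys:*) mode=sys-allowed ;;
            *)       mode=krb5-only ;;
        esac
        printf '%s %s %s\n' "$path" "$sec" "$mode"
    done
}

# Keytab: given the text of 'klist -k' (captured or constructed), is the nfs/ SPN that
# 'net ads keytab add' should have created present?
keytab_has_spn() {  # klist_output spn
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit !found }'
}

# A + PTR: given 'getent hosts <fqdn>' and 'getent hosts <ip>' output lines, check that
# the reverse record points back at the same name (case-insensitive) and the same IP.
fwd_rev_match() {  # fqdn forward_line reverse_line
    fwd_ip=$(printf '%s' "$2" | awk '{ print $1 }')
    rev_ip=$(printf '%s' "$3" | awk '{ print $1 }')
    rev_name=$(printf '%s' "$3" | awk '{ print tolower($2) }')
    [ "$fwd_ip" = "$rev_ip" ] && [ "$rev_name" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# Live wrapper for the check above; needs the DNS the post says is obligatory.
check_rdns() {  # fqdn
    fwd=$(getent hosts "$1") || return 1
    rev=$(getent hosts "${fwd%% *}") || return 1
    fwd_rev_match "$1" "$fwd" "$rev"
}
```

Run `check_rdns hostname1.internal.domain.tld` on the server and `export_sec_report /etc/exports` to see which exports still accept AUTH_SYS from the subnet.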
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 9 October 2018 11:00
> To: samba at lists.samba.org
> Subject: [Samba] NFSv4, homes, Kerberos...
>
>
> I used to integrate some linux clients in my samba network mounting
> homes with 'unix extensions = yes', and it works as expected, at least
> with some old lubuntu derivatives. Client side I use 'pam_mount'.
>
> Now I'm working on a ubuntu mate derivative, and I've not found a way
> to start the session properly in CIFS.
> If I create a plain local home (pam_mkhome), the session starts as
> expected.
>
> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, eg
> security by IP.
>
>
> I've looked around at NFSv4/Kerberos setup, but I've not found a
> tutorial, or some documentation, that seems clear (at least to me).
>
> Also, for NFSv3 I use autofs. Better to use pam_mount instead?
>
>
> Briefly, can someone point me to some good documentation? Thanks.
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà , 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>