[Samba] NFSv4, homes, Kerberos...

L.P.H. van Belle belle at bazuin.nl
Wed Oct 10 07:25:16 UTC 2018


Hai,

Hmm.. Bummer..
I just discovered the Debian package doesn't have vfs_nfs4acl included in the build.

And because of that it's not in my packages. I'll have a look into it, see what I can make of it.

Greetz, 

Louis


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday, 9 October 2018 17:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] NFSv4, homes, Kerberos...
> 
> Hai, 
> 
> I'm getting somewhere, here you go, a snapshot of what I have atm,
> and what works atm. I'm assuming you have winbind already running.
> 
> Obligatory: an A + PTR record in the DNS.
> You can turn off the rdns check in krb5.conf but I did not test that.
> 
> # Tested on Debian Stretch - NFSv4 SERVER 
> apt-get install --auto-remove nfs-kernel-server
> systemctl stop nfs-*
> 
> Added in krb5.conf below the default_realm setting.
> ; ignore k5login not being accessible in the user home dir.
>         ignore_k5login = true
> 
> ; for Windows 2008 with AES, needed by CIFS also. ( don't forget the cifs/spn )
>         default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>         permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> # Server settings for NFSv4 
> sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
> 
> Idmap.conf
> Add in [general] 
> Domain = internal.domain.tld
> Local-Realm = YOUR.REALM
> 
> kinit Administrator
> net ads keytab add nfs/hostname1.internal.domain.tld at YOUR.REALM -k
> 
> # The NFS server. /etc/exports contains now:
> /srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> /srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> 
> 
> # For the Clients. 
> apt-get install nfs-common
> 
> kinit Administrator
> # Todo on the NFSv4 client
> net ads keytab add nfs/hostname2.internal.domain.tld at REALM -k
> 
> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
> 
> Test : 
> mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> 
> For tomorrow, I'm looking to add nfs4acl_xattr to the share.
>  man vfs_nfs4acl_xattr 
> 
> For now.. I'm heading home...
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Marco Gaiarin via samba
> > Sent: Tuesday, 9 October 2018 11:00
> > To: samba at lists.samba.org
> > Subject: [Samba] NFSv4, homes, Kerberos...
> > 
> > 
> > I was used to integrating some Linux clients in my Samba network, mounting
> > homes with 'unix extensions = yes', and it works as expected, at least
> > with some old Lubuntu derivatives. Client side I use 'pam_mount'.
> > 
> > Now I'm working on an Ubuntu MATE derivative, and I've not found a way
> > to start the session properly in CIFS.
> > If I create a plain local home (pam_mkhome), the session starts as
> > expected.
> > 
> > Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
> > security by IP.
> > 
> > 
> > I've looked around at NFSv4/Kerberos setups, but I've not found a
> > tutorial, or some documentation, that seems clear (at least to me).
> > 
> > Also, for NFSv3 I use autofs. Better to use pam_mount instead?
> > 
> > 
> > Briefly, can someone point me to some good documentation? Thanks.
> > 
> > -- 
> > dott. Marco Gaiarin                                GNUPG Key ID: 240A3D66
> >   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
> >   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
> >   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> > 
> >         Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> >       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> >     (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 

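Two checks a practitioner would want to run against the configuration in the quoted post, as an added example that is not part of Louis's message or of any Samba or NFS project code: the exports above list sec=sys alongside the krb5 flavours, so a client can still mount with plain AUTH_SYS and the server takes the client's uid/gid on trust; and the enctype lists keep single-DES and RC4 next to AES. The script below parses constructed copies of /etc/exports and the krb5.conf [libdefaults] section (sample contents embedded inline, with the post's placeholder names) and reports both. The /srv/secure export, the function names and the RFC references are my additions, not anything from the post.

```shell
#!/bin/sh
# Added example, not part of the list post or of any Samba/NFS project code.
# Audits two security-relevant settings from the quoted setup:
#   1. which exports still permit sec=sys (plain AUTH_SYS, where the server
#      trusts the uid/gid the client claims, so Kerberos is optional for the
#      client rather than enforced), and
#   2. which krb5.conf enctype lists still contain single-DES or RC4.
# The sample files are constructed here so the script runs offline; on a real
# host point the functions at /etc/exports and /etc/krb5.conf instead.

# Constructed sample /etc/exports: the two lines from the post plus one
# hypothetical export that only allows krb5p.
SAMPLE_EXPORTS='/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/secure     192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)'

# Constructed sample krb5.conf [libdefaults] with the enctype lists from the post.
SAMPLE_KRB5='[libdefaults]
        default_realm = YOUR.REALM
        ignore_k5login = true
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5'

# exports_allowing_sys FILE
# Prints the path of every export that accepts sec=sys from at least one
# client spec. A client spec with no sec= option at all counts too, because
# exportfs defaults to sec=sys.
exports_allowing_sys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            path = $1; allows = 0
            for (i = 2; i <= NF; i++) {
                if (match($i, /sec=[^,)]*/)) {
                    flavours = substr($i, RSTART + 4, RLENGTH - 4)
                    n = split(flavours, f, ":")
                    for (j = 1; j <= n; j++) if (f[j] == "sys") allows = 1
                } else {
                    allows = 1                  # no sec= given: default is sys
                }
            }
            if (allows) print path
        }' "$1"
}

# weak_enctypes FILE
# Prints "<setting> <enctype>" for every single-DES (deprecated by RFC 6649)
# or RC4 (deprecated by RFC 8429) entry in the three enctype lists.
weak_enctypes() {
    awk '
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
            setting = $1; sub(/[ \t]*=.*$/, "", setting)
            list = $0;    sub(/^[^=]*=/, "", list)
            n = split(list, e, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^(rc4-hmac|arcfour-hmac|arcfour-hmac-md5|des-cbc-crc|des-cbc-md4|des-cbc-md5)$/)
                    print setting, e[i]
        }' "$1"
}

# Stand-alone run against the constructed samples.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_EXPORTS" > "$workdir/exports"
printf '%s\n' "$SAMPLE_KRB5"    > "$workdir/krb5.conf"
echo "Exports that still accept sec=sys:"
exports_allowing_sys "$workdir/exports"
echo "Deprecated enctypes still listed in krb5.conf:"
weak_enctypes "$workdir/krb5.conf"
rm -rf "$workdir"
```

Drop sec=sys from an export once every client of it can mount with one of the krb5 flavours, and trim the enctype lists to the AES entries once the KDC and every service keytab carry AES keys. Removing an enctype that some principal still depends on breaks authentication for it, so list the keytab enctypes with `klist -ke` before trimming.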