[Samba] NFSv4, homes, Kerberos...

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Oct 10 10:43:14 UTC 2018


Hi,

just a hint. In our case it was impossible to use the rpc.svcgssd
service for kerberized nfs4, due to a bug (our server OS: Debian 9). We
got some kind of kernel panic on the server when a client mounted a
kerberized nfs4 export. So we are using the "gssproxy" package right now.

see https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654

-- 
Regards,
Andreas Hauffe

On 09.10.18 at 17:26, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'm getting somewhere, here you go, a snap of what I have atm.
> And what works atm. I'm assuming you have winbind already running.
>
> An A+PTR record in the DNS is obligatory.
> You can turn off the rdns check in krb5.conf, but I did not test that.
>
> # Tested on Debian Stretch - NFSv4 SERVER
> apt-get install --auto-remove nfs-kernel-server
> systemctl stop nfs-*
>
> Added in krb5.conf below the default_realm setting.
> ; ignore k5login not being accessible in the user home dir.
>          ignore_k5login = true
>
> ; for Windows 2008 with AES, needed by CIFS also. ( don't forget the cifs/spn )
>          default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>          default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>          permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> # Server settings for NFSv4
> sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
>
> Idmap.conf
> Add in [general]
> Domain = internal.domain.tld
> Local-Realm = YOUR.REALM
>
> kinit Administrator
> net ads keytab add nfs/hostname1.internal.domain.tld@YOUR.REALM -k
>
> # The NFS server.  /etc/exports contains now.
> /srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> /srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
>
> # For the Clients.
> apt-get install nfs-common
>
> kinit Administrator
> # Todo on the NFSv4 client
> net ads keytab add nfs/hostname2.internal.domain.tld@REALM -k
>
> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
>
> Test :
> mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
>
> For tomorrow, I'm looking to add nfs4acl_xattr in the share.
>   man vfs_nfs4acl_xattr
>
> For now.. I'm heading home...
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Marco Gaiarin via samba
>> Sent: Tuesday 9 October 2018 11:00
>> To: samba at lists.samba.org
>> Subject: [Samba] NFSv4, homes, Kerberos...
>>
>>
>> I used to integrate some Linux clients into my Samba network, mounting
>> homes with 'unix extensions = yes', and it works as expected, at least
>> with some old Lubuntu derivatives. Client side I use 'pam_mount'.
>>
>> Now I'm working on an Ubuntu MATE derivative, and I've not found a way
>> to start the session properly in CIFS.
>> If I create a plain local home (pam_mkhome), the session starts as
>> expected.
>>
>> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
>> security by IP.
>>
>>
>> I've looked around at NFSv4/Kerberos setup, but I've not found a
>> tutorial, or some documentation, that seems clear (at least to me).
>>
>> Also, for NFSv3 I use autofs. Better to use pam_mount instead?
>>
>>
>> Briefly, can someone point me to some good documentation? Thanks.
>>
>> -- 
>> dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
>>    Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
>>    Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>>    marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>>
>>         Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>>         http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>>         (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
>>

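Louis's recipe above leaves two things a defender would want to verify before trusting the server: the krb5.conf enctype list still admits DES and RC4, and every export keeps sec=sys in its flavour list, so a client that mounts with sec=sys is still trusted for whatever uid it presents, Kerberos or not. The POSIX sh helpers below are added here and are not code from any message in the thread; they parse those settings, plus a keytab listing, from constructed copies of the post's own values (the klist -k output is invented for the example, and the hostnames and realm are the placeholders the post uses), so the script runs offline without touching a real system.

```shell
#!/bin/sh
# Added audit helpers for the kerberized NFSv4 recipe quoted above; not code
# from the post. Every input is constructed here from the post's own values,
# so nothing reads the live system and the script runs anywhere.

# Constructed: the enctype list the post puts in krb5.conf.
KRB5_ENCTYPES="aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"

# Constructed: the post's /etc/exports lines.
EXPORTS_SAMPLE='/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)'

# Constructed (invented for this example): what "klist -k" could print after
# the "net ads keytab add nfs/..." step from the post.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname1.internal.domain.tld@YOUR.REALM
   2 nfs/hostname1.internal.domain.tld@YOUR.REALM'

# Print the deprecated enctypes (DES, 3DES and RC4 families) found in a
# space-separated list. Returns 0 when the list is clean, 1 otherwise.
weak_enctypes() {
    _found=""
    for _e in $1; do
        case "$_e" in
            des-*|des3-*|rc4-hmac*|arcfour-hmac*) _found="$_found $_e" ;;
        esac
    done
    if [ -z "$_found" ]; then
        return 0
    fi
    printf '%s\n' "${_found#?}"   # drop the leading separator space
    return 1
}

# Print the sec= flavours an /etc/exports line grants to its client spec.
# exportfs defaults to "sys" when the option is absent, so report that.
export_sec_flavors() {
    _opts=${1#*\(}
    _opts=${_opts%\)*}
    _sec=""
    _ifs=$IFS
    IFS=,
    for _o in $_opts; do
        case "$_o" in sec=*) _sec=${_o#sec=} ;; esac
    done
    IFS=$_ifs
    printf '%s\n' "${_sec:-sys}"
}

# True (0) when the export still accepts AUTH_SYS, i.e. a client mounting
# with sec=sys is trusted for whatever uid it claims.
export_allows_sys() {
    case ":$(export_sec_flavors "$1"):" in
        *:sys:*) return 0 ;;
    esac
    return 1
}

# True (0) when klist -k output ($1) lists an nfs/<fqdn>@REALM entry for the
# host in $2; without it the server cannot accept krb5 mounts.
keytab_has_nfs_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]nfs/$2@"
}

# True (0) when the PTR answer ($2) names the forward host ($1), ignoring
# case and a trailing dot: the A+PTR consistency the post requires.
rdns_consistent() {
    _a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); _a=${_a%.}
    _b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]'); _b=${_b%.}
    [ "$_a" = "$_b" ]
}

# Run every check over the constructed samples, print the findings, and
# return their count so a caller can branch on it.
audit_nfs_krb5() {
    _n=0
    if ! weak_enctypes "$KRB5_ENCTYPES" >/dev/null; then
        printf 'FINDING: krb5.conf allows deprecated enctypes: %s\n' \
            "$(weak_enctypes "$KRB5_ENCTYPES")"
        _n=$((_n + 1))
    fi
    _ifs=$IFS
    IFS='
'
    for _line in $EXPORTS_SAMPLE; do
        IFS=$_ifs
        if export_allows_sys "$_line"; then
            printf 'FINDING: %s still accepts sec=sys (sec=%s)\n' \
                "${_line%% *}" "$(export_sec_flavors "$_line")"
            _n=$((_n + 1))
        fi
    done
    IFS=$_ifs
    if ! keytab_has_nfs_principal "$KLIST_SAMPLE" hostname1.internal.domain.tld; then
        printf 'FINDING: keytab lacks nfs/hostname1.internal.domain.tld\n'
        _n=$((_n + 1))
    fi
    return $_n
}

audit_nfs_krb5 || printf '%s finding(s) in the sample configuration\n' "$?"
```

On the post's own values the audit reports three findings: the deprecated enctypes and both exports still accepting sec=sys. Listing sec=krb5:krb5i:krb5p without sys forces every client through Kerberos; dropping the DES and RC4 entries from krb5.conf is safe once no remaining service depends on them.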

