[Samba] NFSv4, homes, Kerberos...

L.P.H. van Belle belle at bazuin.nl
Wed Oct 10 11:35:15 UTC 2018


Thank you for that, I did have a good look at that one.
And I use Debian 9; if you test what I posted below in the thread, you will see NFSv4 works fine.
Below is missing one more thing: the "allow to delegate (Kerberos only)" on the computer object in the AD should be enabled.

And yes, I've seen bugchecks also, but only on my Debian .. Lenny.. Stt.. ;-) .. It's my last Lenny server.
No crashes on Jessie or Stretch; I don't have fstab entries, everything is done by systemd.

My problem is not crashing, but building the vfs_nfs4acl_xattr module.
Kerberos and NFSv4 work fine here, but now I want the vfs_nfs4acl_xattr module with it.

But thank you for the reply; the more info I find/get, the quicker I'll have found the problem.

Anyone else have another hint? I do think outside the box, so throw anything at me. :-)

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Andreas Hauffe via samba
> Sent: Wednesday, 10 October 2018 12:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] NFSv4, homes, Kerberos...
> 
> Hi,
> 
> just a hint. In our case it was impossible to use the rpc.svcgssd
> service for kerberized NFSv4, due to a bug (our server OS: Debian 9). We
> got some kind of kernel panic on the server when a client mounted a
> kerberized NFSv4 export. So we are using the "gssproxy" package right now.
> 
> see https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
> 
> -- 
> Regards,
> Andreas Hauffe
> 
> On 09.10.18 at 17:26, L.P.H. van Belle via samba wrote:
> > Hi,
> >
> > I'm getting somewhere; here you go, a snapshot of what I have at the moment,
> > and what works at the moment. I'm assuming you have winbind already running.
> >
> > Obligatory is an A + PTR record in the DNS.
> > You can turn off the rdns check in krb5.conf, but I did not test that.
> >
> > # Tested on Debian Stretch - NFSv4 SERVER
> > apt-get install --auto-remove nfs-kernel-server
> > systemctl stop nfs-*
> >
> > Added in krb5.conf below the default_realm setting.
> > ; ignore k5login not being accessible in the user home dir.
> >          ignore_k5login = true
> >
> > ; for Windows 2008 with AES, needed by CIFS also. ( don't forget the cifs/spn )
> >          default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >          default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >          permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >
> > # Server settings for NFSv4
> > sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
> > sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> > sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> > sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
> >
> > Idmap.conf
> > Add in [general]
> > Domain = internal.domain.tld
> > Local-Realm = YOUR.REALM
> >
> > kinit Administrator
> > net ads keytab add nfs/hostname1.internal.domain.tld@YOUR.REALM -k
> >
> > # The NFS server.  /etc/exports contains now:
> > /srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> > /srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> >
> >
> > # For the Clients.
> > apt-get install nfs-common
> >
> > kinit Administrator
> > # To do on the NFSv4 client
> > net ads keytab add nfs/hostname2.internal.domain.tld@REALM -k
> >
> > sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> > sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> > sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
> >
> > Test:
> > mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> > mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> > mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> > mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
> >
> > For tomorrow, I'm looking to add nfs4acl_xattr to the share.
> >   man vfs_nfs4acl_xattr
> >
> > For now.. I'm heading home...
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Marco Gaiarin via samba
> >> Sent: Tuesday, 9 October 2018 11:00
> >> To: samba at lists.samba.org
> >> Subject: [Samba] NFSv4, homes, Kerberos...
> >>
> >>
> >> I was used to integrating some Linux clients in my Samba network, mounting
> >> homes with 'unix extensions = yes', and it works as expected, at least
> >> with some old Lubuntu derivatives. Client side I use 'pam_mount'.
> >>
> >> Now I'm working on an Ubuntu MATE derivative, and I've not found a way
> >> to start the session properly in CIFS.
> >> If I create a plain local home (pam_mkhome), the session starts as
> >> expected.
> >>
> >> Clients are on DHCP, so it is hard to use 'normal' NFSv3 mounts, e.g.
> >> security by IP.
> >>
> >>
> >> I've looked around at NFSv4/Kerberos setup, but I've not found a
> >> tutorial, or some documentation, that seems clear (at least to me).
> >>
> >> Also, for NFSv3 I use autofs. Better to use pam_mount instead?
> >>
> >>
> >> Briefly, can someone point me to some good documentation? Thanks.
> >>
> >> -- 
> >> dott. Marco Gaiarin                                GNUPG Key ID: 240A3D66
> >>    Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
> >>    Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
> >>    marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> >>
> >>         Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> >>         http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> >>         (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> 
> 


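Added example, not part of the thread above: a small POSIX shell audit for the two configuration fragments Louis posted. It flags two things a practitioner would want to see before calling the setup "Kerberized": every export whose sec= list still contains sys (or has no sec= at all, which nfsd treats as sys), because such an export lets any host in the client range present an arbitrary uid with no ticket; and every RC4/DES entry in the krb5.conf enctype lists, since RC4-HMAC keys are derived from the NT password hash and single-DES enctypes are refused by current MIT krb5 unless allow_weak_crypto = true is set. It also emits a hardened /etc/exports that only accepts the krb5 flavours. The sample inputs are constructed inline from the posted lines; the function names and the client range are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/exports and a krb5.conf
# fragment for settings that undermine a Kerberized NFSv4 setup, and emit a
# hardened exports file. Input is passed as text so it runs offline; on a
# real host use e.g.  weak_exports "$(cat /etc/exports)".

# Constructed sample /etc/exports, modelled on the lines posted above.
SAMPLE_EXPORTS='/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/public     192.168.0.0/24(ro,sync,no_subtree_check)'

# Constructed krb5.conf [libdefaults] fragment with the enctype lists posted above.
SAMPLE_KRB5='[libdefaults]
        default_realm = YOUR.REALM
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5'

# Print the path of every export that still accepts AUTH_SYS: "sec=" lists
# "sys", or there is no "sec=" at all (nfsd then defaults to sys).
weak_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            for (i = 2; i <= NF; i++) {            # each client(options) field
                opts = $i
                sub(/^[^(]*\(?/, "", opts); sub(/\)$/, "", opts)
                sec = "sys"                        # nfsd default when sec= is absent
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                if ((":" sec ":") ~ /:sys:/) { print $1; break }
            }
        }'
}

# Rewrite the export lines so only Kerberos flavours are accepted: drop "sys"
# from every sec= list and add sec=krb5:krb5i:krb5p where it is absent.
# Output is re-spaced with single spaces; review it before installing.
harden_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i !~ /\(/) { $i = $i "(sec=krb5:krb5i:krb5p)"; continue }
                head = $i; opts = $i
                sub(/\(.*$/, "", head); sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
                n = split(opts, o, ","); out = ""; seen = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] ~ /^sec=/) {
                        seen = 1; keep = ""
                        m = split(substr(o[j], 5), f, ":")
                        for (k = 1; k <= m; k++)
                            if (f[k] != "sys") keep = keep (keep == "" ? "" : ":") f[k]
                        o[j] = "sec=" (keep == "" ? "krb5p" : keep)
                    }
                    out = out (out == "" ? "" : ",") o[j]
                }
                if (!seen) out = out ",sec=krb5:krb5i:krb5p"
                $i = head "(" out ")"
            }
            print
        }'
}

# Print every RC4 / DES / 3DES entry in the three enctype lists, one per line
# as "key: enctype". With AES keys in AD these entries only widen the surface.
weak_enctypes() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, e, " ")
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^(rc4-hmac|arcfour-hmac|des-cbc-|des3-)/) print key ": " e[i]
        }'
}

# Stand-alone run: show the findings and the hardened file for the samples.
echo "== exports still allowing AUTH_SYS =="; weak_exports "$SAMPLE_EXPORTS"
echo "== hardened exports ==";               harden_exports "$SAMPLE_EXPORTS"
echo "== weak enctypes ==";                  weak_enctypes "$SAMPLE_KRB5"
```

Keeping sec=sys in the list is handy while testing the four mount variants above, but once krb5p mounts work it should go, otherwise the Kerberos flavours are optional from the client's point of view. The same applies to the rc4-hmac and des-* enctypes: with a 2008-level domain and AES keys on the nfs/ service principal, the aes*-cts-hmac-sha1-96 entries alone are enough.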

