[Samba] NFSv4, homes, Kerberos...

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Oct 10 11:49:49 UTC 2018


It was more a general hint for using kerberos and nfs4 on debian instead 
of a solution for the problem here. In our case rpc.svcgssd worked fine 
for a single domain and users of this domain. We got the problem (server 
kernel panic) when users of a trusted domain tried to use the kerberized 
nfs4 shares. And the only solution was to use gssproxy.

-- 
Kind regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de


On 10.10.18 at 13:35, L.P.H. van Belle via samba wrote:
> Thank you for that, I did have a good look at that one.
> And I use Debian 9; if you test what I posted below in the thread, you will see NFSv4 works fine.
> Below is missing one more thing: the "allow to delegate (kerberos only)" on the computer object in the AD should be enabled.
>
> And yes, I've seen bugchecks also, but only on my Debian .. Lenny..  Stt..  ;-) .. It's my last Lenny server.
> No crashes on jessie or stretch; I don't have fstab entries, everything is done by systemd.
>
> My problem is not crashing, but building the vfs_nfs4acl_xattr module.
> Kerberos and NFSv4 work fine here, but now I want the vfs_nfs4acl_xattr module with it.
>
> But thank you for the reply; the more info I find/get, the quicker I'll find the problem.
>
> Anyone else have another hint? I do think outside the box, so throw anything at me. :-)
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Andreas Hauffe via samba
>> Sent: Wednesday 10 October 2018 12:43
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] NFSv4, homes, Kerberos...
>>
>> Hi,
>>
>> just a hint. In our case it was impossible to use the rpc.svcgssd
>> service for kerberized nfs4, due to a bug (our server OS: Debian 9). We
>> got some kind of kernel panic on the server when a client mounted a
>> kerberized nfs4 export. So we are using the "gssproxy" package right now.
>>
>> see https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
>>
>> -- 
>> Regards,
>> Andreas Hauffe
>>
>> On 09.10.18 at 17:26, L.P.H. van Belle via samba wrote:
>>> Hi,
>>>
>>> I'm getting somewhere, here you go, a snap of what I have atm.
>>> And what works atm. I'm assuming you have winbind already running.
>>>
>>> An A+PTR record in the DNS is obligatory.
>>> You can turn off the rdns check in krb5.conf but I did not test that.
>>>
>>> # Tested on Debian Stretch - NFSv4 SERVER
>>> apt-get install --auto-remove nfs-kernel-server
>>> systemctl stop nfs-*
>>>
>>> Added in krb5.conf below the default_realm setting.
>>> ; ignore k5login not being accessible in the user home dir.
>>>           ignore_k5login = true
>>>
>>> ; for Windows 2008 with AES, needed by CIFS also. ( don't forget the cifs/spn )
>>>           default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>           default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>           permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>
>>> # Server settings for NFSv4
>>> sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
>>> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
>>> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
>>> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
>>>
>>> idmapd.conf
>>> Add in [general]
>>> Domain = internal.domain.tld
>>> Local-Realm = YOUR.REALM
>>>
>>> kinit Administrator
>>> net ads keytab add nfs/hostname1.internal.domain.tld@YOUR.REALM -k
>>>
>>> # The NFS server.  /etc/exports contains now:
>>> /srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>>> /srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>>>
>>> # For the clients.
>>> apt-get install nfs-common
>>>
>>> kinit Administrator
>>> # To do on the NFSv4 client
>>> net ads keytab add nfs/hostname2.internal.domain.tld@REALM -k
>>>
>>> sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
>>> sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
>>> sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
>>>
>>> Test:
>>> mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
>>> mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
>>> mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
>>> mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
>>>
>>> For tomorrow, I'm looking to add nfs4acl_xattr in the share.
>>>    man vfs_nfs4acl_xattr
>>>
>>> For now.. I'm heading home...
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> Marco Gaiarin via samba
>>>> Sent: Tuesday 9 October 2018 11:00
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] NFSv4, homes, Kerberos...
>>>>
>>>>
>>>> I used to integrate some Linux clients in my Samba network, mounting
>>>> homes with 'unix extensions = yes', and it works as expected, at least
>>>> with some old Lubuntu derivatives. Client side I use 'pam_mount'.
>>>>
>>>> Now I'm working on an Ubuntu MATE derivative, and I've not found a way
>>>> to start the session properly in CIFS.
>>>> If I create a plain local home (pam_mkhome), the session starts as
>>>> expected.
>>>>
>>>> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
>>>> security by IP.
>>>>
>>>>
>>>> I've looked around at NFSv4/Kerberos setup, but I've not found a
>>>> tutorial, or some documentation, that seems clear (at least to me).
>>>>
>>>> Also, for NFSv3 I use autofs. Better to use pam_mount instead?
>>>>
>>>>
>>>> Briefly, can someone point me to some good documentation? Thanks.
>>>>
>>>> -- 
>>>> dott. Marco Gaiarin                GNUPG Key ID: 240A3D66
>>>>     Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
>>>>     Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>>>>     marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>>>>
>>>>         Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>>>>         http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>>>>         (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
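An added example, not from the thread or from Samba/nfs-utils: a small Python audit of the two config fragments Louis posted. It flags exports whose sec= list offers sys next to the krb5 flavours (a client can then mount with plain AUTH_SYS, so the Kerberos setup enforces nothing for that export) and enctype lists in krb5.conf that still include RC4 or single-DES. The sample config text is constructed from the thread's fragments; the exports parser assumes the one-client-per-line form shown there.

```python
import re

# Constructed sample fragments modelled on the thread's /etc/exports and
# krb5.conf lines (not the poster's real files); the third export shows a
# Kerberos-only entry that the audit leaves alone.
SAMPLE_EXPORTS = """\
# The NFS server.
/srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/secure 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
"""
SAMPLE_KRB5 = """\
[libdefaults]
        ignore_k5login = true
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
# RC4 and single-DES enctypes: offering them lets a peer negotiate down to them.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# One client entry per line, as in the thread: <path> <client>(<options>)
EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)$")

def audit_exports(text):
    """Return (path, client) for exports whose sec= list still offers the
    unauthenticated AUTH_SYS flavour next to krb5/krb5i/krb5p."""
    hits = []
    for raw in text.splitlines():
        m = EXPORT_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        path, client, opts = m.groups()
        options = dict(o.partition("=")[::2] for o in opts.split(","))
        flavours = options.get("sec", "sys").split(":")  # exportfs default is sys
        if "sys" in flavours and any(f.startswith("krb5") for f in flavours):
            hits.append((path, client))
    return hits

def audit_krb5(text):
    """Return {option: [weak enctypes]} for the enctype lists in krb5.conf."""
    weak = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() in ENCTYPE_KEYS:
            found = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if found:
                weak[key.strip()] = found
    return weak
```

On the thread's fragments this reports both sys+krb5 exports and the RC4/DES entries in default_tgs_enctypes; once testing is done, drop sys from sec= and trim the enctype lists to the AES types.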


