[Samba] NFSv4, homes, Kerberos...
Marco Gaiarin
gaio at sv.lnf.it
Thu Oct 11 11:02:56 UTC 2018
Hello! On that day, L.P.H. van Belle via samba wrote:
> You will hit multiple problems, most can be solved.
Sorry, but I'm totally ''puzzled'' by your email. I'll try to summarize,
hopefully correctly (and hoping someone can put it on the wiki afterwards).
1) ON SERVER
a) if you want to use CIFS, add this to /etc/krb5.conf to force
''cipher compatibility'' between Samba and the kernel cifs module:
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
also add:
ignore_k5login = true
because by default Kerberos tries to read that file in the user's home, and
the homes are not mounted (but this is on the client... WHY on the server?).
b) add an SPN for 'NFS' on the server, e.g.:
samba-tool spn add NFS/mynfs.server.tld mynfs$
c) create a keytab for that SPN:
net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k
d) configure server settings:
sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
Idmap.conf
Add in [general]
Domain = internal.domain.tld
Local-Realm = YOUR.REALM
e) define export dirs:
/srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
2) ON CLIENT
a) install and configure nfs-common:
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
b) create the keytab for the NFS SPN again:
net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k
WHY that? Isn't it sufficient to create the keytab only once?
c) define a systemd automount
Misc question:
> With in systemd the following :
> cat /etc/systemd/system/exports-users.mount
> [Unit]
> Description=NFS export (/exports/users)
> Wants=network-online.target
Why?! It seems to me that defining /etc/exports suffices...
> systemctl cat home-users.automount
> # /etc/systemd/system/home-users.automount
Cool! I was still using 'autofs'; I was not aware of systemd automount!
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
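The krb5.conf and /etc/exports settings summarised in the post above can be audited offline. The following is an added example, not code from the post or from the samba project: it flags the deprecated single-DES and RC4 enctypes in the suggested enctype lists, and any export whose sec= list still admits AUTH_SYS (so a client could mount without Kerberos at all). The sample inputs are constructed from the values in the post.

```python
"""Offline audit of krb5.conf enctype lists and /etc/exports security flavours.
Added example (not the samba project's code); samples below are constructed."""
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649) and RC4 (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def weak_enctypes_in_krb5(krb5_text):
    """Map each enctype list in [libdefaults] to the weak enctypes it allows."""
    findings, section = {}, None
    for line in krb5_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if section == "libdefaults" and m and m.group(1) in ENCTYPE_KEYS:
            weak = [e for e in m.group(2).split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings[m.group(1)] = weak
    return findings

def exports_allowing_sys(exports_text):
    """List (path, client) pairs whose sec= flavours still include AUTH_SYS.
    A missing sec= option means the exportfs default, which is sys."""
    hits = []
    for line in exports_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        path, clients = parts
        for client, opts in re.findall(r"(\S+?)\(([^)]*)\)", clients):
            flavours = ["sys"]  # default when no sec= is given
            for opt in opts.split(","):
                if opt.startswith("sec="):
                    flavours = opt[4:].split(":")
            if "sys" in flavours:
                hits.append((path, client))
    return hits

KRB5_SAMPLE = """[libdefaults]
default_realm = YOUR.REALM
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
ignore_k5login = true
"""
EXPORTS_SAMPLE = """/srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/srv/legacy 192.168.0.0/24(ro,sync,no_subtree_check)
"""
```

Run `weak_enctypes_in_krb5(KRB5_SAMPLE)` and `exports_allowing_sys(EXPORTS_SAMPLE)` against your own files to see which lists and exports would need tightening (e.g. sec=krb5p alone) once every client supports AES and Kerberos.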