[Samba] NFSv4, homes, Kerberos...

Marco Gaiarin gaio at sv.lnf.it
Thu Oct 11 11:02:56 UTC 2018


Hello! L.P.H. van Belle via samba
  on that day wrote...

> You will hit muliple problems, most can be solved. 

Sorry, but I'm totally ''puzzled'' by your email. I'll try to summarize,
hoping to get it right (and hoping someone can put it on the wiki afterwards).

1) ON SERVER

a) if you want to use CIFS, add this to /etc/krb5.conf, to force
''cipher compatibility'' between Samba and the kernel cifs module:
	default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
	default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
	permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

add also:
	ignore_k5login = true

because by default Kerberos tries to read that file in the user's home, and
the homes are not mounted (but this is on the client... WHY on the server?).

b) add SPN for 'NFS' on server, eg:
	samba-tool spn add NFS/mynfs.server.tld mynfs$

c) create keytab for that SPN:
	net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k

d) configure server settings:
	sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
	sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
	sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
	sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common

	idmapd.conf
	add in [general]:
	Domain = internal.domain.tld
	Local-Realm = YOUR.REALM

e) define the exported dirs:
	/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
	/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)


2) ON CLIENT

a) install and configure nfs-common:
	sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
	sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
	sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common

b) create the keytab again for the NFS SPN:
	net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k

 WHY that? Isn't it sufficient to create the keytab only once?

c) define systemd automount


Misc question:

> With in systemd the following : 
> cat /etc/systemd/system/exports-users.mount
> [Unit]
> Description=NFS export (/exports/users)
> Wants=network-online.target

Why?! It seems to me that defining /etc/exports suffices...


> systemctl cat home-users.automount
> # /etc/systemd/system/home-users.automount

Cool! I was still using 'autofs'; I was not aware of systemd automount!


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
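An added check, not part of the original mail or of Samba/nfs-utils, for two points a security reviewer would raise about the configuration summarised in the mail: the three enctype lists admit single-DES and RC4 alongside AES, and both export lines list sec=sys ahead of the Kerberos flavours, so any host on 192.168.0.0/24 can still mount with AUTH_SYS and present whatever UID it likes, which makes the whole Kerberos setup optional. The script below writes constructed copies of those two fragments to a temporary directory (the [libdefaults] section header, the file names under $WORK and the AES-only replacement list are assumptions), reports the legacy enctypes and the exports that still accept sys, and produces hardened versions that pass the same checks.

```shell
#!/bin/sh
# Added example, not from the original mail or from Samba/nfs-utils: audit
# the krb5.conf enctype lists and the /etc/exports security flavours from
# the setup summarised in the mail, then emit hardened versions.
# $WORK file names and the AES-only enctype list are assumptions.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed krb5.conf fragment copied from the mail (legacy enctypes included).
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
	default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
	default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
	permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
	ignore_k5login = true
EOF

# Constructed /etc/exports copied from the mail (sec=sys listed first).
cat > "$WORK/exports" <<'EOF'
/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
EOF

# weak_enctypes FILE: print, one per line, every DES/3DES/RC4 enctype named in
# the default_tgs_enctypes / default_tkt_enctypes / permitted_enctypes settings.
weak_enctypes() {
    sed -n -E 's/^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=//p' "$1" \
      | tr -s ' \t' '\n\n' \
      | grep -E '^(des-|des3-|rc4-|arcfour-)' \
      | sort -u
}

# exports_allowing_sys FILE: print the path of every export that still accepts
# AUTH_SYS, either because a client spec lists "sys" in sec= or because it
# has no sec= at all (exports(5): the default flavour is sys).
exports_allowing_sys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (c = 2; c <= NF; c++) {
                allows = 1                      # no sec= option: default is sys
                if (match($c, /sec=[^,)]*/)) {
                    allows = 0
                    n = split(substr($c, RSTART + 4, RLENGTH - 4), f, ":")
                    for (i = 1; i <= n; i++) if (f[i] == "sys") allows = 1
                }
                if (allows) { print $1; next }
            }
        }' "$1"
}

# aes_only FILE: rewrite the three enctype settings to AES only, on stdout.
aes_only() {
    sed -E 's/^([[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=).*$/\1 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96/' "$1"
}

# krb5_only_exports FILE: drop the sys flavour from every sec= list, on stdout,
# so clients must use krb5, krb5i or krb5p to mount at all.
krb5_only_exports() {
    sed -E 's/sec=sys:/sec=/g; s/:sys([,)])/\1/g' "$1"
}

echo "Legacy enctypes permitted by $WORK/krb5.conf:"
weak_enctypes "$WORK/krb5.conf"
echo "Exports still mountable with AUTH_SYS:"
exports_allowing_sys "$WORK/exports"

aes_only "$WORK/krb5.conf" > "$WORK/krb5.conf.hardened"
krb5_only_exports "$WORK/exports" > "$WORK/exports.hardened"
echo "Hardened exports:"
cat "$WORK/exports.hardened"
```

Dropping sys from the export is only safe once every client that needs the share has a working keytab and gssd, which is exactly what steps 2a and 2b set up; until then, a sec=sys fallback silently hides clients whose Kerberos mount is broken.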


