[Samba] NFSv4, homes, Kerberos...

L.P.H. van Belle belle at bazuin.nl
Thu Oct 11 12:27:18 UTC 2018


Hi Marco,

> -----Original message-----
> From: Marco Gaiarin [mailto:gaio at sv.lnf.it]
> Sent: Thursday 11 October 2018 14:15
> To: L.P.H. van Belle
> Subject: Re: [Samba] NFSv4, homes, Kerberos...
> 
> Hello! L.P.H. van Belle
>   On that day it was said...
> 
> > If you want to test the module, I have a set ready to test.
> 
> Ah, really I don't understand why I *need* to use that module.
> Better ACL compatibility between NFSv4 and CIFS?
> 
> Anyway, now I need to mount homes, where Unix permissions suffice. ;-)
> 
> -- 
Well, you don't need to, but in my case I've restricted administrators and root from accessing the users' homedir.
Then I need to, because this does not only work with sec=sys (like NFS3); one of the reasons why I'm setting up a new test server.

It's a bit long but it explains a lot IMO. If not, ask again.  ;-)
I was typing this in the first reply, so I added it in this email.
 

> Sorry, but I'm totally ''puzzled'' by your email. I try to summarize,
> hoping correctly (and hoping someone can put it on the wiki afterwards).

Ah, that happens often. I'm writing down all my steps of this install; when done I'll put it online.
Hopefully on the new website that's coming soon, because the current one is .....
I'm just not a coder. I try to, doing my best..  ;-)

> 
> 1) ON SERVER
> 
> a) if you want to use CIFS, add this to /etc/krb5.conf, to force
> ''cipher compatibility'' between Samba and the kernel CIFS module:
> 	default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 	default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 	permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> add also:
> 	ignore_k5login = true
> 
> because by default Kerberos tries to read that file in the user's home, and
> they are not mounted (but this is on the client... WHY on the server?).
Yes, you're correct, it's not really needed on the server, but I bind mount my home folder so it's the same on every server.
Because of that I use the setting also on the server.
I also advise setting the cipher compatibility on all servers.
Why? Because it just helps in multiple places, like CIFS (smbclient).


> b) add SPN for 'NFS' on the NFS server, eg:  <<< so in this case, talking about the server, it's the NFS server (and Samba AD member)
> 	samba-tool spn add NFS/mynfs.server.tld mynfs$
If you do this on the AD DC, then yes, correct, but if you do it there, then you need to export and transfer the keys also.

> 
> c) create keytab for that SPN on the NFS server..
> 	net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k
If you do this on the AD member, then yes, correct, and with
kerberos method = secrets and keytab     < preferred.
Or
kerberos method = keytab
it's automatically added to the keytab file (which I prefer).

But you only need to do one of these two (b or c).


> 
> d) configure server settings:
> 	sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
> 	sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> 	sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> 	sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
Yes, correct, needed for all NFS server startups.
Type: systemctl cat nfs*

and see all NFS systemd services at once.
Don't forget to enable it: systemctl enable nfs-kernel-server

> 
> 	idmapd.conf
> 	Add in [general]
> 	Domain = internal.domain.tld
> 	Local-Realm = YOUR.REALM
This makes sure you have the correct mappings.
Open a console and type: rpc.idmapd -fvvv on both servers, and now access the NFS mount.
It tells you a lot. ;-)

A handy one I did not mention.
! Optionally you can do this in idmapd.conf, add:

[Translation]
Method = nsswitch,static
GSS-Methods = nsswitch,static

[Static]
HOSTNAME$@YOUR.REALM = root

I've mapped a server (user=computer$) to root.
But I do advise starting without this; it's kind of a 'last resort' to try to make something work.

> 
> e) define export dirs
> /srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> /srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
Yes, for the server only.
Based on the /home/users example above there can be 2 different setups.

1) as shown above
/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/users      192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

optionally a mount -o bind /home/users /srv/users, or without the bind mount;
just check what applies most to your setup.

And enable "this computer may delegate to all services (Kerberos only)" for server and client.


> 
> 
> 2) ON CLIENT
> 
> a) install and configure nfs-common:
> 	sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
> 	sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
> 	sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
> 
> b) create keytab for NFS SPN for the CLIENT
> 	net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k
> 
>  WHY that? Doesn't it suffice to create the keytab only once?
Both server and client must have the NFS SPN, but each only its own.
After adding them you can find them on the computer object in the AD to check them manually (servicePrincipalName).
And enable "this computer may delegate to all services (Kerberos only)".
Now a "user" is allowed to mount also, which leaves us at... the automount.


> 
> c) define systemd automount
> 
> 
> Misc question:
> 
> > With in systemd the following : 
> > cat /etc/systemd/system/exports-users.mount
> > [Unit]
> > Description=NFS export (/exports/users)
> > Wants=network-online.target
> 
> Why?! It seems to me that defining /etc/exports suffices...

Because of the next line, the .mount is the real mount with the settings. 
> 
> 
> > systemctl cat home-users.automount
> > # /etc/systemd/system/home-users.automount
And once you touch the location, it is mounted.

> 
> Cool! I was still using 'autofs', I was not aware of systemd
> automount!
> 
I'm using it now for over a year and it works great.
Just keep in mind the file name needs to reflect the location of the mount.

So in this case:
home-users.automount
home-users.mount
reflect /home/users.
Ah, now I see...
Let me correct something here, the above example has 2 servers' settings mixed:
my new one in testing at the moment and an old one.

So this part 
> > cat /etc/systemd/system/exports-users.mount
> > [Unit]
> > Description=NFS export (/exports/users)
> > Wants=network-online.target
> 
should be:
 
cat /etc/systemd/system/home-users.mount
[Unit]
Description=NFS mount (/home/users)
Wants=network-online.target


Lastly, why I'm working hard on this.
I'm setting up a system even cleaner than before, with the network config also fully in systemd.
Which saves me even more packages to install, and less is better in my opinion.

I needed some extra bandwidth for a storage server and I enabled a trunk on my switch to get 2GB.

This is the network example of my system settings.
First set up and match some MAC addresses..
(bond0 is a reserved interface, don't use it.)

! Note, below are 4 different files. !

#############################################
# /etc/systemd/network/30-bond1-dev1.network
[Match]
MACAddress=aa:b2:bc:02:d6:01

[Network]
Bond=bond1

#############################################
# /etc/systemd/network/30-bond1-dev2.network
[Match]
# MAC address of the second NIC; it must differ from the one in 30-bond1-dev1.network
MACAddress=aa:b2:bc:02:d6:01

[Network]
Bond=bond1

#############################################
# /etc/systemd/network/30-bond1.netdev
[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=802.3ad
MIIMonitorSec=1s
#LACPTransmitRate=fast
#UpDelaySec=2s
#DownDelaySec=8s
#TransmitHashPolicy=layer2
#TransmitHashPolicy=layer3+4

#############################################
# /etc/systemd/network/30-bond1.network
[Match]
Name=bond1

[Network]
DNS=192.168.0.1
DNS=192.168.0.2
Domains=internal.domain.tld
NTP=dc1.internal.domain.tld
NTP=dc2.internal.domain.tld

[Address]
Address=192.168.0.200/24

[Route]
Destination=0.0.0.0/0
Gateway=192.168.0.1

#############################################

You can add extra routes here also. 

Now I did run: systemctl enable systemd-timesyncd.service
which enables the systemd time daemon. So no need for NTP packages.
(for members only!)

Resulting in, with the above DNS and NTP settings, I don't need to touch resolv.conf or any NTP package anymore.

Do note for the above network bonding setup you need to trunk your switch ports also.
If you can't trunk your ports, set Mode=802.3ad to something else that does not need a trunk setting.
This link
https://www.cyberciti.biz/tips/debian-ubuntu-teaming-aggregating-multiple-network-connections.html
shows a table with the settings and some explanation.

Now, as Rowland would say, "systemd" fanboy; no I'm not, and don't attack him for that,
but when I use things like this, I try to use it at its best.

And I really like the chain linking of services in systemd, much easier and more precise..

So far, ... More questions? Just ask.

Greetz, 

Louis
