[Samba] Howto NFSv4 and kerberized mounts debian/ubuntu

L.P.H. van Belle belle at bazuin.nl
Fri Apr 26 13:39:41 UTC 2019


Since im in a very good mooth today. 

I'll tell how I did setup NFSv4 and CIFS kerberozed mounts these days (with systemd)

I saw a lot of howto's on the internet, that are not correct or just not working.
.. Ps you want cifs? Change the nfs/spn to cifs and change the mounts to cifs. 
After that, should be almost the same. ( note, needs to be tested, i dont use it.. yet. )

Now this is tested AND in production on my Debian Jessie/Stretch and Ubuntu 18.04 servers
I hope you guys can decrypt my setup. ;-) 

- Im assuming Samba is already setup and this is a MEMBER server. 

I did check if the members did have an A and PTR record in the dns.

All servers have as setup base this. 
hostname.int.dom.tld  A + PTR (+ optional CNAME, cname for example for a webserver, 
Use cname www to hostname and you can use the kerberized logins on the cname. 

And i use this part of samba to make this work with a samba AD backend configured. 
All users have primary group "Domain Users" and i did assigned a GID to it. 

smb.conf needs: (again might work with different settings also, but this is what i use and i know it does work.)
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    winbind use default domain = yes	# i use this so dont need any translation of dom\ dom\\ to only username.
    idmap config AD-DOM : unix_primary_group = yes 
    idmap config AD-DOM : unix_nss_info = yes    

    # NOTE1: direct access here, on this server, for the windows clients. 
    browseable = yes
    # This path could/should be normaly /home/users, that saves a mount bind... Explained below. 
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

I'll show my setup of NFSv4 kerberize and automounting,  which is in production for 3 years now. 
After a lot of changes in the setup, i can now say, this as shown below, works great.

On my linux servers, where i login with ssh (SSO) kerberos, i end up in the homedir /home/users/MyUserName/
And might be done a bit better, that is for later, this is working good for now.

- based on Samba member 
apt install samba winbind samba-dsdb-modules samba-vfs-modules krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind ldb-tools bind9utils
This give everything you need for samba as member. 

apt install nfs-kernel-server nfs4-acl-tools

Edit : /etc/default/nfs-kernel-server 

# create the folder with the correct user/group/rights. 
install -o nobody -g nogroup -m 1777 -d /exports
install -o nobody -g nogroup -m 1777 -d /exports/users

# This is NFSv3 and 4 compliant and supports all security options. 
Edit /etc/exports 

Now, this might be a bit off. 
Now my real users homedir on member1 is : /home/samba/users/ ( users folders here ) 
But i use on ALL my server /home/users as mount point, and this is set as homedir in AD. ( unix/NIS extensions) 
Yes, including member1 

These directories are created through ADUC, where i put the user homedir in this format. 
Homedir: \\servername.fqdn\users\%username% 
This path is set to /home/samba/users 

Howto configure this, use a domain join windows PC, configure the share as DOMIN\Administrator and folder rights and ..
DONT TOUCH IT WITH CHMOD! EVER! If you do you risk losing your windows ACL's 

Any other user, outside samba-ad, is in /home as normal on linux.

The mount-bind export to map /home/samba/users to /exports/users for the NFS export. 

The systemd mounter for it. ( ONLY on nfs server ) 
# /etc/systemd/system/exports-users.mount
Description=Used for NFS (/exports/users)



systemctl enable export-users.mount 
systemctl start export-users.mount 
And i need the same mount bind for the homedir /home/users. Because in my UNIX extenstions i defined homedir : /home/users. 

The mount for the folder, we enter after login with SSH.(the homedir)  
# ONLY on NFS Server, the NFS client server get bit diffent set.

# /etc/systemd/system/home-users.mount
Description=NFS export (/home/users)



# Note, above homedir setup : This can be done more easy, but when i started samba4 5 years ago, 
# I did not know what i know now. ;-)

# you need to have the NFS SPN/UPN and root/  << this make your automounted homedir mount as user. 
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file. 
You need to add these spns also in the AD. 
Which i do through ADUC, simple goto the computer object, tab Atribute editor. 
Lookup servicePrincipleName and add: 
Dont add the REALM not needed. 

NOTE ! Yes you can do this with samba-tool also, i know.  
There is a BUT here.. If i add with samba tool i dont get them in /etc/krb5.keytab at least not consistantly. 
Thats something for later on. 

systemctl restart nfs-server

Export the nfs server settings. 
exportfs -rv

And i always advice, to clear logs, do a reboot and check logs again. 
Repeat/fix untill you server is free of any error. 

And your NFS SERVER/ SAMBA MEMBER server is ready


The shorted version here, is the auth-only setup, you can add the rest yourself..  ;-) 
This setup covers ssh login and nfs(v4 krb5) automounted homedir. 

The client setup. 
smb.conf , same as above. ( execpt the netbios name ofcourse thats the HOSTNAME IN CAPS. ) 

# Note, this example give you server+ssh+kerberos+nfsclient and SSO login, samba shares, well, see wiki ;-) 
apt install winbind krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind bind9utils nfs-common nfs4-acl-tools

( Do note, for shares add : samba samba-dsdb-modules samba-vfs-modules , see the line for member1, you can use that also. ) 

Now same as every other member, join the domain, and start winbind. 
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file. 
You need to add these spns also in the AD. 
Which i do through ADUC, simple goto the computer object, tab Atribute editor. 
Lookup servicePrincipleName and add: 

First i know i need the homedir to exist. 
mkdir /home/users 

I need nfs client to use kerberos.
Edit /etc/default/nfs-common 
Set : NEED_GSSD=yes

I want to be able to login (sso) on ssh.
Add at the end of /etc/ssh/sshd_config 
# Use Dns for kerberos auth
UseDNS yes

# Enable kerberos GSSAPI tickets
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

systemctl restart ssh

Now i can login, i need the homedir. 
Adding the Systemd mount/automount settings. 

# /etc/systemd/system/home-users.mount
Description=User Homes

# sec options: sys krb5 krb5i krb5p
# Auto unmount after 2.5 min. 


And the automount part.

# /etc/systemd/system/home-users.automount
Description=Automount Home-Users



systemctl enable home-users.automount 
systemctl start home-users.automount 

Edit /etc/default/nfs-common 
Set : NEED_GSSD=yes

Run : pam-auth-update --force 
So you can login with winbind/kerberos. 

systemctl daemon-reload
systemctl restart nfs-client

Test mount. 
And test the mount. 
mount member1.your.domain.tld:/users /home/users -t nfs4 -o sec=krb5
Umount /home/users 
Teset automount 
Just:  ls /home/user 
Do you see your users. 
Dont get scared if you only see : root:root as user/owner, that should be fine. 
IF you created the homedir from within windows. 
Then you see this for example. 
drwxrwx---+  13 root  root         4096 Sep 26  2015 username

Check the "real" rights: ( which for me results in ).
getfacl /home/users/username 
getfacl: Removing leading '/' from absolute path names
# file: home/users/username
# owner: username
# group: root

This results in a private homedir, not even accessable for user root, but it is for BUILTIN\administrators
And, keep in mind that "Domain Admins" is member of "BUILTIN\Administrators" by default 
So this environment (/home/user) is locked out for linux admins but allows Windows Admins. 

Now, Clear logs, Reboot, check/fix reboot and its ready.
And last few small notes. 

For systemd and mount/automount 
If you homedir base is : /home/users
Then you mount is : systemctl enable home-users.(auto)mount  

If you homedir is : /srv/users 
Then you mount is : systemctl enable srv-users.(auto)mount  
The path MUST reflex to the service name. 

Multiple domains or $(ls /home/user) shows only nobody/nogroup.
Then try edit : /etc/idmapd.conf
Domain = internal.dom.tld
Local-Realm = YOUR.REALM.TLD 
( which is often you dnsdomain but in CAPS ) 

Good luck, questions, i'll probaly responce after the weekend, 
It kingsday tomorrow and then i probaly cant write or talk within a few hours..
 :-/ << that reprecents me at that time i think. On it side.. 

Ow and know, im dislectis so i might have missed something above but, after 3x reread, i think its ok. 
If not, if you quick, im available for about 1 1/4 hours as of this mail hits the list. 



More information about the samba mailing list