[Samba] Howto NFSv4 and kerberized mounts debian/ubuntu

L.P.H. van Belle belle at bazuin.nl
Fri Apr 26 13:39:41 UTC 2019


Hi,

Since I'm in a very good mood today,

I'll tell how I set up NFSv4 and CIFS kerberized mounts these days (with systemd).

I saw a lot of howtos on the internet that are not correct or just not working.
.. PS: you want CIFS? Change the nfs/ SPN to cifs/ and change the mounts to cifs.
After that it should be almost the same. (Note: needs to be tested, I don't use it.. yet.)

Now this is tested AND in production on my Debian Jessie/Stretch and Ubuntu 18.04 servers.
I hope you guys can decrypt my setup. ;-)


- I'm assuming Samba is already set up and this is a MEMBER server.

I did check that the members have an A and PTR record in the DNS.

All servers have this as setup base:
hostname.int.dom.tld  A + PTR (+ optional CNAME, a CNAME for example for a webserver:
use CNAME www to hostname and you can use the kerberized logins on the CNAME.)

And I use this part of Samba to make this work with a Samba AD backend configured.
All users have primary group "Domain Users" and I assigned a GID to it.

smb.conf needs: (again, it might work with different settings also, but this is what I use and I know it does work.)
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    # I use "winbind use default domain" so I don't need any translation of dom\ dom\\ to only username.
    # (Comment kept on its own line: smb.conf does not allow a trailing comment after a value,
    #  the text after the value would become part of the value.)
    winbind use default domain = yes
    idmap config AD-DOM : unix_primary_group = yes
    idmap config AD-DOM : unix_nss_info = yes

[users]
    # NOTE1: direct access here, on this server, for the Windows clients.
    browseable = yes
    # This path could/should normally be /home/users, that saves a bind mount... Explained below.
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes


I'll show my setup of kerberized NFSv4 and automounting, which has been in production for 3 years now.
After a lot of changes in the setup, I can now say that this, as shown below, works great.

On my Linux servers, where I log in with SSH (SSO) Kerberos, I end up in the homedir /home/users/MyUserName/
It might be done a bit better, that is for later, this is working well for now.


THE SETUP OF SAMBA and USERS HOMEDIR AND THE NFS SERVER..
- based on Samba member
apt install samba winbind samba-dsdb-modules samba-vfs-modules krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind ldb-tools bind9utils
This gives everything you need for Samba as member.

NFS 
apt install nfs-kernel-server nfs4-acl-tools

Edit : /etc/default/nfs-kernel-server 
Set NEED_SVCGSSD="yes" 

# create the folder with the correct user/group/rights. 
install -o nobody -g nogroup -m 1777 -d /exports
install -o nobody -g nogroup -m 1777 -d /exports/users

# This is NFSv3 and 4 compliant and supports all security options. 
Edit /etc/exports 
/exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

Now, this might be a bit off.
My real users' homedir on member1 is: /home/samba/users/ (the user folders are in here)
But I use /home/users as mount point on ALL my servers, and this is set as homedir in AD (UNIX/NIS extensions).
Yes, including member1.


These directories are created through ADUC, where I put the user homedir in this format.
Homedir: \\servername.fqdn\users\%username%
This path is set to /home/samba/users

How to configure this: use a domain-joined Windows PC, configure the share as DOMAIN\Administrator and folder rights and ..
DON'T TOUCH IT WITH CHMOD! EVER! If you do, you risk losing your Windows ACLs.

Any other user, outside Samba AD, is in /home as normal on Linux.

The bind mount to map /home/samba/users to /exports/users for the NFS export.

The systemd mount unit for it. (ONLY on the NFS server)
# /etc/systemd/system/exports-users.mount
[Unit]
Description=Used for NFS (/exports/users)
Wants=network-online.target

[Mount]
What=/home/samba/users
Where=/exports/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

systemctl enable exports-users.mount
systemctl start exports-users.mount
And I need the same bind mount for the homedir /home/users, because in my UNIX extensions I defined homedir: /home/users.

The mount for the folder we enter after login with SSH (the homedir).
# ONLY on the NFS server; the NFS client servers get a slightly different set.

# /etc/systemd/system/home-users.mount
[Unit]
Description=NFS export (/home/users)
Wants=network-online.target

[Mount]
What=/home/samba/users
Where=/home/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target


# Note, about the homedir setup above: this can be done more easily, but when I started with Samba 4, 5 years ago,
# I did not know what I know now. ;-)

# You need to have the NFS SPN/UPN and root/  << this makes your automounted homedir mount as user.
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file.
You need to add these SPNs also in the AD.
Which I do through ADUC: simply go to the computer object, tab Attribute Editor.
Look up servicePrincipalName and add:
root/fq.domname.tld
nfs/fq.domname.tld
Don't add the REALM, it's not needed.

NOTE! Yes, you can do this with samba-tool also, I know.
There is a BUT here.. If I add with samba-tool I don't get them in /etc/krb5.keytab, at least not consistently.
That's something for later on.

systemctl restart nfs-server

Export the NFS server settings.
exportfs -rv

And I always advise to clear logs, do a reboot and check logs again.
Repeat/fix until your server is free of any error.

And your NFS SERVER/ SAMBA MEMBER server is ready
END OF MEMBER1 

------------------------------------------------------

MEMBER2 : Next, the NFS CLIENT / SAMBA MEMBER setup.
The shortened version here is the auth-only setup, you can add the rest yourself..  ;-)
This setup covers SSH login and NFS (v4 krb5) automounted homedir.

The client setup.
smb.conf, same as above. (except the netbios name of course, that's the HOSTNAME IN CAPS.)

# Note, this example gives you server+ssh+kerberos+nfsclient and SSO login; Samba shares, well, see the wiki ;-)
apt install winbind krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind bind9utils nfs-common nfs4-acl-tools

(Do note, for shares add: samba samba-dsdb-modules samba-vfs-modules, see the line for member1, you can use that also.)

Now, same as every other member, join the domain and start winbind.
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file.
You need to add these SPNs also in the AD.
Which I do through ADUC: simply go to the computer object, tab Attribute Editor.
Look up servicePrincipalName and add:
root/fq.domname.tld
nfs/fq.domname.tld

First, I know I need the homedir to exist.
mkdir /home/users

I need the NFS client to use Kerberos.
Edit /etc/default/nfs-common
Set : NEED_GSSD=yes

I want to be able to log in (SSO) on SSH.
Add at the end of /etc/ssh/sshd_config
# Use DNS for Kerberos auth
UseDNS yes

# Enable kerberos GSSAPI tickets
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

systemctl restart ssh


Now I can log in, I need the homedir.
Adding the systemd mount/automount settings.

# /etc/systemd/system/home-users.mount
[Unit]
Description=User Homes

[Mount]
What=member1.your.domain.tld:/users
Where=/home/users
Type=nfs4
# sec options: sys krb5 krb5i krb5p
Options=sec=krb5p

[Install]
WantedBy=multi-user.target


And the automount part.

# /etc/systemd/system/home-users.automount
[Unit]
Description=Automount Home-Users

[Automount]
Where=/home/users
# Auto unmount after 2.5 min without use.
# (The idle timeout belongs here, in the automount unit, as TimeoutIdleSec;
#  TimeoutSec in the mount unit only limits how long the mount command itself may take.)
TimeoutIdleSec=150

[Install]
WantedBy=multi-user.target

systemctl enable home-users.automount 
systemctl start home-users.automount 


Run : pam-auth-update --force
So you can log in with winbind/kerberos.

systemctl daemon-reload
systemctl restart nfs-client.target

Test the mount.
mount member1.your.domain.tld:/users /home/users -t nfs4 -o sec=krb5
umount /home/users
Test automount.
Just:  ls /home/users
Do you see your users?
Don't get scared if you only see: root:root as user/owner, that should be fine
IF you created the homedir from within Windows.
Then you see this, for example:
drwxrwx---+  13 root  root         4096 Sep 26  2015 username

Check the "real" rights: ( which for me results in ).
getfacl /home/users/username 
getfacl: Removing leading '/' from absolute path names
# file: home/users/username
# owner: username
# group: root
user::rwx
user:root:rwx
user:username:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:username:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---

This results in a private homedir, not even accessible for user root, but it is for BUILTIN\Administrators.
And keep in mind that "Domain Admins" is a member of "BUILTIN\Administrators" by default.
So this environment (/home/users) is locked out for Linux admins but allows Windows admins.

Now, clear logs, reboot, check/fix, reboot and it's ready.
And a last few small notes.

For systemd and mount/automount:
If your homedir base is : /home/users
Then your mount is : systemctl enable home-users.(auto)mount

If your homedir is : /srv/users
Then your mount is : systemctl enable srv-users.(auto)mount
The path MUST be reflected in the unit name.

Multiple domains, or $(ls /home/users) shows only nobody/nogroup?
Then try editing : /etc/idmapd.conf
Configure:
Domain = internal.dom.tld
Local-Realms = YOUR.REALM.TLD
(which is often your DNS domain but in CAPS)



Good luck, questions, I'll probably respond after the weekend.
It's King's Day tomorrow and then I probably can't write or talk within a few hours..
 :-/ << that represents me at that time, I think. On the IT side..

Oh, and know, I'm dyslexic so I might have missed something above but, after 3x rereading, I think it's OK.
If not, if you're quick, I'm available for about 1 1/4 hours as of when this mail hits the list.



Greetz, 

Louis
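Editor's addition, not part of Louis's mail: a small pre-flight script that checks by hand-off what the post above asks you to verify by eye on each member: that the A and PTR records agree, that root/ and nfs/ for the host are really in /etc/krb5.keytab, which security flavours each /etc/exports line admits, and what the systemd unit name for a given mount point has to be. The host name member1.int.dom.tld, the realm INT.DOM.TLD and the sample klist/exports text in the test are made-up placeholders; the script assumes klist (krb5-user), getent, awk and sed are present.

```bash
#!/usr/bin/env bash
# check-krb5-nfs.sh - pre-flight checks for the kerberized NFSv4 setup above.
# Added example (editor's script, not from the post). Assumed tools: klist
# (krb5-user), getent, awk, sed. Host names and realm are placeholders.
# Usage: ./check-krb5-nfs.sh member1.int.dom.tld INT.DOM.TLD [/home/users]
set -u

# systemd unit name for a mount point, same rule as
# `systemd-escape --path --suffix=mount`: strip the outer '/', escape '-'
# as '\x2d', then turn '/' into '-'.   /home/users -> home-users.mount
unit_name_for_path() {
    local p
    p=$(printf '%s' "$1" | sed -e 's,^/*,,' -e 's,/*$,,')
    [ -n "$p" ] || { printf '%s\n' '-.mount'; return 0; }
    printf '%s.mount\n' "$(printf '%s' "$p" | sed -e 's/-/\\x2d/g' -e 's,/,-,g')"
}

# Does `klist -k` output (passed in as text) list exactly this principal?
# Lines look like:  "   2 nfs/member1.int.dom.tld@INT.DOM.TLD"
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '$2 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Security flavours an /etc/exports line offers (exports(5) default is sys).
exports_sec_flavours() {
    local f
    f=$(printf '%s\n' "$1" | sed -n 's/.*[(,]sec=\([^,)]*\).*/\1/p')
    printf '%s\n' "${f:-sys}"
}

# True when the line still admits AUTH_SYS: any host in the export's client
# list can then mount without Kerberos and assert whatever uid it likes.
exports_allows_sys() {
    case ":$(exports_sec_flavours "$1"):" in
        *:sys:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Forward (A) and reverse (PTR) lookups must agree; rpc.gssd and sshd
# canonicalise the host name through DNS before picking a keytab entry.
dns_roundtrip_ok() {
    local ip back
    ip=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    back=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$back" = "$1" ]
}

main() {
    local host=$1 realm=$2 home=${3:-/home/users} kt spn line
    dns_roundtrip_ok "$host" && echo "ok    A/PTR agree for $host" \
        || echo "FAIL  A/PTR mismatch or no record for $host"
    kt=$(klist -k /etc/krb5.keytab 2>/dev/null || true)
    for spn in root nfs; do
        if keytab_has_principal "$kt" "$spn/$host@$realm"; then
            echo "ok    $spn/$host@$realm in /etc/krb5.keytab"
        else
            echo "FAIL  $spn/$host@$realm missing (net ads keytab add $spn/$host -k)"
        fi
    done
    if [ -r /etc/exports ]; then
        grep -Ev '^[[:space:]]*(#|$)' /etc/exports | while IFS= read -r line; do
            if exports_allows_sys "$line"; then
                echo "WARN  sec=sys admitted (unauthenticated uid): $line"
            else
                echo "ok    $(exports_sec_flavours "$line") only: $line"
            fi
        done
    fi
    echo "info  client units for $home: $(unit_name_for_path "$home")" \
         "and $(unit_name_for_path "$home" | sed 's/mount$/automount/')"
}

# Live checks only when called with arguments; the functions above can be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the NFS server and on every client after the keytab and SPN steps. A WARN on an export line is worth a second look: the exports in the post list sec=sys alongside krb5/krb5i/krb5p, so any host in 192.168.0.0/24 can still mount with AUTH_SYS and present any uid it likes, and the Kerberos part only protects clients that choose it. Dropping sys from sec= on the server (once every client mounts with sec=krb5*) closes that. The unit-name helper follows the systemd-escape rule, so a mount point with a dash in it (e.g. /srv/nfs-home) needs the file name srv-nfs\x2dhome.mount, not srv-nfs-home.mount.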




