[Samba] nfs root kerberos

Jason Keltz jas at eecs.yorku.ca
Mon Nov 9 19:41:07 UTC 2020


Hi.

I have Samba AD configured correctly, and can mount kerberized NFS from 
all the CentOS 7 clients.  I'm not able to use "root" on the client even 
though the NFS export specifies the no_root_squash option.

I completely understand that in order to use the "root" identity (which 
doesn't exist as a user in the domain) on the NFS client, this identity 
has to be mapped to somewhere else.  That's why my samba config 
specifies a file for "username map" which contains:

!root = SAMDOM\Administrator

I figured that I should just need to do a "kinit Administrator" on the 
client, and take on the root identity, then I could write as root where 
I have no_root_squash configured...  However, when I tried this on a 
client, I got a permission denied when trying to write.

I saw a reference to adding to /etc/idmapd.conf a static mapping:

Method = static,nsswitch
[Static]
MYHOST$@MYREALM = root

... but it's really not clear why this would be necessary if the 
username map entry is working. I added this on the server and it's not 
working either after restarting rpcidmapd.

I also saw a Red Hat document that talked about adding to /etc/krb5.conf:

[realms]
…
EXAMPLE.COM = {
…
auth_to_local = RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/
auth_to_local = DEFAULT
}

... but that doesn't seem to change the permission denied.

Any feedback would be greatly appreciated.

Thanks!

Jason.
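
How an auth_to_local rule list of the form quoted in the message is evaluated, as an added example that is not part of the original post and not MIT krb5 code. It is a simplified Python model: apply_rule and map_principal are hypothetical helper names, the principals are constructed samples in the page's EXAMPLE.COM realm, and escaped characters and multiple s/// clauses are not handled.

```python
import re

# Simplified model of krb5 auth_to_local evaluation (added example, not krb5 source).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

# The two rules quoted in the message, in the order they appear.
RULES = [
    "RULE:[2:$1/$2@$0](host/nfsclient.example.com@EXAMPLE.COM)s/.*/root/",
    "DEFAULT",
]

def apply_rule(rule, principal, default_realm):
    """Return the local name this rule yields, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps one-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    n, fmt, regexp, pat, repl, g = m.groups()
    if len(comps) != int(n):          # component count must equal n
        return None
    values = [realm] + comps          # $0 = realm, $1..$n = components
    s = re.sub(r"\$(\d)", lambda v: values[int(v.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, s):
        return None                   # the regexp must match the whole string
    if pat is not None:               # sed-style substitution, once unless /g
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s

def map_principal(rules, principal, default_realm):
    """First rule that applies wins; None means no local name was produced."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

if __name__ == "__main__":
    for p in ("host/nfsclient.example.com@EXAMPLE.COM",   # constructed samples
              "Administrator@EXAMPLE.COM",
              "host/other.example.com@EXAMPLE.COM"):
        print(p, "->", map_principal(RULES, p, "EXAMPLE.COM"))
```
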