[Samba] nfs root kerberos

Rowland penny rpenny at samba.org
Mon Nov 9 20:00:02 UTC 2020 

On 09/11/2020 19:41, Jason Keltz via samba wrote:
> Hi.
>
> I have Samba AD configured correctly, and can mount kerberized NFS 
> from all the CentOS 7 clients.  I'm not able to use "root" on the 
> client even though the nfs export specifies the option: no_root_squash 
> option.
>
> I completely understand that in order to use the "root" identity 
> (which doesn't exist as a user in the domain) on the NFS client, this 
> identity has to be mapped to somewhere else.  That's why my samba 
> config specifies a file for "username map" which contains:
>
> !root = SAMDOM\Administrator
This works in the opposite way to what you think it does, it maps 
Administrator on the client to root on the server i.e. it allows 
Administrator on one machine to do things on another. The only problem 
is that Administrator is a Windows user and shouldn't be used on a Unix 
machine, so it only really works from Windows machines.
>
> I figured that I should just need to do a "kinit Administrator" on the 
> client, and take on the root identity, then I could write as root 
> where I have no_root_squash configured...  However, when I tried this 
> on a client, I get a permission denied when trying to write.

You need to do the kinit as root or using sudo, so the resultant ticket 
belongs to root.

>
> I saw a reference to adding  to /etc/idmapd.conf a static mapping:
>
> Method = static,nsswitch
> [Static]
> MYHOST$@MYREALM = root
>
> ... but it's really not clear why this would be necessary if the 
> username map entry is working. I added this on the server and it's not 
> working either after restarting rpcidmapd.
The username map is probably working, just not as you think.
>
> I also saw a red hat document that talked about adding to /etc/krb5.conf:
>
> [realms]
>> EXAMPLE.COM = {
>> auth_to_local = 
> RULE:[2:$1/$2@$0](host/nfsclient.example.com at EXAMPLE.COM)s/.*/root/
> auth_to_local = DEFAULT
> }
>
> ... but that doesn't seem to change the permission denied.

Not sure if that will work.

Where do you have the username map defined, if it is on the DC, remove 
it immediately, the mapping is already done in idmap.ldb.

Can you please post the smb.conf

Rowland


>
> Any feedback would be greatly appreciated.
>
> Thanks!
>
> Jason.
>
>
>

More information about the samba mailing list