[Samba] nfs root kerberos

Rowland penny rpenny at samba.org
Mon Nov 9 20:57:52 UTC 2020


On 09/11/2020 20:20, Jason Keltz via samba wrote:
> On 11/9/2020 3:00 PM, Rowland penny via samba wrote:
>>> I figured that I should just need to do a "kinit Administrator" on 
>>> the client, and take on the root identity, then I could write as 
>>> root where I have no_root_squash configured...  However, when I 
>>> tried this on a client, I get a permission denied when trying to write.
>>
>> You need to do the kinit as root or using sudo, so the resultant 
>> ticket belongs to root.
>>
> So that would mean I need to "samba-tool user create root "password" 
> ?  I was under the impression that the "idmapd.conf" mapping would 
> have avoided that..
No, 'root' is a Unix user and should never be in AD, the same way that 
the Windows user 'Administrator' should never be in /etc/passwd
>
> But that's fine... I created "root" with samba-tool, then did a kinit 
> root, but removed all the other things I did, and it surprisingly 
> still doesn't work.
It wouldn't, see above, I suggest you remove 'root' from AD again.

> Do I still need this in nfsidmap.conf?
Probably, but I would wait until Louis comments, he uses NFS in production.
>
> I had the username map defined on the DC and on all the AD clients.  
> They all actually point to the same file, but it only has that one 
> line and it's otherwise just empty (which is the case now).  I restart 
> the samba-ad-dc on DC and rebooted the client... no difference.

The Samba DCs do not need the username.map, but each Unix domain member 
requires it.

Do you have Unix clients? (not talking about Samba servers here). If 
you don't, why are you using NFS?

>
> on the dc:
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = AD.EECS.YORKU.CA
>         workgroup = EECSYORKUCA
>         dns forwarder = 130.63.94.4
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         interfaces = 127.0.0.1 130.63.94.66
>         bind interfaces only = yes
>
> [netlogon]
>         path = /local/samba/sysvol/ad.eecs.yorku.ca/scripts
>         read only = no
>         guest ok = no
>
> [sysvol]
>         path = /local/samba/sysvol
>         read only = no
>         guest ok = no
>
The 'guest ok = no' lines are not required; it is the default.
> and on the AD client:
>
> [global]
> workgroup = EECSYORKUCA
> security = ADS
> realm = AD.EECS.YORKU.CA
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config EECSYORKUCA : backend = ad
> idmap config EECSYORKUCA : schema_mode = rfc2307
> idmap config EECSYORKUCA : range = 1000-999999
> idmap config EECSYORKUCA : unix_primary_group = yes
> idmap config EECSYORKUCA : unix_nss_info = yes

Have you added any uidNumber & gidNumber attributes to AD ?

Why are you using '1000' as the start number for the 'EECSYORKUCA' 
domain? This means you cannot have any local Unix users (not to be 
confused with Unix domain users).

Rowland
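As an added check that is not part of the thread, the script below parses the 'idmap config ... : range' lines from an smb.conf like the client one quoted above and flags local /etc/passwd accounts whose UIDs fall inside a Samba idmap range (the problem Rowland points at with a range starting at 1000), plus any two idmap ranges that overlap each other. The smb.conf and passwd excerpts are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf excerpt modelled on the domain member config in the thread.
SMB_CONF = """\
[global]
workgroup = EECSYORKUCA
security = ADS
realm = AD.EECS.YORKU.CA
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : schema_mode = rfc2307
idmap config EECSYORKUCA : range = 1000-999999
"""

# Constructed /etc/passwd excerpt with two local accounts in the usual 1000+ range.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
backup-op:x:1001:1001:Local backup operator:/home/backup-op:/bin/bash
monitor:x:1002:1002:Local monitoring:/home/monitor:/usr/sbin/nologin
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_users(passwd: str) -> List[Tuple[str, int]]:
    """Return (name, uid) pairs from passwd-format text; malformed lines are skipped."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users.append((fields[0], int(fields[2])))
    return users

def check_idmap(conf: str, passwd: str) -> List[str]:
    """Report local UIDs inside any idmap range, and idmap ranges that overlap each other."""
    problems = []
    ranges = parse_idmap_ranges(conf)
    for name, uid in local_users(passwd):
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local user {name} (uid {uid}) is inside the {dom} idmap range {lo}-{hi}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"idmap ranges of {a} and {b} overlap")
    return problems
```

Run it against the real files with `check_idmap(open('/etc/samba/smb.conf').read(), open('/etc/passwd').read())`; an empty list means no local UID collides with a Samba-managed range.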