[Samba] nfs root kerberos

L.P.H. van Belle belle at bazuin.nl
Tue Nov 10 13:44:36 UTC 2020 

Well, my problem is i dont now how Centos/RH is handing this. 

I just know that the basics are.. 

1) The server must have A and PTR record. (optional you can use CNAMEs as long A+PTR match). 
   
2) you use nfs/$(hostname -f) and add this in the local keytab and in the computer object$
   net ads keytab add_update_ads nfs/$(hostname -f)

   ( you dont add the REALM here ) ! 


3) i know nfs tries mutiple spns, like : ( random order. )
	nfs/HOSTNAME$
	nfs/hostname.fqdn
	root/hostname.fqdn
On of these must exist in the local keytab file. ( in debian /etc/krb5.keytab ) 
klist -ke /etc/krb5.keytab
Should have at least one with nfs/$(hostname -f)@REALM 

4) you must add this to smb.conf : 
    # renew the kerberos ticket
    winbind refresh tickets = yes

Or the keytab will expire. 

Now, i as said, i dont know Centos and MIT/Heimdall differences, that might be a point. 
But how did you setup the exports, did you define the pseudo NFS4 root. 
Examples here. 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports 

This is how my export looks.
/exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

I hope this helps you out. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: dinsdag 10 november 2020 13:13
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] nfs root kerberos
> 
> On 10/11/2020 11:56, Jason Keltz via samba wrote:
> > Hi Louis,
> > Thanks for your message.
> > However, I already have NFS working completely. I'm only 
> trying to work out root NFS access on the client.  I tried 
> your NFS translation fix via idmapd.conf  but that isn't 
> working for me. I've discovered that's because CentOS 7 is 
> using gssproxy so apparently your fix won't work. The fix 
> from Red Hat (adding some lines to krb.conf seen in my 
> original email) is not working either.  I'll keep working 
> away at it.   When you're testing as root I guess you use the 
> machine credential? That didn't work for me either.
> >
> > Jason.
> >
> I wonder if the problem is kerberos ? By this I mean MIT instead of 
> Heimdal, the Samba DC will be using Heimdal and the Centos 7 
> client will 
> be using MIT, so whilst the client may understand the lines added to 
> krb5.conf, your Samba AD DC might not.
> 
> As I said, I do not use NFS, but Louis does, extensively. So I would 
> advise listening to him.
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list