[Samba] nfs root kerberos
Jason Keltz
jas at eecs.yorku.ca
Tue Nov 10 17:22:33 UTC 2020
Hi Louis,
I've done all that, and my setup is similar to yours.
I believe it's a gss-proxy issue, which you probably aren't using, but I
don't know enough about that to debug this issue, especially because it
could have to do with, as Rowland says, the difference in Kerberos
between Heimdal and MIT. I was hoping one of the Samba developers might
shed some light on this, or I'm stuck without root. I wasn't going to
have root on every client anyway, but it would be useful to have it
temporarily on certain machines are required.
Jason.
On 11/10/2020 8:44 AM, L.P.H. van Belle via samba wrote:
> Well, my problem is i dont now how Centos/RH is handing this.
>
> I just know that the basics are..
>
> 1) The server must have A and PTR record. (optional you can use CNAMEs as long A+PTR match).
>
> 2) you use nfs/$(hostname -f) and add this in the local keytab and in the computer object$
> net ads keytab add_update_ads nfs/$(hostname -f)
>
> ( you dont add the REALM here ) !
>
>
> 3) i know nfs tries mutiple spns, like : ( random order. )
> nfs/HOSTNAME$
> nfs/hostname.fqdn
> root/hostname.fqdn
> On of these must exist in the local keytab file. ( in debian /etc/krb5.keytab )
> klist -ke /etc/krb5.keytab
> Should have at least one with nfs/$(hostname -f)@REALM
>
> 4) you must add this to smb.conf :
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Or the keytab will expire.
>
> Now, i as said, i dont know Centos and MIT/Heimdall differences, that might be a point.
> But how did you setup the exports, did you define the pseudo NFS4 root.
> Examples here.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
>
> This is how my export looks.
> /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
> /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
> I hope this helps you out.
>
>
> Greetz,
>
> Louis
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Rowland penny via samba
>> Verzonden: dinsdag 10 november 2020 13:13
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] nfs root kerberos
>>
>> On 10/11/2020 11:56, Jason Keltz via samba wrote:
>>> Hi Louis,
>>> Thanks for your message.
>>> However, I already have NFS working completely. I'm only
>> trying to work out root NFS access on the client. I tried
>> your NFS translation fix via idmapd.conf but that isn't
>> working for me. I've discovered that's because CentOS 7 is
>> using gssproxy so apparently your fix won't work. The fix
>> from Red Hat (adding some lines to krb.conf seen in my
>> original email) is not working either. I'll keep working
>> away at it. When you're testing as root I guess you use the
>> machine credential? That didn't work for me either.
>>> Jason.
>>>
>> I wonder if the problem is kerberos ? By this I mean MIT instead of
>> Heimdal, the Samba DC will be using Heimdal and the Centos 7
>> client will
>> be using MIT, so whilst the client may understand the lines added to
>> krb5.conf, your Samba AD DC might not.
>>
>> As I said, I do not use NFS, but Louis does, extensively. So I would
>> advise listening to him.
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
More information about the samba
mailing list