[Samba] nfs root kerberos

L.P.H. van Belle belle at bazuin.nl
Wed Nov 11 07:48:28 UTC 2020


Hai Jason, 

Hmm, yes, well, only one thing I can think of now,
and that's the last one..

Is the server allowed to delegate Kerberos services? 
Have you set that also? It's the last thing I can remember.

Greetz, 

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Jason Keltz via samba
> Sent: Tuesday 10 November 2020 18:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs root kerberos
> 
> Hi Louis,
> 
> I've done all that, and my setup is similar to yours.
> 
> I believe it's a gss-proxy issue, which you probably aren't using, but I don't know enough about that to debug this issue, especially because it could have to do with, as Rowland says, the difference in Kerberos between Heimdal and MIT. I was hoping one of the Samba developers might shed some light on this, or I'm stuck without root. I wasn't going to have root on every client anyway, but it would be useful to have it temporarily on certain machines as required.
> 
> Jason.
> 
> On 11/10/2020 8:44 AM, L.P.H. van Belle via samba wrote:
> > Well, my problem is I don't know how CentOS/RH is handling this.
> >
> > I just know that the basics are..
> >
> > 1) The server must have A and PTR records. (Optionally you can use CNAMEs as long as A+PTR match.)
> >
> > 2) You use nfs/$(hostname -f) and add this in the local keytab and in the computer object$
> >     net ads keytab add_update_ads nfs/$(hostname -f)
> >
> >     ( you don't add the REALM here ) !
> >
> >
> > 3) I know NFS tries multiple SPNs, like: (random order)
> > 	nfs/HOSTNAME$
> > 	nfs/hostname.fqdn
> > 	root/hostname.fqdn
> > One of these must exist in the local keytab file (in Debian /etc/krb5.keytab).
> > klist -ke /etc/krb5.keytab
> > Should have at least one with nfs/$(hostname -f)@REALM
> >
> > 4) You must add this to smb.conf:
> >      # renew the kerberos ticket
> >      winbind refresh tickets = yes
> >
> > Or the keytab will expire.
> >
> > Now, as I said, I don't know the CentOS and MIT/Heimdal differences, that might be a point.
> > But how did you set up the exports, did you define the pseudo NFS4 root?
> > Examples here.
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
> >
> > This is how my export looks.
> > /exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
> > /exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
> >
> > I hope this helps you out.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Rowland penny via samba
> >> Sent: Tuesday 10 November 2020 13:13
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] nfs root kerberos
> >>
> >> On 10/11/2020 11:56, Jason Keltz via samba wrote:
> >>> Hi Louis,
> >>> Thanks for your message.
> >>> However, I already have NFS working completely. I'm only trying to work out root NFS access on the client. I tried your NFS translation fix via idmapd.conf but that isn't working for me. I've discovered that's because CentOS 7 is using gssproxy so apparently your fix won't work. The fix from Red Hat (adding some lines to krb.conf seen in my original email) is not working either. I'll keep working away at it. When you're testing as root I guess you use the machine credential? That didn't work for me either.
> >>> Jason.
> >>>
> >> I wonder if the problem is Kerberos? By this I mean MIT instead of Heimdal, the Samba DC will be using Heimdal and the CentOS 7 client will be using MIT, so whilst the client may understand the lines added to krb5.conf, your Samba AD DC might not.
> >>
> >> As I said, I do not use NFS, but Louis does, extensively. So I would advise listening to him.
> >>
> >> Rowland
> >>
> >>
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> 
> 
> 
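A small checker for step 3 of Louis's list above (which of the candidate NFS service principals exist in the local keytab, as shown by `klist -ke`), added here as an example and not code from the thread or from Samba; the klist output, the host name nfs1.example.com and the realm EXAMPLE.COM are constructed assumptions.

```python
import re

# Constructed sample of `klist -ke /etc/krb5.keytab` output (not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/nfs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 NFS1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs1.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# One keytab entry line: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")
# Enctypes a keytab should not depend on exclusively.
LEGACY_ENCTYPES = {"arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}


def parse_klist(text):
    """Return a list of (kvno, principal, realm, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def candidate_spns(fqdn):
    """The three principals the thread says the NFS server tries, in no fixed order."""
    short = fqdn.split(".")[0].upper()
    return {f"nfs/{short}$", f"nfs/{fqdn}", f"root/{fqdn}"}


def check_nfs_keytab(text, fqdn, realm):
    """Report which candidate SPNs exist for the realm, and which have only legacy keys."""
    wanted = candidate_spns(fqdn)
    found = {}
    for _kvno, principal, r, enctype in parse_klist(text):
        if r == realm and principal in wanted:
            found.setdefault(principal, set()).add(enctype)
    legacy_only = sorted(p for p, encs in found.items() if encs <= LEGACY_ENCTYPES)
    return {"present": sorted(found), "legacy_only": legacy_only, "ok": bool(found)}


if __name__ == "__main__":
    print(check_nfs_keytab(SAMPLE_KLIST, "nfs1.example.com", "EXAMPLE.COM"))
```

On a real host, feed it the output of `klist -ke /etc/krb5.keytab` and the values of `hostname -f` and your realm; an empty `present` list means the `net ads keytab add_update_ads` step from the list above has not produced a usable entry.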