[Samba] nfs root kerberos

Jason Keltz jas at eecs.yorku.ca
Wed Nov 11 10:54:15 UTC 2020


Hi Louis,
I've looked into that, and I'm not sure how this would be done.
By the way, even with your NFS translation fix (which doesn't work for me because of gssproxy), do you do this before accessing root files?
sudo root
kinit -k 'host$'
?

Jason.

On Nov. 11, 2020, 2:48 a.m., at 2:48 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>Hai Jason, 
>
>Hmm, yes, well, there is only one thing I can think of now,
>and that's the last one..
>
>Is the server allowed to delegate Kerberos services? 
>Have you set that also? It's the last thing I can remember.
>
>Greetz, 
>
>Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>> Jason Keltz via samba
>> Sent: Tuesday, 10 November 2020 18:23
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] nfs root kerberos
>> 
>> Hi Louis,
>> 
>> I've done all that, and my setup is similar to yours.
>> 
>> I believe it's a gss-proxy issue, which you probably aren't using, but I 
>> don't know enough about that to debug this issue, especially because it 
>> could have to do with, as Rowland says, the difference in Kerberos 
>> between Heimdal and MIT.  I was hoping one of the Samba developers might 
>> shed some light on this, or I'm stuck without root.  I wasn't going to 
>> have root on every client anyway, but it would be useful to have it 
>> temporarily on certain machines as required.
>> 
>> Jason.
>> 
>> On 11/10/2020 8:44 AM, L.P.H. van Belle via samba wrote:
>> > Well, my problem is I don't know how CentOS/RH is handling this.
>> >
>> > I just know that the basics are..
>> >
>> > 1) The server must have A and PTR records. (Optionally you can 
>> use CNAMEs, as long as A+PTR match.)
>> >     
>> > 2) You use nfs/$(hostname -f) and add this to the local 
>> keytab and to the computer object$
>> >     net ads keytab add_update_ads nfs/$(hostname -f)
>> >
>> >     (You don't add the REALM here!)
>> >
>> >
>> > 3) I know NFS tries multiple SPNs, like (in random order):
>> > 	nfs/HOSTNAME$
>> > 	nfs/hostname.fqdn
>> > 	root/hostname.fqdn
>> > One of these must exist in the local keytab file (on 
>> Debian, /etc/krb5.keytab).
>> > klist -ke /etc/krb5.keytab
>> > should show at least one with nfs/$(hostname -f)@REALM
>> >
>> > 4) You must add this to smb.conf:
>> >      # renew the kerberos ticket
>> >      winbind refresh tickets = yes
>> >
>> > or the keytab will expire.
>> >
>> > Now, as I said, I don't know the CentOS and MIT/Heimdal 
>> differences; that might be a point.
>> > But how did you set up the exports? Did you define the 
>> pseudo NFS4 root?
>> > Examples here.
>> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
>> >
>> > This is how my export looks.
>> > /exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
>> > /exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>> >
>> > I hope this helps you out.
>> >
>> >
>> > Greetz,
>> >
>> > Louis
>> >
>> >
>> >> -----Original message-----
>> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> >> Rowland penny via samba
>> >> Sent: Tuesday, 10 November 2020 13:13
>> >> To: samba at lists.samba.org
>> >> Subject: Re: [Samba] nfs root kerberos
>> >>
>> >> On 10/11/2020 11:56, Jason Keltz via samba wrote:
>> >>> Hi Louis,
>> >>> Thanks for your message.
>> >>> However, I already have NFS working completely. I'm only
>> >> trying to work out root NFS access on the client.  I tried
>> >> your NFS translation fix via idmapd.conf  but that isn't
>> >> working for me. I've discovered that's because CentOS 7 is
>> >> using gssproxy so apparently your fix won't work. The fix
>> >> from Red Hat (adding some lines to krb.conf seen in my
>> >> original email) is not working either.  I'll keep working
>> >> away at it.   When you're testing as root I guess you use the
>> >> machine credential? That didn't work for me either.
>> >>> Jason.
>> >>>
>> >> I wonder if the problem is Kerberos? By this I mean MIT instead of
>> >> Heimdal: the Samba DC will be using Heimdal and the CentOS 7 client will
>> >> be using MIT, so whilst the client may understand the lines added to
>> >> krb5.conf, your Samba AD DC might not.
>> >>
>> >> As I said, I do not use NFS, but Louis does, extensively. So I would
>> >> advise listening to him.
>> >>
>> >> Rowland
>> >>
>> >>
>> >>
>> >> -- 
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions:  https://lists.samba.org/mailman/options/samba
>> >>
>> >>
>> 
>
>
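As an added example, not written by anyone in the thread, the script below checks three of the prerequisites Louis lists (the nfs/ SPN in the keytab, `winbind refresh tickets` in smb.conf, and the `sec=` flavours of an export) against constructed sample data; the host name client1.example.com, the realm EXAMPLE.COM and the file contents are all made up.

```sh
#!/bin/sh
# Added example (not from the thread): offline checks for three of the
# prerequisites Louis lists. All sample data is constructed; the host
# client1.example.com and realm EXAMPLE.COM are made-up names.

# Constructed output in the shape of `klist -ke /etc/krb5.keytab`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 CLIENT1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_nfs_spn KLIST_OUTPUT FQDN REALM
# Succeeds when some line's principal column is exactly nfs/FQDN@REALM,
# the entry step 3 says must be present in the local keytab.
keytab_has_nfs_spn() {
    printf '%s\n' "$1" |
        awk -v spn="nfs/$2@$3" '$2 == spn { found = 1 } END { exit !found }'
}

# Constructed smb.conf fragment; the ';' line is a comment and must not count.
SAMPLE_SMBCONF='[global]
    security = ads
    ; winbind refresh tickets = no
    winbind refresh tickets = yes'

# smbconf_refreshes_tickets SMBCONF_TEXT
# Succeeds when an uncommented "winbind refresh tickets = yes" is present
# (step 4). Both # and ; start comments in smb.conf.
smbconf_refreshes_tickets() {
    printf '%s\n' "$1" | sed 's/[#;].*//' |
        grep -Eiq '^[[:space:]]*winbind[[:space:]]+refresh[[:space:]]+tickets[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$'
}

# Constructed /etc/exports in the shape of Louis's example.
SAMPLE_EXPORTS='/exports        192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users  192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5:krb5i:krb5p)'

# export_sec_flavors EXPORTS_TEXT PATH
# Prints the sec= flavour list of the first client entry for PATH ("" if
# absent). A list that still contains "sys" lets clients mount that export
# without Kerberos at all, which is worth knowing when debugging krb5 access.
export_sec_flavors() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == p { if (match($2, /sec=[^,)]*/)) print substr($2, RSTART + 4, RLENGTH - 4) }'
}
```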

