[Samba] nfs root kerberos
Rowland penny
rpenny at samba.org
Thu Nov 12 15:05:20 UTC 2020
On 12/11/2020 14:19, Jason Keltz via samba wrote:
>
> On 11/12/2020 8:52 AM, Rowland penny via samba wrote:
>> On 12/11/2020 13:27, Jason Keltz via samba wrote:
>>>
>>> On 11/12/2020 8:17 AM, Rowland penny via samba wrote:
>>>> On 11/11/2020 10:54, Jason Keltz via samba wrote:
>>>>> Hi Louis,
>>>>> I've looked into that and I'm not sure how this would be done?
>>>>> By the way, even with your NFS translation fix (which doesn't work
>>>>> for me because gssproxy), do you do this before accessing root
>>>>> files..?
>>>>> sudo root
>>>>> kinit -k 'host$'
>>>>>
>>>> OK, after a bit of a battle, I now have a Centos 7 Unix domain
>>>> member mounting an NFS share from a Devuan NFS4 server.
>>>>
>>>> The actual mount wasn't a problem, it was getting the NFS server to
>>>> work 😮
>>>>
>>>> I used Samba AD DC's for the authentication, a Unix domain member
>>>> as the NFS server and a Centos 7 Unix domain member as the NFS
>>>> client. I did minimal setup on the Centos machine.
>>>
>>> Hi Rowland,
>>>
>>> The problem wasn't getting NFS to work - it was getting NFS "root"
>>> access to work between a CentOS 7 client and CentOS 7 server (AKA
>>> no_root_squash in /etc/exports).
>>>
>>> Finally, after a significant amount of effort, I figured that out
>>> last night.
>>>
>>> In my case, I needed to add a realms section for realm
>>> AD.EECS.YORKU.CA and include 2 auth_to_local rules as follows:
>>>
>>> [realms]
>>> AD.EECS.YORKU.CA = {
>>> auth_to_local = RULE:[1:$1@$0](J1\$@AD.EECS.YORKU.CA)s/.*/root/
>>> auth_to_local = DEFAULT
>>> }
>>>
>>> This allows root on "J1" to "really" be root. An additional line like
>>> the first is required for each system. The DEFAULT line is
>>> required. Lots of fun let me tell ya.
>>>
>>> Jason.
>>>
>>>
>> Define what you mean by 'really root' ?
>>
>> The root user is a Unix user and, as such, has nothing to do with AD
>> (or NFS).
>>
>> If you can log in to a Unix domain member, you should be able to use
>> root and if you log in to a Windows domain member, then try to use
>> root, it should go 'root ? who is that ?'
>>
>> So, when you log into a Unix domain member, what isn't working ?
>
> Rowland,
>
> In the NFS world, by default, "root" on the NFS client is actually
> mapped to user "nobody" or "nfsnobody" on the NFS share for security.
> Try it. Go into the NFS share, and touch a file as root. With a
> sec=sys mount (no Kerberos security), you can allow root on the NFS
> client to access the NFS filesystem as root only if you export the
> share with the no_root_squash option (which is not the default). With
> Kerberos, sec=krb5, etc. in order to not have root mapped to nfsnobody
> on the NFS share, you have to use the no_root_squash option, PLUS
> the additional step that I described (at least for CentOS 7 with
> gssproxy). When using Debian, without gssproxy, you would use
> /etc/idmapd.conf in the way that Louis described for creating a
> translation of the root user to "root".
>
> Jason.
>
>
>
Well, you learn something new everyday 😂
I suppose the next question is, why do you need to use root in an NFS share ?
I keep reading that is easier to use NFS instead of CIFS, which it may
be, just as long as you do not want to secure it with Kerberos. I think
I will stick to CIFS 😁
Rowland
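To see why Jason's two auth_to_local lines map only the "J1" machine principal to root and let every other principal fall through to DEFAULT, here is a small Python model of the MIT krb5 RULE/DEFAULT evaluation. It is an added example, not code from the thread or from Samba/krb5; it assumes the selector regexp contains no ")" and uses AD.EECS.YORKU.CA from the post as the default realm. The other principals fed to it are constructed.

```python
import re
from typing import Optional

# The two auth_to_local lines Jason posted, with his realm as default realm.
DEFAULT_REALM = "AD.EECS.YORKU.CA"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](J1\$@AD.EECS.YORKU.CA)s/.*/root/",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]; selector and s/// optional.
# Assumption: the selector regexp itself contains no ')' character.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"                         # [n:format]
    r"(?:\(([^)]*)\))?"                                 # optional (selector)
    r"(?:s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?))?"      # optional s/pat/repl/g
)

def apply_rule(rule: str, components: list, realm: str) -> Optional[str]:
    """Apply one RULE to a split principal; None means the rule is skipped."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, fmt, selector, pat, repl, gflag = m.groups()
    if len(components) != int(ncomp):
        return None                      # rule applies to n-component names only
    s = fmt.replace("$0", realm)         # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        s = s.replace(f"${i}", comp)
    # The selector must match the whole formatted string, otherwise skip the rule.
    if selector is not None and re.fullmatch(selector, s) is None:
        return None
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if gflag else 1)
    return s

def auth_to_local(principal: str, rules=AUTH_TO_LOCAL,
                  default_realm=DEFAULT_REALM) -> Optional[str]:
    """Return the local user a principal maps to, or None if nothing matches."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component names in the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None
```

The J1$ machine principal becomes root, an ordinary user principal in the realm keeps its own name, and a J1$ principal from a foreign realm or a two-component service principal is left unmapped, which is exactly the scoping that makes the per-host RULE line safer than a blanket mapping.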