[Samba] Kerberized-nfs4 home-dir stopped working

Andrew Bartlett abartlet at samba.org
Tue Jun 21 08:09:12 UTC 2022


On Tue, 2022-06-14 at 23:25 +0200, Kees van Vloten via samba wrote:
> Hi Team,
> 
> 
> I have been using Kerberized nfs4 between 2 domain-members successfully
> since August last year.
> 
> All machines are Debian 11. The NFS-server and the desktop run with
> stock Samba 4.13.

> In the end I replaced sec=krb5p on both sides (exports and autofs) with
> sec=sys and then there is immediately access. That tells me the problem
> must be related to Kerberos, which was my initial suspicion due to the
> way it stopped working 2 days ago (nothing changed in the configurations
> on either side).
> 
> What would be the next thing to investigate?

This isn't what you were looking for, and I want to first say that if
only administrators in your AD can create users you should be fine, but
I did want to mention a security concern that hits Kerberised NFS (and
other non-Samba services in an AD):


I would warn you to look at the first few slides of:

https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf

https://www.youtube.com/watch?v=1BnraIAcybg

Name-based authorization in AD can be very dangerous, if domain users
are mapped to local users without any DOM\ prefix.  If this was a
Windows AD then accounts can be created in the domain via
machineAccountQuota that match sensitive local users, like root.

As you run Samba, you are safe if you only delegate user creation to
users you trust to choose 'safe' names (eg not root$ or root), but I
just want to start sharing this concern a bit more broadly.

Andrew,

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
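An added audit script (my example, not code from this thread or from Samba) that flags AD account names which a name-based mapping, one without a DOM\ prefix, would land on existing local Unix accounts on the NFS server. It assumes, as the mail implies by listing root$, that the mapping strips a trailing '$' from machine-account names, and it uses constructed sample principals and passwd lines rather than anything from the thread.

```python
# Added example, not from the thread: audit AD names that a name-based idmap would map onto local accounts.
from typing import Dict, List, Tuple

# Constructed sample input: principals as seen in Kerberos tickets, plus /etc/passwd lines from the server.
AD_PRINCIPALS = [
    "alice@EXAMPLE.COM",
    "WS01$@EXAMPLE.COM",
    "root$@EXAMPLE.COM",    # machine account whose name shadows root
    "backup@EXAMPLE.COM",   # user account whose name shadows local 'backup'
]
PASSWD_LINES = """root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash""".splitlines()


def local_users(passwd_lines: List[str]) -> Dict[str, int]:
    """Parse passwd-style lines into {name: uid}."""
    users: Dict[str, int] = {}
    for line in passwd_lines:
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            users[parts[0]] = int(parts[2])
    return users


def map_name_based(principal: str, realm: str) -> str:
    """The risky mapping: drop the realm and (assumption) a trailing '$', so 'root$@REALM' becomes 'root'."""
    name, _, prealm = principal.rpartition("@")
    if prealm.upper() != realm.upper():
        raise ValueError(f"foreign realm in {principal}")
    return name.rstrip("$").lower()


def map_prefixed(principal: str, realm: str, domain: str) -> str:
    """The safe mapping: keep a DOM\\ prefix so AD names can never equal local names."""
    return f"{domain}\\{map_name_based(principal, realm)}"


def find_collisions(principals: List[str], realm: str, passwd_lines: List[str],
                    max_system_uid: int = 999) -> List[Tuple[str, str, int]]:
    """Return (principal, local_name, uid) for every AD name landing on a local account, system accounts first."""
    users = local_users(passwd_lines)
    hits = []
    for p in principals:
        try:
            local = map_name_based(p, realm)
        except ValueError:
            continue
        if local in users:
            hits.append((p, local, users[local]))
    hits.sort(key=lambda h: (h[2] > max_system_uid, h[2]))
    return hits
```

Run find_collisions over the accounts your DC reports and the server's passwd file; any hit on a system uid is a name that an unprivileged account creator could have chosen to reach that local user.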