[Samba] Kerberized-nfs4 home-dir stopped working

Kees van Vloten keesvanvloten at gmail.com
Tue Jun 21 09:56:24 UTC 2022


Hi Andrew,

I did set "ms-DS-MachineAccountQuota: 0" and indeed only admins create 
users. Is that a sufficient mitigation for the Dollar Ticket attack?

The other thing is I have smb-filesharing for Windows clients and 
nfs-filesharing for Linux clients, currently on separate sub-trees to 
avoid issues. I would like to consolidate those to one technology, 
smb-filesharing.
But I do have some questions:

 1. Do I need the unix-extensions for Linux clients (I have disabled <
    smb3, i.e. cannot use unix-extensions at the moment)?
 2. Are there any thoughts about sharing a home-dir between Windows and
    Linux, currently nfs-home is at /home/<user> and smb (windows)
    home-dir is somewhere else?
 3. Is pam_mount the way to go to mount the smb-homedir at login? I
    could not find much on the Wiki.


- Kees


On 21-06-2022 at 10:09, Andrew Bartlett wrote:
> On Tue, 2022-06-14 at 23:25 +0200, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>>
>> I have been using Kerberized nfs4 between 2 domain-members successfully
>> since August last year.
>>
>> All machines are Debian 11. The NFS-server and the desktop run with
>> stock Samba 4.13.
>> In the end I replaced sec=krb5p on both sides (exports and autofs) with
>> sec=sys and then there is immediately access. That tells me the problem
>> must be related to Kerberos, which was my initial suspicion due to the
>> way it stopped working 2 days ago (nothing changed in the configurations
>> on either side).
>>
>> What would be the next thing to investigate?
> This isn't what you were looking for, and I want to first say that if
> only administrators in your AD can create users you should be fine, but
> I did want to mention a security concern that hits Kerberised NFS (and
> other non-Samba services in an AD):
>
>
> I would warn you to look at the first few slides of:
>
> https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
>
> https://www.youtube.com/watch?v=1BnraIAcybg
>
> Name-based authorization in AD can be very dangerous, if domain users
> are mapping the local users without any DOM\ prefix.  If this was a
> Windows AD then accounts can be created in the domain via
> machineAccountQuota that match sensitive local users, like root.
>
> As you run Samba, you are safe if you only delegate user creation to
> users you trust to choose 'safe' names (eg not root$ or root), but I
> just want to start sharing this concern a bit more broadly.
>
> Andrew,
>
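
The name collision discussed in this thread can be audited from the defender's side. The following is an added example, not part of the original messages and not Samba project code: it flags directory accounts whose name, with any trailing `$` dropped, matches a local login such as root, and reports the ms-DS-MachineAccountQuota value. The passwd lines, the LDIF-style export and all function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread): local accounts in passwd
# format and an LDIF-style export of directory attributes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
LDIF = """\
dn: DC=example,DC=test
ms-DS-MachineAccountQuota: 0

dn: CN=kees,CN=Users,DC=example,DC=test
sAMAccountName: kees

dn: CN=ROOT,CN=Computers,DC=example,DC=test
sAMAccountName: ROOT$

dn: CN=Backup,CN=Users,DC=example,DC=test
sAMAccountName: Backup
"""

def local_users(passwd_text):
    """Return the lower-cased login names from passwd-format text."""
    return {line.split(":", 1)[0].lower()
            for line in passwd_text.splitlines()
            if line and not line.startswith("#")}

def ldif_values(ldif_text, attr):
    """Return plain-text values of one attribute (base64 'attr::' is skipped)."""
    pat = re.compile(r"^%s: +(.+)$" % re.escape(attr), re.I | re.M)
    return [v.strip() for v in pat.findall(ldif_text)]

def audit(passwd_text, ldif_text):
    """Flag directory names that equal a local login once a trailing '$' is
    dropped (compared case-insensitively), and report the machine quota."""
    local = local_users(passwd_text)
    names = ldif_values(ldif_text, "sAMAccountName")
    collisions = sorted(n for n in names if n.rstrip("$").lower() in local)
    quota = ldif_values(ldif_text, "ms-DS-MachineAccountQuota")
    return {"collisions": collisions, "quota": int(quota[0]) if quota else None}

if __name__ == "__main__":
    report = audit(PASSWD, LDIF)
    print("ms-DS-MachineAccountQuota:", report["quota"])
    for name in report["collisions"]:
        print("collides with a local user:", name)
```
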

