Discussion:
[Samba] kerberos nfs4's principals and root access
Prunk Dump
2015-10-09 06:59:10 UTC
Permalink
Hello samba team !

I have some NFS4 exports managed by a Samba Kerberos realm. All the
standard user accesses work fine.

I am now trying to set up NFS4 root access to administer the share from
another server (the two hosts are DCs, one PDC and one SDC). But I have
trouble understanding the Kerberos/principals layer.

------------
What I currently do
-------------

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

With this setup all my domain users can write to the share. But when I
try with the root account it uses the machine keytab (that's normal,
root is not a domain user but it has access to the keytab):

-> on the client as root
$ touch /myshare/testfile

-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers ....
/nfs4/myshare/tesfile

But I need root access !

----------
I have tried with a root/myclient service principal name
----------

-> on the client I create a root/myclient SPN and export it to the keytab
$ samba-tool user add root-myclient --random-password
$ samba-tool spn add root/myclient.samdom.com root-myclient
$ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab

But nothing changes when I access the share. I tried to kinit this
principal but it fails. However, kinit with the machine principal works.

$ kinit -k root/myclient.samdom.com
kinit: Client 'root/***@SAMDOM.COM' not found in
kerberos database while getting initial credentials

$ kinit -k MYCLIENT$
ok

---------
I tried creating a samba root user.
---------

-> on the client I create a root user and export to keytab
$ samba-tool user add root
$ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab

Same problem but here "kinit -k root" works.

$ kinit -k root
ok


------
I tried to kinit another Samba user
------

-> on the client I kinit a valid user and write to the share

$ kinit validuser
$ touch /myshare/testfile2

Here the NFS4 connection is not made with validuser's principal. It is
always made with the machine's principal.


-------
So
-------

I don't understand why I can "kinit root" but not "kinit
root/myclient.samdom.com". What's the difference between these
principals?

I don't understand how the NFS4 client chooses the principal used to
make the connection to the NFS4 share. Why can the root user only use
the machine's principal?

I don't know if the problem comes from the creation of the Kerberos
principals or from the NFS4 client not choosing the correct
principal...

Can someone give me some tips?

Thanks !

Baptiste.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2015-10-09 07:13:48 UTC
Permalink
Hai,

I had it the other way around. Only root access.

I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
setup-nfsv4-kerberos.sh

If you get the file, setup-nfsv4-kerberos.sh, and compare it to your setup.
If you can read the bash script, maybe you'll see something you missed.

When I write as "root", it's root and not the machine account that owns the file.


How is your exports file on the server configured?

Greetz,

Louis
Prunk Dump
2015-10-09 09:33:33 UTC
Permalink
Thank you very much, Louis!

I have tried your setup and I can't mount the share, either from the
server itself or from the client.

On /var/log/syslog I have :

rpc.gssd : ERROR : no credentials found for connecting to server myserver

This is because the machine principal is not present in the keytab :

$ klist -k
1 nfs/***@SAMDOM.COM
1 nfs/***@SAMDOM.COM
1 nfs/***@SAMDOM.COM

If I add the machine principal, I can mount the share, but the root user
writes as "machine", not as "root".

Can you check your setup? Do you have your machine credential in
/etc/krb5.keytab? (check with klist -k)

Do you do something related to Kerberos when you log in as root?

Do you have additional options in "/etc/idmapd.conf"?

Can you give me the result of :

$klist
$klist -k

When you are logged as root ?

Thank you again!

Baptiste.
L.P.H. van Belle
2015-10-09 11:33:53 UTC
Permalink
OK, not working...

But found this...

( http://users.suse.com/~sjayaraman/nfs4_howto.txt )

4.5 A known issue using NFS with kerberos
_________________________________________

Even if "no_root_squash" option is used, while exporting a filesystem at the
server, root on the client gets a "Permission denied" error when creating
files on the mount point.

This is because there is no proper mapping between root and the GSSAuthName.

Note: Trying to set 777 permission is not correct as it is not secure. Also,
any file created on the mountpoint will have "nobody" as owner.

There is a work around for this if both NFS server and client use umich_ldap
methods to authenticate. If the idmapd on both server and client is configured
to use umich_ldap modules then having GSSAuthName (<nfs/***@realm>)
parameter map to root user, on the ldap server will solve this problem.


Still reading, but it should be solvable...

Greetz,

Louis
L.P.H. van Belle
2015-10-09 11:17:19 UTC
Permalink
Hai Baptiste,

I re-checked my setup and you're totally correct.
I cannot enter the NFSv4 mounted directory as root.

What I've added in idmapd.conf is this:
Domain = your_DNS_domain.tld

[Translation]

Method = nsswitch

And i found this link.

http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu

I'm testing this now.

Greetz,

Louis
L.P.H. van Belle
2015-10-09 11:39:44 UTC
Permalink
OK, now it's clear to me.

We need to set UMICH_SCHEMA in idmapd.conf.
Read : http://linux.die.net/man/5/idmapd.conf

Working on it now.

Greetz,

Louis
Prunk Dump
2015-10-09 12:10:57 UTC
Permalink
Thanks Louis ! Very interesting !

Maybe the simplest method is to set a static translation.

1) Enable the no_root_squash option in /etc/exports

2) Set the translation in /etc/idmapd.conf

------------------------
/etc/idmapd.conf
------------------------

...
[Translation]

Method = static,nsswitch

[Static]

MYCLIENT$@SAMDOM.COM = root

------------------------

But I don't understand why, with Samba, we can't authenticate as a
client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
seems that it is because we can't kinit them. But I don't understand
why...

Thanks again !

Baptiste.
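Editor's added example, not code from the thread, from Samba or from nfs-utils. It ties together the original question (which principal the client uses for root, and why adding root/myclient.samdom.com to the keytab changed nothing) and the static translation proposed in the message above. The script takes a client keytab listing in the format klist -k prints, applies the machine-credential search order documented in rpc.gssd(8), and then resolves the chosen principal through the [Static] section of an idmapd.conf the way the server-side id mapper does when [Translation] Method includes static. The hostnames (myclient, myclient.samdom.com), the realm SAMDOM.COM, the keytab listing and the idmapd.conf text are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or nfs-utils.
# Given a client's keytab listing (as "klist -k" prints it) report which
# principal rpc.gssd would use for root's NFS traffic, then resolve that
# principal through an idmapd.conf [Static] table as the server side does.
# Hostnames, realm and the sample data below are constructed.

# Principals in a "klist -k" listing: keep the entry lines (KVNO + principal),
# drop the header lines, and print the principal column.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }'
}

# rpc.gssd(8) falls back to "machine credentials" from the keytab when the
# calling uid has no credential cache (root normally has none). The search
# order is HOST$@REALM, root/fqdn@REALM, nfs/fqdn@REALM, host/fqdn@REALM;
# because HOST$ comes first, adding root/fqdn to the keytab changes nothing
# once the machine account key is present. Older nfs-utils without the
# HOST$ form start at root/fqdn.
# usage: gssd_machine_principal SHORTHOST FQDN REALM < klist-k-output
gssd_machine_principal() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    listed=$(keytab_principals)
    for cand in "${upper}\$@$3" "root/$2@$3" "nfs/$2@$3" "host/$2@$3"; do
        if printf '%s\n' "$listed" | grep -qxF -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Look a principal up in the [Static] section of an idmapd.conf, which is
# what "Method = static" in [Translation] consults before falling through to
# the next method. Prints the local user, or nothing (status 1) if unmapped.
# usage: static_map PRINCIPAL < idmapd.conf
static_map() {
    awk -v want="$1" '
        /^[[:space:]]*\[/ {
            sect = $0; gsub(/[[:space:]]/, "", sect)
            sect = substr(sect, 2, length(sect) - 2)   # "[Static]" -> "Static"
            next
        }
        sect == "Static" && index($0, "=") {
            n = index($0, "=")
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Constructed sample data standing in for the real files on the client/server.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MYCLIENT$@SAMDOM.COM
   1 root/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
EOF
}

sample_idmapd_conf() {
    cat <<'EOF'
[General]
Domain = samdom.com

[Translation]
Method = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
EOF
}

# Walk the chain for root on the client and say what the server would see.
explain_root_access() {
    princ=$(sample_keytab | gssd_machine_principal myclient myclient.samdom.com SAMDOM.COM) || {
        echo "rpc.gssd: no machine credential in keytab, the mount will fail"
        return 1
    }
    user=$(sample_idmapd_conf | static_map "$princ") || user="nobody (unmapped)"
    echo "root on client -> $princ -> server maps to: $user"
    if [ "$user" = "root" ]; then
        echo "note: anyone who can read this client's keytab is root on the export"
    fi
}

explain_root_access
```

Two points a practitioner should take from running it. First, rpc.gssd looks for HOST$@REALM before root/fqdn@REALM, so once MYCLIENT$ is in the keytab, exporting root/myclient.samdom.com changes nothing; and on a Samba AD DC the KDC issues an initial ticket only for a name that is an account's sAMAccountName or userPrincipalName, which is why kinit works for the account named root but not for a name that exists only as an SPN added with samba-tool spn add (such a name still exports to a keytab and works as a service name). Second, the mapping MYCLIENT$@SAMDOM.COM = root together with no_root_squash makes the client's /etc/krb5.keytab equivalent to root on the export: whoever can read that keytab (root on the client, or anyone able to run samba-tool domain exportkeytab on a DC) gets root on the server's files, so keep the keytab mode 0600 and owned by root, and restrict the export line to that one client.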
Post by L.P.H. van Belle
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read: http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
-----Original message-----
Sent: Friday 9 October 2015 13:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Ok, not working...
But found this...
( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
4.5 A known issue using NFS with kerberos
_________________________________________
Even if "no_root_squash" option is used, while exporting a filesystem at the
server, root on the client gets a "Permission denied" error when creating
files on the mount point.
This is because there is no proper mapping between root and the GSSAuthName.
Note: Trying to set 777 permission is not correct as it is not secure. Also,
any file created on the mountpoint will have "nobody" as owner.
There is a work around for this if both NFS server and client use umich_ldap
methods to authenticate. If the idmapd on both server and client is configured
to use umich_ldap modules then having GSSAuthName
parameter map to root user, on the ldap server will solve this problem.
Still reading, but should be solvable..
Greetz,
Louis
-----Original message-----
Sent: Friday 9 October 2015 13:17
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hai Baptiste,
I re-checked my setup and you're totally correct.
I can not enter the nfsV4 mounted directory as root.
What I've added in idmap.conf
Domain = your_DNS_domain.tld
[Translation]
Method = nsswitch
And I found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
I'm testing this now.
Greetz,
Louis
-----Original message-----
Sent: Friday 9 October 2015 11:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Thank you very much Louis!
I have tried your setup and I can't mount the share from either the
server itself or the client.
rpc.gssd : ERROR : no credentials found for connecting to server myserver
This is because the machine principal is not present in the keytab
$ klist -k
If I add the machine principal, I can mount the share but the root user
writes as "machine" not as "root".
Can you check your setup? Do you have your machine credential in
/etc/krb5.keytab? (with klist -k)
Do you do something related with kerberos when you login as root?
Do you have additional options in "/etc/idmap.conf"?
$ klist
$ klist -k
When you are logged in as root?
Thank you again!
Baptiste.
Post by L.P.H. van Belle
Hai,
I had it the other way around. Only root access.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
If you can read the bash script maybe you see something you missed.
When I write as "root" it's root and not the machine account who owns the file.
How is your exports file on the server configured?
Greetz,
Louis
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
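As an added example (not code from the thread, from Samba or from nfs-utils), the POSIX shell script below emulates how rpc.idmapd's translation methods turn the GSS principal an NFSv4 client presents into a local user name, which shows why a nsswitch-only idmapd.conf makes root's writes land as the machine account and what the [Static] mapping proposed in Baptiste's message above changes. The two config files, the account list standing in for getent/winbind, and the helper names ini_get and gss_to_user are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or nfs-utils: a small
# emulation of how rpc.idmapd's translation methods turn the GSS principal
# presented by an NFSv4 client into a local user name.

# Constructed configs: one modelled on the nsswitch-only setup from the
# thread, one on the static mapping proposed in the thread.
NSS_ONLY_CONF="$(mktemp)"
cat > "$NSS_ONLY_CONF" <<'EOF'
[General]
Domain = samdom.com
[Mapping]
Nobody-User = nobody
[Translation]
Method = nsswitch
EOF

STATIC_CONF="$(mktemp)"
cat > "$STATIC_CONF" <<'EOF'
[General]
Domain = samdom.com
[Mapping]
Nobody-User = nobody
[Translation]
Method = static,nsswitch
[Static]
MYCLIENT$@SAMDOM.COM = root
EOF

# Constructed stand-in for what getent/winbind would return; the machine
# account MYCLIENT$ is a valid AD account, which is the crux of the thread.
KNOWN_USERS='root
nobody
validuser
MYCLIENT$'

# Print the value of KEY in [SECTION] of an INI-style file (empty if absent).
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ ("^[[:space:]]*\\[" sec "\\]")); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Resolve PRINCIPAL with the configured methods, in order:
#   static   -> exact match in [Static]
#   nsswitch -> strip the realm and look the bare name up in passwd
# Anything unresolved falls back to Nobody-User. Note that mapping the
# machine principal to root hands root on the export to whoever holds that
# client's keytab, so the export should also restrict which hosts may mount.
gss_to_user() {  # gss_to_user CONF PRINCIPAL
    conf="$1"; princ="$2"
    methods="$(ini_get "$conf" Translation GSS-Methods)"
    [ -n "$methods" ] || methods="$(ini_get "$conf" Translation Method)"
    [ -n "$methods" ] || methods="nsswitch"
    for m in $(printf '%s' "$methods" | tr ',' ' '); do
        case "$m" in
        static)
            u="$(ini_get "$conf" Static "$princ")"
            if [ -n "$u" ]; then printf '%s\n' "$u"; return 0; fi
            ;;
        nsswitch)
            name="${princ%@*}"   # drop the realm, keep the bare name
            if printf '%s\n' "$KNOWN_USERS" | grep -qxF -- "$name"; then
                printf '%s\n' "$name"; return 0
            fi
            ;;
        esac
    done
    nobody="$(ini_get "$conf" Mapping Nobody-User)"
    printf '%s\n' "${nobody:-nobody}"
}

# With nsswitch only, root's credential (the machine keytab) becomes the
# machine account, exactly what the thread's "ls -al" showed:
gss_to_user "$NSS_ONLY_CONF" 'MYCLIENT$@SAMDOM.COM'   # MYCLIENT$
# With the [Static] entry the same principal is mapped to root:
gss_to_user "$STATIC_CONF"   'MYCLIENT$@SAMDOM.COM'   # root
gss_to_user "$STATIC_CONF"   'someone@OTHER.REALM'    # nobody
```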
L.P.H. van Belle
2015-10-09 13:42:54 UTC
Permalink
Hai Baptiste,

Ok, thanks for these, I'll test that also.

And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and for example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html

First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking this on the samba list ;-)

Gr,

Louis
Bruno MACADRÉ
2016-08-01 15:16:05 UTC
Permalink
Hi,

Sorry for this necrobump.... But I still can't use my local root
user to browse the content of my NFSv4/Krb5 share...... (other permissions
are checked when root uses this share)

So a lot of questions appeared during my tests:

- Must I have the same idmap.conf on both client and server?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
placed before it in the 'Method' and 'GSS-Methods' lists?
- Must the root user use kinit before exploring?

And the most important question: Is there anybody who has succeeded in
accessing (with real root behaviour!!) an nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup?

Thanks in advance,
Best regards,
Bruno

PS: I sent this morning a mail about access to this share from a local
user (www-data), but I think that granting access to root may be a good
starting point!!
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Contact:
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE

Tel: +33 (0)2-32-95-51-86
Mob: +33 (0)6-74-71-45-64
-------------------------------------------------------------------
Bruno Macadré
2016-08-02 06:21:30 UTC
Permalink
Thanks for your answer,

I already use the Winbind AD backend with RFC2307. The only difference is
that when I use 'getent passwd' logins are never prefixed by the domain name....

So, if I understand your solution well, I must:

1. Add unix attributes to my Administrator user (it's mandatory to show
the account with getent)
2. Add the 'username map' option in the member smb.conf
3. Create the mapping file like you said

And after that, when I want to access my kerberized NFS share, I just need to
'kinit Administrator' beforehand?

Thanks a lot,
Regards,
Bruno.
Post by Bruno MACADRÉ
Hi,
Sorry for this necrobump.... But I still can't use my local
root user to browse the content of my NFSv4/Krb5 share...... (other
permissions are checked when root uses this share)
- Must I have the same idmap.conf on both client and server?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
placed before it in the 'Method' and 'GSS-Methods' lists?
- Must the root user use kinit before exploring?
And the most important question: Is there anybody who has succeeded in
accessing (with real root behaviour!!) an nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup?
Thanks in advance,
Best regards,
Bruno
PS: I sent this morning a mail about access to this share from a local
user (www-data), but I think that granting access to root may be a
good starting point!!
I scanned through the rest of what you posted and I think you have
Samba 4 running as a DC with Unix clients joined to it, is this correct?
If so, then the only way to get the same UIDs & GIDs on all of them
is to use RFC2307 attributes and the winbind 'ad' backend on the clients.
Now we come to the root user, this user is somewhat similar to the
'Local Administrator' on windows and as such shouldn't be in AD. On
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
This doesn't happen on a Samba Unix domain member, but what you can do
is do the mapping in smb.conf. Add the line
username map = /etc/samba/user.map
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
Restart Samba and then 'Administrator' should be mapped to 'root'. The
'root' user should never be in AD.
Rowland
L.P.H. van Belle
2016-08-02 06:57:36 UTC
Permalink
Post by Bruno Macadré
And after that, when I want to access my kerberized NFS share, I just need
to 'kinit Administrator' beforehand?
Why do you need to do this??
Even root can't access a user homedir over nfsv4.
You need to kinit administrator to make your way to all user dirs.
Or kinit as the user for a single user dir.

But if you need to kinit as a user then something is wrong, that's not needed if it is set up correctly. At least I never kinit as a user.


Greetz,

Louis
-----Original message-----
Sent: Tuesday 2 August 2016 8:48
Subject: Re: [Samba] kerberos nfs4's principals and root access
On Tue, 2 Aug 2016 08:21:30 +0200
Post by Bruno Macadré
Thanks for your answer,
I already use Winbind AD backend with RFC2307. The only difference is
when i use 'getent passwd' logins are never prefixed by domainname....
1. Add unix attributes to my Administrator user (it's mandatory to
show the account with getent)
No, you should never add RFC2307 attributes to Administrator, it will
break the mapping on a DC and you need this.
Post by Bruno Macadré
2. Adding 'username map' option in the member smb.conf
3. Creating mapping file like you said
Yes
Post by Bruno Macadré
And after, when I want to access my kerberized NFS share, I just need
to 'kinit Administrator' before ?
Why do you need to do this ??
Rowland
L.P.H. van Belle
2016-08-02 06:11:10 UTC
Permalink
Hai,

Here you go..

But all my settings are scripted.
https://github.com/thctlo/samba4
found here.

Read the script: samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)

It's tested and works on debian jessie.
It contains the nfs server settings and client settings.

Greetz,

Louis
-----Oorspronkelijk bericht-----
Verzonden: maandag 1 augustus 2016 17:16
Onderwerp: Re: [Samba] kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I'm still can't use my local root
user to browse content of my NFSv4/Krb5 share...... (others permission
are checked when root use this share)
- Must i have same idmap.conf on both client and server ?
- Why rpc.idmapd only use 'nsswitch' method even if 'static' is
placed before it in 'Method' and 'GSS-Methods' list ?
- Must root user use kinit before exploring ?
And the most important question : Is there anybody who sucess to
access (in a real root behaviour !!) to a nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup ?
Thanks by advance,
Best regards,
Bruno
PS: I sent this morning a mail about access to this share from local
user (www-data), but I think that granting access to root may be a good
start point !!
Post by L.P.H. van Belle
Hai Batiste,
Ok, thanks for these, i'll test that also.
And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.htm
l
Post by L.P.H. van Belle
and per example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
Post by L.P.H. van Belle
First my work here, but this is a good one which i also need to adjust
in my scripts, so thank you for asking this on the samba list ;-)
Post by L.P.H. van Belle
Gr,
Louis
-----Oorspronkelijk bericht-----
Verzonden: vrijdag 9 oktober 2015 14:11
Onderwerp: Re: [Samba] kerberos nfs4's principals and root access
Thanks Louis ! Very interesting !
Maybe the simplest method is to set a static translation.
1) Enabling the no_root_squash option in /etc/exports
2) Set the translation in /etc/idmapd.conf
------------------------
/etc/idmap.conf
------------------------
...
[Translation]
Method = static,nsswitch
[Static]
------------------------
But I don't understand why, with samba, we can't authenticate as
client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
seem that it is because we can't kinit them. But I don't understand
why...
Thanks again !
Baptiste.
Post by L.P.H. van Belle
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
-----Original message-----
From: L.P.H. van Belle
Sent: Friday 9 October 2015 13:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Ok, not working...
But found this...
( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
4.5 A known issue using NFS with kerberos
_________________________________________
Even if "no_root_squash" option is used, while exporting a filesystem at
the server, root on the client gets a "Permission denied" error when
creating files on the mount point.
This is because there is no proper mapping between root and the
GSSAuthName.
Note: Trying to set 777 permission is not correct as it is not
secure. Also, any file created on the mountpoint will have "nobody" as owner.
There is a work around for this if both NFS server and client use
umich_ldap methods to authenticate. If the idmapd on both server and client is
configured to use umich_ldap modules then having GSSAuthName
parameter map to root user, on the ldap server will solve this
problem.
Still reading, but should be solvable..
Greetz,
Louis
-----Original message-----
From: L.P.H. van Belle
Sent: Friday 9 October 2015 13:17
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hai Baptiste,
I re-checked my setup and you're totally correct.
I can not enter the nfsV4 mounted directory as root.
What I've added in idmap.conf
Domain = your_DNS_domain.tld
[Translation]
Method = nsswitch
And I found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
I'm testing this now.
Greetz,
Louis
-----Original message-----
Sent: Friday 9 October 2015 11:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Thank you very much Louis !
I have tried your setup and I can't mount the share, neither from the
server itself nor from the client.
rpc.gssd : ERROR : no credentials found for connecting to server myserver
This is because the machine principal is not present in the keytab
$ klist -k
If I add the machine principal, I can mount the share but the root user
writes as "machine" not as "root".
Can you check your setup ? Do you have your machine credential in
/etc/krb5.keytab ? (with klist -k)
Do you do something related with kerberos when you login as root ?
Do you have additional options in "/etc/idmap.conf" ?
$klist
$klist -k
When you are logged in as root ?
Thank you again !
Baptiste.
Post by L.P.H. van Belle
Hai,
I had it the other way around. Only root access.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
If you can read the bash script maybe you see something you missed.
When I write as "root" it's root and not the machine account who owns
the file.
How is your exports file on the server configured?
Greetz,
Louis
-----Original message-----
From: Prunk Dump
Sent: Friday 9 October 2015 8:59
Subject: [Samba] kerberos nfs4's principals and root access
Hello samba team !
I have some NFS4 exports managed by a Samba's Kerberos realm. All
the standard user accesses work fine.
I try now to setup an NFS4 root access to administer the share from
another server (the two hosts are DCs, one PDC and one SDC). But I have
trouble understanding the kerberos/principals layer.
------------
Actually I do
-------------
-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
With this setup all my domain users can write to the share. But when I
try with the root account it uses the machine keytab (that's normal,
-> on the client as root
$ touch /myshare/testfile
-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers ....
/nfs4/myshare/tesfile
But I need root access !
----------
I have tried with a root/myclient service principal name
----------
-> on the client I create a root/myclient spn and export to keytab
$ samba-tool user add root-myclient --random-password
$ samba-tool spn add root/myclient.samdom.com root-myclient
$ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
But nothing changes when I access the share. I tried to kinit this
principal but it fails. However kinit with the machine principal works.
$ kinit -k root/myclient.samdom.com
kerberos database while getting initial credentials
$ kinit -k MYCLIENT$
ok
---------
I tried creating a samba root user.
---------
-> on the client I create a root user and export to keytab
$ samba-tool user add root
$ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
Same problem but here "kinit -k root" works.
$ kinit -k root
ok
------
I tried to kinit another samba user
------
-> on the client I kinit a valid user and write to the share
$ kinit validuser
$ touch /myshare/testfile2
Here the nfs4 connection is not made with the validuser's principal.
Always with the machine's principal.
-------
So
-------
I don't understand why I can "kinit root" but not "kinit
root/myclient.samdom.com". What's the difference between these
principals ?
I don't understand how the nfs4 client chooses the principal used to
make the connection to the nfs4 share. Why can the root user only use
the machine's principal ?
I don't know if the problem comes from the creation of kerberos
principals or comes from the nfs4 client not choosing the correct
principal...
Can someone give me a tip ?
Thanks !
Baptiste.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
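The static versus nsswitch translation that the quoted messages above propose and question (the [Translation] method lists, and a [Static] table that maps a machine principal to root), as an added example that is not code from this thread, from nfs-utils or from Louis's scripts: a Python model of how libnfsidmap walks GSS-Methods (falling back to Method) when the host that accepts the Kerberos context, on an NFS server its rpc.svcgssd, turns the caller's principal into a local uid. PASSWD, SERVER_CONF and CLIENT_CONF are constructed inputs shaped like the configurations discussed in the thread; the plugin behaviour is reduced to what matters here: static needs the principal string, realm included, as a [Static] key, nsswitch only knows bare names in a local realm, and anything unresolved falls to Nobody-User.

```python
"""Model of the GSS principal -> local user lookup libnfsidmap performs from
/etc/idmapd.conf. Added example, not code from the thread or from nfs-utils;
PASSWD, SERVER_CONF and CLIENT_CONF are constructed inputs."""
import configparser

# Constructed stand-in for the local passwd database (name -> uid).
PASSWD = {"root": 0, "bruno": 10001, "nobody": 65534}

# Constructed idmapd.conf shaped like a server that lists only nsswitch.
SERVER_CONF = """\
[General]
Domain = domain
Local-Realm = DOMAIN

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
"""

# Constructed idmapd.conf shaped like a client that puts a [Static] table
# ahead of nsswitch; note the second key has no realm after the '@'.
CLIENT_CONF = """\
[General]
Domain = domain
Local-Realm = DOMAIN

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
CLIENT1$@DOMAIN = root
nfs/client1.domain@ = root
"""


def load_conf(text):
    """Parse idmapd.conf-style text, keeping option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def method_list(cp, key):
    """Plugin order for 'Method' or 'GSS-Methods'. GSS-Methods falls back to
    Method, and Method defaults to nsswitch, as in idmapd.conf(5)."""
    raw = cp.get("Translation", key, fallback=None)
    if raw is None and key == "GSS-Methods":
        raw = cp.get("Translation", "Method", fallback=None)
    if raw is None:
        raw = "nsswitch"
    return [m.strip() for m in raw.split(",") if m.strip()]


def static_princ_to_user(cp, princ):
    """'static' plugin: the full principal string, realm included, must appear
    as a key in [Static]; the model compares the string exactly."""
    if cp.has_option("Static", princ):  # False when [Static] is absent
        return cp.get("Static", princ)
    return None


def nsswitch_princ_to_user(cp, princ):
    """'nsswitch' plugin: only principals in a local realm are handled; the
    realm is stripped and the bare name must exist in passwd."""
    name, _, realm = princ.partition("@")
    local_realms = [r.strip() for r in
                    cp.get("General", "Local-Realm", fallback="").split(",")]
    if realm not in local_realms or name not in PASSWD:
        return None
    return name


GSS_PLUGINS = {"static": static_princ_to_user, "nsswitch": nsswitch_princ_to_user}


def principal_to_user(cp, princ):
    """Walk GSS-Methods in order; the first plugin with an answer wins, otherwise
    the request falls to Nobody-User. Returns (user, uid, plugin or None)."""
    for method in method_list(cp, "GSS-Methods"):
        plugin = GSS_PLUGINS.get(method)
        if plugin is None:
            continue  # methods not modelled here (e.g. umich_ldap) are skipped
        user = plugin(cp, princ)
        if user is not None:
            return user, PASSWD[user], method
    nobody = cp.get("Mapping", "Nobody-User", fallback="nobody")
    return nobody, PASSWD[nobody], None


if __name__ == "__main__":
    for label, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        cp = load_conf(text)
        print(f"{label}: GSS-Methods = {method_list(cp, 'GSS-Methods')}")
        for princ in ("CLIENT1$@DOMAIN", "nfs/client1.domain@DOMAIN", "bruno@DOMAIN"):
            print(f"  {princ:28} -> {principal_to_user(cp, princ)}")
```

Run stand-alone it prints, for each configuration, the method list and the user each sample principal resolves to. Two things the model makes visible: the realm-less key nfs/client1.domain@ never matches a real principal, so that request falls through to nsswitch and ends at nobody; and a host whose idmapd.conf lists only nsswitch maps a machine principal such as CLIENT1$@DOMAIN to nobody, because no passwd entry carries that name, regardless of what a [Static] table on the other side of the mount says.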
Bruno Macadré
2016-08-02 06:24:28 UTC
Permalink
Thanks,

I'll see that today and come back !

Bruno
Post by L.P.H. van Belle
Hai,
Here you go..
But all my settings are scripted.
https://github.com/thctlo/samba4
found here.
Read the script : samba-with-nfsv4.sh
Start it like ./ samba-with-nfsv4.sh (client or server)
It's tested and works on debian jessie.
It contains the nfs server settings and client settings.
Greetz,
Louis
-----Original message-----
Sent: Monday 1 August 2016 17:16
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I still can't use my local root
user to browse the content of my NFSv4/Krb5 share...... (others permissions
are checked when root uses this share)
- Must I have the same idmap.conf on both client and server ?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
placed before it in the 'Method' and 'GSS-Methods' lists ?
- Must the root user use kinit before exploring ?
And the most important question : Is there anybody who has succeeded in
accessing (with a real root behaviour !!) an nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup ?
Thanks in advance,
Best regards,
Bruno
PS: I sent a mail this morning about access to this share from a local
user (www-data), but I think that granting access to root may be a good
starting point !!
Bruno MACADRÉ
2016-08-02 08:45:57 UTC
Permalink
Hi Louis,

I read your script and changed my configuration accordingly, but it
still does not work.

Here are my conf files :
----- NFS SERVER SIDE (Ubuntu Server 14.04 x64) -----
/etc/fstab:
...
/home /nfs4export/homes none bind 0 0
...

/etc/exports:
...
/nfs4export NETWORK/24(ro,fsid=0,no_subtree_check,sync,sec=krb5)
/nfs4export/homes NETWORK/24(rw,sync,no_root_squash,no_subtree_check,sec=krb5)
...

/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids --debug all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS="-vvv"
RPCNFSDOPTS="--debug"

/etc/idmapd.conf:
[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch

/etc/smb.conf (compiled samba 4.2.3):
[global]
netbios name = FILSRV
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m

idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10

...

kerberos method = system keytab

FILSRV joined the DC fine.
- Adding SPN by the use of 'net ads keytab' => net ads keytab add nfs -U administrator

klist of FILSRV (klist -kt) :
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 host/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 nfs/***@DOMAIN
54 01/08/2016 10:31:59 FILSRV$@DOMAIN
54 01/08/2016 10:31:59 FILSRV$@DOMAIN
54 01/08/2016 10:31:59 FILSRV$@DOMAIN
54 01/08/2016 10:31:59 FILSRV$@DOMAIN
54 01/08/2016 10:31:59 FILSRV$@DOMAIN

----- CLIENT SIDE (XUbuntu 16.04 x64) -----
/etc/fstab:
...
filsrv:/homes /home nfs4 sec=krb5 0 0
...

/etc/idmapd.conf:
[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
CLIENT1$@DOMAIN = root
host/***@DOMAIN = root
nfs/***@DOMAIN = root
nfs/client1.domain@ = root

/etc/smb.conf (Samba 4.3.9 from repos) :
[global]
netbios name = CLIENT1
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10

kerberos method = system keytab

- Joining : Ok
- Adding SPN by : net ads keytab add nfs : Ok
- Mounting NFS share : Ok
- Authenticating users against Kerberos (with libpam-krb5) : Ok


klist of Client1 (klist -kt) :

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 host/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 nfs/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 root/***@DOMAIN
4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
4 01/08/2016 10:31:59 CLIENT1$@DOMAIN


Testing root access on NFS share :

For testing purposes a tstroot directory was created on the share
with a 0777 mode on it. When I 'touch foo' in this directory the owner
of foo was nobody and its group : nogroup...

When I look at the logs, something seems strange to me : rpc.idmapd
(server side) and nfsidmap (client side -- rpc.idmapd not needed anymore
on client apparently) never use the static method even if static was
specified (client side)...

Parts of syslog :
...
rpc.gssd: libnfsidmap: using domain: domain
rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
rpc.gssd: libnfsidmap: processing 'Method' list
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
rpc.gssd: Expiration time is 600 seconds.
...
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
nfsidmap: nfs4_uid_to_name: final return value is 0
nfsidmap: Server : (user) id "65534" -> name "***@domain"
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
nfsidmap: nfs4_gid_to_name: final return value is 0
nfsidmap: Server : (group) id "65534" -> name "***@domain"
...

That's all for the moment.... sorry for this enormous mail, but
it's so strange that I can't choose what to show or not....

Greetz,
Bruno
Post by L.P.H. van Belle
Hai,
Here you go..
But all my settings are scripted.
https://github.com/thctlo/samba4
found here.
Read the script : samba-with-nfsv4.sh
Start it like ./ samba-with-nfsv4.sh (client or server)
It's tested and works on debian jessie.
It contains the nfs server settings and client settings.
Greetz,
Louis
-----Original message-----
Sent: Monday 1 August 2016 17:16
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I still can't use my local root
user to browse the content of my NFSv4/Krb5 share...... (others permissions
are checked when root uses this share)
- Must I have the same idmap.conf on both client and server ?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
placed before it in the 'Method' and 'GSS-Methods' lists ?
- Must the root user use kinit before exploring ?
And the most important question : Is there anybody who has succeeded in
accessing (with a real root behaviour !!) an nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup ?
Thanks in advance,
Best regards,
Bruno
PS: I sent a mail this morning about access to this share from a local
user (www-data), but I think that granting access to root may be a good
starting point !!
Post by L.P.H. van Belle
Hai Baptiste,
Ok, thanks for these, I'll test that also.
And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and per example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
First my work here, but this is a good one which I also need to adjust
in my scripts, so thank you for asking this on the samba list ;-)
Gr,
Louis
-----Original message-----
Sent: Friday 9 October 2015 14:11
Subject: Re: [Samba] kerberos nfs4's principals and root access
Thanks Louis ! Very interesting !
Maybe the simplest method is to set a static translation.
1) Enabling the no_root_squash option in /etc/exports
2) Set the translation in /etc/idmapd.conf
------------------------
/etc/idmap.conf
------------------------
...
[Translation]
Method = static,nsswitch
[Static]
------------------------
But I don't understand why, with samba, we can't authenticate as
client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
seems that it is because we can't kinit them. But I don't understand
why...
Thanks again !
Baptiste.
Post by L.P.H. van Belle
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
-----Original message-----
From: L.P.H. van Belle
Sent: Friday 9 October 2015 13:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Ok, not working...
But found this...
( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
4.5 A known issue using NFS with kerberos
_________________________________________
Even if "no_root_squash" option is used, while exporting a filesystem at
the server, root on the client gets a "Permission denied" error when
creating files on the mount point.
This is because there is no proper mapping between root and the
GSSAuthName.
Note: Trying to set 777 permission is not correct as it is not
secure. Also, any file created on the mountpoint will have "nobody" as owner.
There is a work around for this if both NFS server and client use
umich_ldap methods to authenticate. If the idmapd on both server and client is
configured to use umich_ldap modules then having GSSAuthName
parameter map to root user, on the ldap server will solve this
problem.
Still reading, but should be solvable..
Greetz,
Louis
-----Original message-----
From: L.P.H. van Belle
Sent: Friday 9 October 2015 13:17
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hai Baptiste,
I re-checked my setup and you're totally correct.
I can not enter the nfsV4 mounted directory as root.
What I've added in idmap.conf
Domain = your_DNS_domain.tld
[Translation]
Method = nsswitch
And I found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
I'm testing this now.
Greetz,
Louis
-----Original message-----
Sent: Friday 9 October 2015 11:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Thank you very much Louis !
I have tried your setup and I can't mount the share, neither from the
server itself nor from the client.
rpc.gssd : ERROR : no credentials found for connecting to server myserver
This is because the machine principal is not present in the keytab
$ klist -k
If I add the machine principal, I can mount the share but the root user
writes as "machine" not as "root".
Can you check your setup ? Do you have your machine credential in
/etc/krb5.keytab ? (with klist -k)
Do you do something related with kerberos when you login as root ?
Do you have additional options in "/etc/idmap.conf" ?
$klist
$klist -k
When you are logged in as root ?
Thank you again !
Baptiste.
Post by L.P.H. van Belle
Hai,
I had it the other way around. Only root acces.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compair it to
your
Post by L.P.H. van Belle
setup.
Post by L.P.H. van Belle
If you can read the bash script maybe you see something you
missed.
Post by L.P.H. van Belle
Post by L.P.H. van Belle
When i write as "root" its root and not the machine account who
owns
Post by L.P.H. van Belle
the
file.
Post by L.P.H. van Belle
How is your exports file on the server configured?
Greetz,
Louis
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE

Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
buhorojo
2015-10-09 20:32:57 UTC
Permalink
Post by Prunk Dump
-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers ....
/nfs4/myshare/tesfile
But I need root access !
Kerberos only allows access to users in the realm. root is a local user
HTH
Prunk Dump
2015-10-10 07:48:15 UTC
Permalink
You are right !

But it's possible to create a root kerberos principal like here :

http://docs.oracle.com/cd/E19253-01/816-4557/fgohx/

But I can't get this to work with a samba kerberos realm....
Prunk Dump
2015-10-10 10:11:37 UTC
Permalink
Hello,

The "static" idmap method works in my case.

So the problem is resolved, but not in the most elegant manner.

Thanks !

Baptiste.
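Baptiste's resolution above pins a Kerberos principal to a local user with libnfsidmap's static method; later in the thread Louis also posts the exports options (sec=krb5, root_squash) that decide what such a mapped root may do. The script below is an added example, not code from the thread or from Louis's scripts: it writes constructed sample copies of idmapd.conf and exports and audits them for the three things that decide root access in this setup (static listed before nsswitch, a [Static] entry for the principal the client actually presents, and which exports accept non-Kerberos clients or disable root squashing). The [Static] mapping line, the realm SAMDOM.COM and the paths are assumptions; the thread never shows the mapping line itself.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two files that the "static"
# fix touches.  All file contents below are constructed sample data.

WORK=${TMPDIR:-/tmp}/idmap-audit.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed client-side /etc/idmapd.conf.  The [Static] line is an
# assumption: it pins the client's machine principal (the one root on the
# client ends up using, as Baptiste observed) to the local root account.
cat > "$WORK/idmapd.conf" <<'EOF'
[General]
Domain = samdom.com
Local-Realms = SAMDOM.COM

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
# assumed mapping: machine principal -> local root
MYCLIENT$@SAMDOM.COM = root
EOF

# Constructed server-side /etc/exports; /srv/nfs4/public is deliberately weak.
cat > "$WORK/exports" <<'EOF'
# NFSv4 root
/srv/nfs4          192.168.0.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/srv/nfs4/myshare  192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5,no_root_squash)
/srv/nfs4/public   192.168.0.0/24(rw,sync,no_subtree_check)
EOF

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION], or nothing.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { sub(/[[:space:]]+$/, ""); insec = ($0 == want); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# static_first FILE: prints 1 when "static" precedes "nsswitch" in the
# [Translation] Method list, else 0 (nsswitch first, or no Method line).
static_first() {
    ini_get "$1" Translation Method | awk -F, '
        { for (i = 1; i <= NF; i++) {
              gsub(/[[:space:]]/, "", $i)
              if ($i == "static")   { r = 1; exit }
              if ($i == "nsswitch") { r = 0; exit } } }
        END { print r + 0 }'
}

# static_map FILE PRINCIPAL: the local user PRINCIPAL is pinned to, or nothing.
static_map() {
    ini_get "$1" Static "$2"
}

# exports_without_krb5 FILE: exports where some client entry has no
# sec=krb5/krb5i/krb5p flavour, i.e. still trusts the client's uid (AUTH_SYS).
exports_without_krb5() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 2; i <= NF; i++) if ($i !~ /sec=krb5/) { print $1; break } }' "$1"
}

# exports_no_root_squash FILE: exports on which a mapped root keeps uid 0.
exports_no_root_squash() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 2; i <= NF; i++) if ($i ~ /no_root_squash/) { print $1; break } }' "$1"
}

echo "static listed before nsswitch: $(static_first "$WORK/idmapd.conf")"
echo "MYCLIENT\$ is pinned to:        $(static_map "$WORK/idmapd.conf" 'MYCLIENT$@SAMDOM.COM')"
echo "exports without sec=krb5:      $(exports_without_krb5 "$WORK/exports")"
echo "exports with no_root_squash:   $(exports_no_root_squash "$WORK/exports")"
```

It needs only sh and awk and can be pointed at the real /etc/idmapd.conf and /etc/exports by swapping the paths. The last check is the one that matters for risk: once MYCLIENT$@SAMDOM.COM is pinned to root, anything on the client that can read /etc/krb5.keytab writes to a no_root_squash export as uid 0, so keep the keytab mode 0600 and limit no_root_squash to the one share that is really administered remotely.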
Bruno MACADRÉ
2016-08-02 14:02:41 UTC
Permalink
** I truncated my initial mail below for size reasons **

I've tried your tips but nothing is better.... AD users can still access the share (phew !!), but local users no longer can.

I can't find where it blocks....

Thanks for your help Louis,

Greetz,
Bruno
You keep 2 ranges.
One for the “local (linux) users”
idmap config *:backend = tdb
idmap config *:range = 11-9999
One for the “AD users”
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 10000-99999
(source : https://wiki.samba.org/index.php/Idmap_config_ad )
But does the idmap range modification apply only on the server side ?
Yes, correct, only server side. And after changing it run net cache flush and/or net idmap flush
Greetings,
Louis
------------------------------------------------------------------------
*Sent:* Tuesday 2 August 2016 14:59
*To:* L.P.H. van Belle
*Subject:* Re: FW: [Samba] kerberos nfs4's principals and root access
Ok, I understand !!
But does the idmap range modification apply only on the server side ? Or must I reflect this on the clients (by changing WKS:range to 11-60000) ?
Regards,
Bruno
man smb.conf
· system keytab - use only the system keytab for ticket verification
· dedicated keytab - use a dedicated keytab for ticket verification
· secrets and keytab - use the secrets.tdb first, then the system keytab
Add a windows group to www-data and set the needed rights in /var/www/
I do that for my ssh groups. ( one local group for system admins, one windows group for remote access)
When AD is down system admins can login, but the windows clients can not.
How it influences
## map id's outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 11-9999
( NO 0-9999 ) or root mapping fails to work.
Here www-data gets mapped to tdb files ( secrets from above ); you need to change that range so www-data hits in tdb.
But I haven't tried that, I just set a windows group right on the /var/www/domain/SITE_Folders.
My website has the following layout.
/var/www/localhost ( set all known ips for localhost here. )
/var/www/hostname ( set all known ips for hostname here. )
/var/www/noaccess ( set no ip or hostname here, just * like the debian default site ) (trap for script kiddies)
/var/www/domain1/SITE_Folder ( set only the known hostnames here )
/var/www/domain2/SITE_Folder ( set only the known hostnames here )
A layout like this only works well if you define ALL known ips and names correctly.
and I add acl_xattr:ignore system acl = yes to the share where I share www-data
and only /var/www/domain1 gets a windows group access list.
Greetz,
Louis
------------------------------------------------------------------------
*Sent:* Tuesday 2 August 2016 12:47
*To:* L.P.H. van Belle
*Subject:* Re: FW: [Samba] kerberos nfs4's principals and root access
Thanks for this, I will answer later on the list when the mail is in it.
I will try your advice but there are two things that I don't
- Why delete 'no_root_squash' on the homes share, is it why it's the default behaviour ?
- I don't understand the difference between the 'system keytab' and 'secrets and keytab' methods for kerberos and how it influences root access to NFS
- Login against Kerberos
- Receiving valid ticket
- Browsing NFS share (according to permissions) and accessing their home perfectly.
My real problem resides in access to this share by client-local users (mostly root and www-data in the future)
Thanks again, I will try these modifications and come back !
Greetz,
Bruno
A copy in advance, the mail is getting big so it takes time before it's in the samba list.
You missed a few small things, see below.
Greetz,
Louis
------------------------------------------------------------------------
*Sent:* Tuesday 2 August 2016 11:53
*Subject:* RE: [Samba] kerberos nfs4's principals and root access
Most looks ok,
Sometimes the nfs mount isn't mounted, I have that on 2 servers ( out of 15 )
But those were the first 2 I tested with, a mount -a resolves that, haven't had time to review it.
But if that happens.
For the server : add ,x-systemd.automount to fstab.
/home /nfs4export/homes none bind,x-systemd.automount 0 0
For the exports add crossmnt depending on your setup ( man exports )
And adjust like below. Your current setting is not correct.
Try setting the server like below.
# NFSv4 Root (/exports)
/exports 192.168.0.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
# NFSv4 (/exports/users)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5)
This is about the nouser/nogroup
root_squash: Map requests from uid/gid 0 to the anonymous uid/gid.
( Server ) /etc/samba/smb.conf
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#and very important one. Must have !!!
# renew the kerberos ticket
winbind refresh tickets = yes
That covers it I think, try the suggestions above and reboot both servers.
Login with a “NON” nfs user account and check if the mounts are done.
If so, test with a nfs user AD account, see if you can access your own user dir.
If not, kinit username , cd ~ . does it work now.
Check if /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf exists with content
[Unit]
Before=remote-fs-pre.target
Wants=remote-fs-pre.target
Also, that's needed for mounts.
Greetz,
Louis
-----Original message-----
Bruno MACADRÉ
Sent: Tuesday 2 August 2016 10:46
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hi Louis,
I read your script and changed my configuration accordingly, but it still does not work.
truncate ...
- Joining : Ok
- Adding SPN by : net ads keytab add nfs : Ok
- Mounting NFS share : Ok
- Authenticating users against Kerberos (with libpam-krb5) : Ok
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
For testing purposes a tstroot directory was created on the share with a 0777 mode on it. When I 'touch foo' in this directory the owner of foo was nobody and its group : nogroup...
rpc.idmapd (server side) and nfsidmap (client side -- rpc.idmapd not needed anymore on the client apparently) never use the static method even if static was specified (client side)...
...
rpc.gssd: libnfsidmap: using domain: domain
rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
rpc.gssd: libnfsidmap: processing 'Method' list
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
rpc.gssd: Expiration time is 600 seconds.
...
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
nfsidmap: nfs4_uid_to_name: final return value is 0
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
nfsidmap: nfs4_gid_to_name: final return value is 0
nfsidmap: Server : (group) id "65534" -> name
...
That's all for the moment.... sorry for this enormous mail, but it's so strange that I can't choose what to show or not....
Greetz,
Bruno
Post by L.P.H. van Belle
Hai,
Here you go..
But all my settings are scripted.
https://github.com/thctlo/samba4
found here.
Read the script : samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)
It's tested and works on debian jessie.
It contains the nfs server settings and client settings.
Greetz,
Louis
-----Original message-----
Bruno MACADRÉ
Sent: Monday 1 August 2016 17:16
Subject: Re: [Samba] kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I still can't use my local root user to browse the content of my NFSv4/Krb5 share...... (others permissions are checked when root uses this share)
- Must I have the same idmap.conf on both client and server ?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is placed before it in the 'Method' and 'GSS-Methods' list ?
- Must the root user use kinit before exploring ?
And the most important question : Is there anybody who succeeded in accessing (with real root behaviour !!) a nfsv4/krb5 share in a Samba4/Krb5/NFSv4 setup ?
Thanks in advance,
Best regards,
Bruno
PS: I sent this morning a mail about access to this share from a local user (www-data), but I think that granting access to root may be a good starting point !!
Post by L.P.H. van Belle
Hai Batiste,
Ok, thanks for these, I'll test that also.
And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and per example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking this on the samba list ;-)
Gr,
Louis
-----Original message-----
Prunk Dump
Sent: Friday 9 October 2015 14:11
Subject: Re: [Samba] kerberos nfs4's principals and root access
Thanks Louis ! Very interesting !
Maybe the simplest method is to set a static translation.
1) Enabling the no_root_squash option in /etc/exports
2) Set the translation in /etc/idmapd.conf
------------------------
/etc/idmap.conf
------------------------
...
[Translation]
Method = static,nsswitch
[Static]
------------------------
But I don't understand why, with samba, we can't authenticate as client with nfs/myclient.samdom.com or root/myclient.samdom.com. It seems that it is because we can't kinit them. But I don't understand why...
Thanks again !
Baptiste.
2015-10-09 13:39 GMT+02:00 L.P.H. van Belle
Post by L.P.H. van Belle
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
-----Original message-----
On behalf of L.P.H. van Belle
Sent: Friday 9 October 2015 13:34
Subject: Re: [Samba] kerberos nfs4's principals and root access
Ok, not working...
But found this...
( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
4.5 A known issue using NFS with kerberos
_________________________________________
Even if "no_root_squash" option is used, while exporting a filesystem at the server, root on the client gets a "Permission denied" error when creating files on the mount point.
This is because there is no proper mapping between root and the GSSAuthName.
Note: Trying to set 777 permission is not correct as it is not secure.
Also, any file created on the mountpoint will have "nobody" as owner.
There is a work around for this if both NFS server and client use umich_ldap methods to authenticate. If the idmapd on both server and client is configured to use umich_ldap modules then having GSSAuthName parameter map to root user, on the ldap server will solve this problem.
Still reading, but should be solvable..
Greetz,
Louis
--
Bruno MACADRE
-------------------------------------------------------------------
Post by L.P.H. van Belle
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer
science
Post by L.P.H. van Belle
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Post by L.P.H. van Belle
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
Post by L.P.H. van Belle
--
To unsubscribe from this list go to the following URL and
read the
Post by L.P.H. van Belle
instructions: https://lists.samba.org/mailman/options/samba
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
Bruno MACADRÉ
2016-08-02 15:05:37 UTC
Permalink
It's ok

So, if I create an httpuser and an httpgroup in my AD and use these as
owner and group for my apache2 daemon, this one could access
userdirs (while permissions grant it)? But I need to cron 'kinit' to keep
a valid ticket...?

My local root user still can't access the share, but my other
problem seems to be resolved.

Thanks
On Tue, 2 Aug 2016 16:02:41 +0200
Post by Bruno MACADRÉ
** I truncate my initial mail below for size reasons **
I've tried your tips but nothing better.... AD users can still
access the share (phew!!), but local users no more.
I can't find where it blocks....
Thanks for your help Louis,
Greetz,
Bruno
You keep 2 ranges.
One for the “local (linux) users”
idmap config *:backend = tdb
idmap config *:range = 11-9999
Please don't use 'range = 11-9999', it will not do what you think it
will do. The '*' range is used for the 'BUILTIN' users & groups etc., so
if you have system users or groups that use an ID in the range
11-1000, they will conflict with the Windows well known SIDs.
You can have local Unix users & groups, you can have AD domain users &
groups, you can make an AD domain user or group into a Unix user or
group by adding RFC2307 attributes, but what you cannot do is have
the same user or group name in both /etc/passwd or /etc/group and AD,
i.e. www-data can exist in /etc/passwd but it cannot be in AD at the
same time.
To use kerberos, you need an SPN or UPN, this (as far as a Samba AD DC
is concerned) needs to be stored in AD, so if the user isn't in AD, it
cannot use kerberos.
Rowland
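Rowland's warning above about the '*' idmap range colliding with local system IDs is easy to check mechanically. The following is an added example (not from this thread or from the Samba project): it parses the idmap range lines out of a smb.conf fragment and the numeric IDs out of /etc/passwd and /etc/group, then reports ranges that overlap each other and local accounts that fall inside any range. The smb.conf, passwd and group text are constructed samples; the replacement range 3000-7999 is an assumption used to show a clean result, not a value from the thread.

```python
"""Check Samba idmap ranges for overlaps with each other and with local Unix IDs.

Added example (not from this thread or from Samba). smb.conf, passwd and
group text are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment: the '*' (default) range starts at 11, the
# configuration Rowland warns against.
SMB_CONF = """
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 11-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""
# Assumed replacement for the '*' range: above every local system ID,
# below the domain range.
SAFE_DEFAULT_RANGE = "3000-7999"

# Constructed /etc/passwd and /etc/group excerpts.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
bruno:x:1000:1000:Bruno:/home/bruno:/bin/bash
"""
GROUP = """root:x:0:
www-data:x:33:
ssl-cert:x:112:
bruno:x:1000:
"""

# Matches "idmap config <domain> : range = <low>-<high>" (spaces optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def local_ids(passwd: str, group: str) -> Dict[str, int]:
    """Return {'u:<name>' or 'g:<name>': numeric id} from passwd/group lines."""
    ids: Dict[str, int] = {}
    for prefix, text in (("u:", passwd), ("g:", group)):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) >= 3 and fields[2].isdigit():
                ids[prefix + fields[0]] = int(fields[2])
    return ids


def find_conflicts(ranges: Dict[str, Tuple[int, int]],
                   ids: Dict[str, int]) -> List[str]:
    """Overlapping ranges first, then local accounts caught inside a range."""
    problems: List[str] = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges overlap: {a} {al}-{ah} and {b} {bl}-{bh}")
    for name, uid in sorted(ids.items(), key=lambda kv: kv[1]):
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(
                    f"local {name} (id {uid}) falls inside idmap range {dom} {lo}-{hi}")
    return problems


def check(smb_conf: str, passwd: str = PASSWD, group: str = GROUP) -> List[str]:
    """Convenience wrapper: parse everything and return the problem list."""
    return find_conflicts(parse_idmap_ranges(smb_conf), local_ids(passwd, group))


if __name__ == "__main__":
    for p in check(SMB_CONF) or ["no conflicts"]:
        print(p)
    print("--- with '*' range", SAFE_DEFAULT_RANGE)
    for p in check(SMB_CONF.replace("11-9999", SAFE_DEFAULT_RANGE)) or ["no conflicts"]:
        print(p)
```

Run it against the real files (`open("/etc/passwd").read()` and so on) on a member server before starting winbind; the same check also catches a domain range that was edited to overlap the default one.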
Bruno Macadré
2016-08-03 06:20:19 UTC
Permalink
Hi Rowland,

I've already read this article, but I never found how to tell
apache to read this file... After some research, I think I need to
install mod_auth_krb5 to specify at least how to find this keytab (even
if I don't need Apache authentication against Kerberos).

I will try this today and come back to say if it works!

In fact I'm stuck between my two problems (root access to Kerberised NFS
share / www-data access to userdir in a Kerberised NFS share);
contrary to what I thought, it's the root access that is the more difficult to
resolve...

Thanks Rowland,
Greetz,
Bruno
On Tue, 2 Aug 2016 17:05:37 +0200
Post by Bruno MACADRÉ
It's ok
So, if I create an httpuser and an httpgroup in my AD and use these as
owner and group for my apache2 daemon, this one could access
userdirs (while permissions grant it)? But I need to cron 'kinit'
to keep a valid ticket...?
My local root user still can't access the share, but my other
problem seems to be resolved.
OK, I went and re-read your first post and I think you are going about
http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
samba-tool user create --random-password httpuser
samba-tool spn add HTTP/servername.your.realm.tld httpuser
Where 'servername' is the short hostname of your machine running Apache
and 'your.realm.tld' is (obviously) your dns/realm name
samba-tool domain exportkeytab /root/httpd.keytab
copy the keytab to the machine running Apache and allow www-data to
read the keytab.
Rowland
L.P.H. van Belle
2016-08-03 06:57:07 UTC
Permalink
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown www-data:www-data /etc/httpd/conf/keytab
Post by Bruno Macadré
In fact I'm stuck between my two problems (root access to Kerberised NFS
share / www-data access to userdir in a Kerberised NFS share);
contrary to what I thought, it's the root access that is the more difficult to
resolve...
This is because of your layout for your website.
Now, you're "abusing" the user homedir, and normally that's a private dir for only the user.
For the root access, you can kinit administrator in a root script, I don't know what you exactly want.
But echo "passwd" | kinit Administrator simply resolves your problem.

And for the users/website data.

When you set a layout like this.
/var/www/domain/site/
Add on domain for example an AD Group with write rights.
Like "Domain website Admins" give these full control.
And something like "Site Admins" for a website, inherit the one before.

No hassle with keytabs, changing owner/group.
Besides, if you want to do that, look at mod_ruid, which allows to run an apache vhost as user.

But it's what you want.

Greetz,

Louis
Bruno MACADRÉ
2016-08-03 07:16:03 UTC
Permalink
Thanks Louis,

I'll reply inline in your answer
Post by L.P.H. van Belle
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown www-data:www-data /etc/httpd/conf/keytab
That's exactly what I thought. I'll try this soon.
Post by L.P.H. van Belle
Post by Bruno Macadré
In fact I'm stuck between my two problems (root access to Kerberised NFS
share / www-data access to userdir in a Kerberised NFS share);
contrary to what I thought, it's the root access that is the more difficult to
resolve...
This is because of your layout for your website.
Now, you're "abusing" the user homedir, and normally that's a private dir for only the user.
For the root access, you can kinit administrator in a root script, I don't know what you exactly want.
But echo "passwd" | kinit Administrator simply resolves your problem.
There's no "abuse" of the homedir. The principle of Apache's userdir is
to give users the ability to create web pages in their homedir and to
test them with Apache in an unprivileged manner and without losing the
private side of their homedir.
Post by L.P.H. van Belle
And for the users/website data.
When you set a layout like this.
/var/www/domain/site/
Add on domain for example an AD Group with write rights.
Like "Domain website Admins" give these full control.
And something like "Site Admins" for a website, inherit the one before.
No hassle with keytabs, changing owner/group.
Besides, if you want to do that, look at mod_ruid, which allows to run an apache vhost as user.
But it's what you want.
Thanks again,
Greetz,
Bruno
L.P.H. van Belle
2016-08-03 07:35:59 UTC
Permalink
Ah ok, you are using "public_html" from a default setup.
Now I understand what you exactly want.

If you have the apache keytab created.

Create a cron job and run:
kinit -t /path/to/keytab as the www user.

Don't forget to disable the password change in the AD user for
the "apache Service user" account.
You probably also need to export some kerberos variables like: KRB5CCNAME


Greetz,

Louis
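What Louis describes above (a cron job running kinit from the Apache keytab as the www user, with KRB5CCNAME set) is shown below as an added Python script; it is not code from the thread, from Samba or from Apache. Before calling kinit it refuses a keytab that is owned by another uid or readable by group/others, since the keytab is equivalent to the service account's password. The keytab path, credential cache path, principal and realm are assumptions, and the keytab is assumed to have been exported with samba-tool's --principal option (as in the first post) so that it holds only the HTTP key. The fake runner at the bottom stands in for subprocess.run so the script can be exercised on a host without a KDC.

```python
"""Cron-safe service ticket refresh from the Apache keytab.

Added example, not code from the thread, Samba or Apache. Paths, principal
and realm are assumptions.
"""
import os
import stat
import subprocess
import tempfile
from typing import Callable, List, Optional

KEYTAB = "/etc/apache2/httpd.keytab"                 # assumed: HTTP/ key only
PRINCIPAL = "HTTP/myclient.samdom.com@SAMDOM.COM"  # assumed SPN
CCACHE = "/var/lib/www-data/krb5cc_www"             # assumed: dir owned by www-data


def keytab_problems(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Reasons this keytab must not be used; an empty list means it is usable."""
    if expected_uid is None:
        expected_uid = os.getuid()
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    if st.st_mode & 0o077:
        problems.append(f"mode {oct(st.st_mode & 0o777)} is readable by group/others")
    return problems


def kinit_argv(keytab: str, principal: str) -> List[str]:
    """-k -t obtains the ticket from the keytab; nothing is ever prompted for."""
    return ["kinit", "-k", "-t", keytab, principal]


def refresh_ticket(keytab: str = KEYTAB, principal: str = PRINCIPAL,
                   ccache: str = CCACHE,
                   run: Callable = subprocess.run) -> List[str]:
    """Run kinit with an explicit KRB5CCNAME and return the argv used.

    Raises PermissionError when the keytab fails the preflight and
    RuntimeError when kinit itself fails, so cron mails the reason.
    """
    problems = keytab_problems(keytab)
    if problems:
        raise PermissionError(f"{keytab}: " + "; ".join(problems))
    env = dict(os.environ, KRB5CCNAME=f"FILE:{ccache}")
    argv = kinit_argv(keytab, principal)
    result = run(argv, env=env, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"kinit failed: {result.stderr.strip()}")
    return argv


# --- helpers for exercising the script on a host without a KDC ---
def make_demo_keytab(mode: int) -> str:
    """Create a temporary dummy keytab (constructed header bytes, no real keys)."""
    fd, path = tempfile.mkstemp(prefix="demo-keytab-")
    os.write(fd, b"\x05\x02")
    os.close(fd)
    os.chmod(path, mode)
    return path


class _FakeResult:
    def __init__(self, returncode: int, stderr: str = "") -> None:
        self.returncode, self.stderr = returncode, stderr


def fake_kinit_ok(argv: List[str], **kwargs) -> _FakeResult:
    """Stand-in for subprocess.run that checks the cache was passed explicitly."""
    if not kwargs["env"]["KRB5CCNAME"].startswith("FILE:"):
        return _FakeResult(1, "KRB5CCNAME not set")
    return _FakeResult(0)


if __name__ == "__main__":
    refresh_ticket()   # real kinit; run this from www-data's crontab
```

Install it in www-data's crontab rather than root's, so the resulting cache file is owned by www-data; with the cache location pinned through KRB5CCNAME, Apache and any other www-data process find the ticket wherever the library's default cache would have been.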
Bruno MACADRÉ
2016-08-03 08:21:51 UTC
Permalink
Yes, in fact this corresponds to another mail I posted in this list:
"kerberized nfs4 homedir and local account access (www-data)" but, over
the mails, my two requests (root access and www-data access) got crossed
and merged....

I've tried the kinit -kt as the www-data user but it still doesn't work
(keytab contains no suitable keys for host/***@DOMAIN ...)

I think I'm not so far from a good solution but I don't have enough time
to continue (I have to respect some deadlines), so I have to give up for
now (maybe I'll retry later in the year).

Anyway thank you Rowland and Louis for trying to help me!! I'll come
back asap!

Best regards,
Bruno.
L.P.H. van Belle
2016-08-03 09:37:29 UTC
Permalink
If not done, add the server to the AD.

Add the host and nfs to the COMPUTERNAME($) account.
And use winbind to refresh the keytab.

Stop samba,
remove the keytab, create the new one with the new SPNs in it,
start samba.

And use the second keytab for apache with only http as upn in it.


Greetz,

Louis
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 10:22
Onderwerp: Re: [Samba] FW: kerberos nfs4's principals and root access
"kerberized nfs4 homedir and local account access (www-data)" but, over
the mail, my two requests (root access and www-data access) are crossed
and merged....
I've tried the kinit -kt as the www-data user but it still doesn't work
I think i'm not so far of a good solution but I don't have enough time
to continue (I've to respect some deadlines), so, I have to give up for
now (may be I'll retry later in the year).
Anyway thank you Rowland and Louis for trying to help me !! I'll come
back asap !
Best regards,
Bruno.
Post by L.P.H. van Belle
Ah ok, you are using "public_html" from a default setup.
Now i understand what you exact want.
If you have the apache keytab created.
kinit -t /path/to/keytab as the www user.
Dont forget het disable the password change in the AD user for
the "apache Service user" account.
KRB5CCNAME
Post by L.P.H. van Belle
Greetz,
Louis
-----Oorspronkelijk bericht-----
Verzonden: woensdag 3 augustus 2016 9:16
Onderwerp: Re: [Samba] FW: kerberos nfs4's principals and root access
Thanks Louis,
I'll reply in your answer
Post by L.P.H. van Belle
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/ webmail >
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown www-data:www-data /etc/httpd/conf/keytab
That's exactly what I thought. I'll try this soon.
Post by L.P.H. van Belle
Post by Bruno Macadré
In fact i'm stuck between my two problems (root acces to Kerberised
NFS
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
share / www-data access to userdir into a Kerberised NFS share),
contrary to what I thought It's the root acces the more difficult to
resolve...
This is because of your layout for your website.
Now, your "abuseing" the user homedir, and normaly thats a private dir
for only the user.
Post by L.P.H. van Belle
For the root access, you can kinit adminsitrator in a root script, i
dont know what you exact want.
Post by L.P.H. van Belle
But echo "passwd" | kinit Administrator simpel resolve you problem.
There's no "abuse" of the homedir. The principle of Apache' userdir is
to give users the ability to create web pages in their homedirand to
test them with Apache in an unprivileged manner and withoutlosing the
private side of their homedir.
Post by L.P.H. van Belle
And for the users/website data.
When you set a layout like this.
/var/www/domain/site/
Add on domain for example an AD Group with write rights.
Like "Domain website Admins" give these full control.
And something like "Site Admins" for a website, inherit the one
before.
Post by L.P.H. van Belle
Post by L.P.H. van Belle
No hassle with keytabs, changing owner/group.
Besited if you want to do that, look at mod_ruid, which allows to run
an
Post by L.P.H. van Belle
apache vhost as user.
Post by L.P.H. van Belle
But its what you want.
Thanks again,
Greetz,
Bruno
Post by L.P.H. van Belle
Greetz,
Louis
Post by Bruno Macadré
-----Oorspronkelijk bericht-----
Macadré
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
Verzonden: woensdag 3 augustus 2016 8:20
Onderwerp: Re: [Samba] FW: kerberos nfs4's principals and root access
Hi Rowland,
I've already read this article, but I never find how to indicate to
apache to read this file... After some research, I think I need to
install mod_auth_krb5 to specify at least how to find this keytab
(even
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
if I don't need Apache authentication against Kerberos).
I will try this today and comme back to say if it works !
In fact i'm stuck between my two problems (root acces to Kerberised
NFS
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
share / www-data access to userdir into a Kerberised NFS share),
contrary to what I thought It's the root acces the more difficult to
resolve...
Thanks Rowland,
Greetz,
Bruno
On Tue, 2 Aug 2016 17:05:37 +0200
Post by Bruno MACADRÉ
It's ok
So, if I create a httpuser and an httpgroup in my AD and use these
at
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
Post by Bruno MACADRÉ
owner and group for my apache2 daemon, this one could access to
userdirs (while permissions granting it) ? But I need to cron
'kinit'
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
Post by Bruno MACADRÉ
to keep valid ticket... ?
My local root user always can't access to the share, but my other
problem seems to be resolved.
OK, I went and re-read your first post and I think you are going
about
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Bruno Macadré
http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
samba-tool user create --random-password httpuser
samba-tool spn add HTTP/servername.your.realm.tld httpuser
Where 'servername' is the short hostname of your machine running
Apache
Post by L.P.H. van Belle
Post by Bruno Macadré
and 'your.realm.tld' is (obviously) your dns/realm name
samba-tool domain exportkeytab /root/httpd.keytab
copy the keytab to the machine running Apache and allow www-data to
read the keytab.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
Bruno MACADRÉ
2016-08-03 13:35:55 UTC
Permalink
The host is already in AD... I don't know where it blocks but thanks for
trying!

I will retry this later (when I'll have more time).

Greetz,
Bruno.
Post by L.P.H. van Belle
If not done, add the server to the AD.
Add the host and nfs to the COMPUTERNAME($) account.
And use winbind to refresh the keytab.
Stop samba,
remove the keytab, create the new one with the new SPNs in it,
start samba.
And use the second keytab for Apache with only HTTP as UPN in it.
Greetz,
Louis
-----Original message-----
Sent: Wednesday 3 August 2016 10:22
Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
"kerberized nfs4 homedir and local account access (www-data)" but, over
the mail, my two requests (root access and www-data access) got crossed
and merged....
I've tried the kinit -kt as the www-data user but it still doesn't work.
I think I'm not so far from a good solution but I don't have enough time
to continue (I have to respect some deadlines), so I have to give up for
now (maybe I'll retry later in the year).
Anyway, thank you Rowland and Louis for trying to help me!! I'll come
back asap!
Best regards,
Bruno.
Post by L.P.H. van Belle
Ah ok, you are using "public_html" from a default setup.
Now I understand what you exactly want.
If you have the apache keytab created:
kinit -t /path/to/keytab as the www user.
Don't forget to disable the password change in the AD user for
the "apache Service user" account.
KRB5CCNAME
Greetz,
Louis
-----Original message-----
Sent: Wednesday 3 August 2016 9:16
Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
Thanks Louis,
I'll reply in your answer
Post by L.P.H. van Belle
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown www-data:www-data /etc/httpd/conf/keytab
That's exactly what I thought. I'll try this soon.
Post by Bruno Macadré
In fact I'm stuck between my two problems (root access to a Kerberised NFS
share / www-data access to userdir into a Kerberised NFS share);
contrary to what I thought, it's the root access that is more difficult to
resolve...
This is because of your layout for your website.
Now you're "abusing" the user homedir, and normally that's a private dir
for only the user.
Post by L.P.H. van Belle
For the root access, you can kinit administrator in a root script; I
don't know what you exactly want.
But echo "passwd" | kinit Administrator simply resolves your problem.
There's no "abuse" of the homedir. The principle of Apache's userdir is
to give users the ability to create web pages in their homedir and to
test them with Apache in an unprivileged manner and without losing the
private side of their homedir.
Post by L.P.H. van Belle
And for the users/website data.
When you set a layout like this:
/var/www/domain/site/
Add on domain for example an AD Group with write rights.
Like "Domain website Admins", give these full control.
And something like "Site Admins" for a website, inheriting the one
before.
No hassle with keytabs, changing owner/group.
Besides, if you want to do that, look at mod_ruid, which allows running an
apache vhost as user.
But it's what you want.
Thanks again,
Greetz,
Bruno
Post by L.P.H. van Belle
Greetz,
Louis
Post by Bruno Macadré
-----Original message-----
Macadré
Sent: Wednesday 3 August 2016 8:20
Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
Hi Rowland,
I've already read this article, but I never found how to tell
apache to read this file... After some research, I think I need to
install mod_auth_krb5 to specify at least how to find this keytab (even
if I don't need Apache authentication against Kerberos).
I will try this today and come back to say if it works!
In fact I'm stuck between my two problems (root access to a Kerberised NFS
share / www-data access to userdir into a Kerberised NFS share);
contrary to what I thought, it's the root access that is more difficult to
resolve...
Thanks Rowland,
Greetz,
Bruno
On Tue, 2 Aug 2016 17:05:37 +0200
Post by Bruno MACADRÉ
It's ok.
So, if I create an httpuser and an httpgroup in my AD and use these as
owner and group for my apache2 daemon, this one could access the
userdirs (while permissions grant it)? But I need to cron 'kinit'
to keep a valid ticket...?
My local root user still can't access the share, but my other
problem seems to be resolved.
OK, I went and re-read your first post and I think you are going about
http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
samba-tool user create --random-password httpuser
samba-tool spn add HTTP/servername.your.realm.tld httpuser
Where 'servername' is the short hostname of your machine running Apache
and 'your.realm.tld' is (obviously) your dns/realm name
samba-tool domain exportkeytab --principal=HTTP/servername.your.realm.tld /root/httpd.keytab
copy the keytab to the machine running Apache and allow www-data to
read the keytab.
Rowland
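The keytab-based approach that Rowland's and Louis's replies describe (an HTTP/ SPN keytab readable only by www-data, a ticket obtained from that keytab into a dedicated cache that Apache's KRB5CCNAME points at, refreshed from cron before it expires), written out as an added POSIX sh example; it is not code from the thread, from Samba or from the linked sumostyle article. It checks the keytab's owner and mode, parses klist output for the TGT expiry and only runs kinit -k -t when less than a configurable margin remains, so no password is ever embedded in the script or visible in the process list (the alternative of piping a password into kinit exposes it in both places). The keytab and cache paths, the principal name, the 2-hour margin and the sample klist output are constructed assumptions, and the MM/DD/YYYY HH:MM:SS timestamp format is the MIT klist format assumed here.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): keep a service account's
# Kerberos TGT fresh from a keytab instead of piping a password into kinit.
# All paths and names below are placeholders (assumptions), adjust to taste.
KEYTAB=/etc/apache2/httpd.keytab                 # exported with samba-tool domain exportkeytab --principal=HTTP/...
PRINC='HTTP/servername.your.realm.tld'           # the SPN whose key is in the keytab
CCACHE=FILE:/var/cache/apache2/krb5cc_www-data   # what Apache's KRB5CCNAME should point at
MIN_LEFT=7200                                    # refresh when under 2 h of ticket life remains

# Succeeds only if $1 exists, is owned by user $2 and has no group/other read bit:
# what "allow www-data to read the keytab" should mean in practice (mode 0400).
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    id -u "$2" >/dev/null 2>&1 || return 1
    [ -z "$(find "$1" -prune \( ! -user "$2" -o -perm -040 -o -perm -004 \) -print)" ]
}

# Convert "MM/DD/YYYY HH:MM:SS" (MIT klist's format, assumed) to seconds since
# 1970-01-01, treating the wall-clock value as if it were UTC. Every comparison
# below passes both sides through this function, so the zone offset cancels.
# Uses the days-from-civil formula (proleptic Gregorian, March-based year).
to_epoch() {
    printf '%s\n' "$1" | awk -F'[/ :]' '{
        m = $1 + 0; d = $2 + 0; y = $3 + 0; H = $4 + 0; M = $5 + 0; S = $6 + 0
        if (m <= 2) { y--; m += 12 }
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%d\n", days * 86400 + H * 3600 + M * 60 + S
    }'
}

# Print the TGT's "Expires" timestamp from klist output, or nothing if no TGT is cached.
tgt_expiry() {
    printf '%s\n' "$1" | awk '/krbtgt\// { print $3 " " $4; exit }'
}

# Seconds of TGT life left relative to "now" ($2, already converted by to_epoch).
tgt_remaining() {
    expires=$(tgt_expiry "$1")
    [ -n "$expires" ] || { echo 0; return; }
    echo $(( $(to_epoch "$expires") - $2 ))
}

# True (exit 0) when the cache should be refreshed: no TGT, or fewer than $3 seconds left.
needs_renewal() {
    [ "$(tgt_remaining "$1" "$2")" -lt "$3" ]
}

# Refresh from the keytab only when needed; safe to run from cron every few minutes as www-data.
ensure_ticket() {
    keytab_perms_ok "$KEYTAB" www-data || { echo "refusing: keytab must be 0400 and owned by www-data" >&2; return 1; }
    now=$(to_epoch "$(date '+%m/%d/%Y %H:%M:%S')")   # same local-time frame as klist's output
    if out=$(klist -c "$CCACHE" 2>/dev/null) && ! needs_renewal "$out" "$now" "$MIN_LEFT"; then
        return 0                                      # current ticket is still good enough
    fi
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC"       # key comes from the keytab, no password anywhere
}

# Constructed sample klist output for a dry run (not captured from any real host).
SAMPLE_KLIST='Ticket cache: FILE:/var/cache/apache2/krb5cc_www-data
Default principal: HTTP/servername.your.realm.tld@YOUR.REALM.TLD

Valid starting       Expires              Service principal
08/03/2016 09:00:00  08/03/2016 19:00:00  krbtgt/YOUR.REALM.TLD@YOUR.REALM.TLD
	renew until 08/10/2016 09:00:00'

# Only talk to the KDC when explicitly asked, e.g. from crontab:
#   */15 * * * *  www-data  /usr/local/sbin/krb-refresh.sh run
case "${1-}" in
    run) ensure_ticket ;;
esac
```

Run it as www-data from cron; the `run` argument guards the kinit call so the functions can be sourced or tested without touching a KDC. Two caveats that follow from the thread: export only the HTTP SPN with `--principal=` so the web server never holds another principal's key, and keep the service account's password from changing (as Louis notes), since a password change bumps the key version and silently invalidates the keytab.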