Bruno MACADRÉ
2016-08-01 09:57:32 UTC
Hi,
I've been stuck for a week on how to give a client-side local account
(more precisely the www-data account) access to a kerberized NFSv4 share...
My client setup and step-by-step configuration :
- Installed OS : XUbuntu 16.04 x64
1. Installing Samba4 from repos
2. Configuring Samba :
My client-side smb.conf :
[global]
netbios name = TEMPOINST
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes
log level = 3
log file = /var/log/samba/log.%m
idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config DPTINFO:backend = ad
idmap config DPTINFO:schema = rfc2307
idmap config DPTINFO:range = 10000-60000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
kerberos method = system keytab
Here, DOMAIN represents the host's FQDN
3. Joining the client by : "net ads join createupn=TEMPOINST\$@DOMAIN -U
Administrator"
4. Installing Winbind and configuring nsswitch.conf accordingly (all
wbinfo and getent commands are working fine)
5. Installing kerberos client and pam module to authenticate users
against Kerberos
6. Configuring kerberos client
My client side krb5.conf
[libdefaults]
default_realm = DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
[domain_realm]
.domain = DOMAIN
domain = DOMAIN
[appdefaults]
pam = {
forwardable = true
minimum_uid = 10000
ignore_k5login = true
ticket_lifetime = 1d0h0m
debug = false
ccache = FILE:/tmp/krb5cc_%u
}
7. Generating krb5.keytab file by : "net ads keytab create"
8. Mounting nfs4 share with sec=krb5 option
Everything works fine: a domain user can log on to the computer and
receives a Kerberos ticket at login. The user can use the share,
permissions are fine, and UID/GID mapping is OK too.
But, for educational purposes, I need to install on each client a
localhost-only Apache server (with PHP support) which uses the userdir
module to access the 'public_html' directory in each user's home directory.
The problem is that the local www-data user can access the NFS share
(like the root user too).
I've tried the following :
1. Adding SPN : net ads keytab add HTTP
2. Modifying server-side idmapd.conf :
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realms = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
GSS-Methods = static,nsswitch
[Static]
TEMPOINST$@DOMAIN = root
HTTP/***@DOMAIN = www-data
But the client-side www-data user can't access the NFS share... and the
static for root doesn't work either, because "kinit TEMPOINST$" needs an
unknown password...
All ideas would be appreciated!
Thanks in advance,
Regards,
Bruno
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
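Added example (not part of the original post, and not Samba or nfs-utils code): a small offline check of which credential rpc.gssd would present to the NFS server for a given client UID, which is the crux of the www-data and root problems above. It assumes rpc.gssd's default behaviour (UID 0 uses a machine credential from the keytab, any other UID needs its own ticket cache under /tmp, matching the `ccache = FILE:/tmp/krb5cc_%u` setting in the krb5.conf shown); the `klist -k` output, the hostname `tempoinst.domain` and the ccache listing are constructed.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output on the NFS client
# after "net ads keytab create" and "net ads keytab add HTTP" (not real output).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 TEMPOINST$@DOMAIN
   3 host/tempoinst.domain@DOMAIN
   3 host/TEMPOINST@DOMAIN
   3 HTTP/tempoinst.domain@DOMAIN
"""

# Constructed listing of /tmp on the client: one logged-in domain user (UID 10001).
CCACHE_FILES = ["/tmp/krb5cc_10001", "/tmp/krb5cc_10001_AbC123"]

# Service principals rpc.gssd tries, in this order, for machine credentials
# (assumed default behaviour of nfs-utils rpc.gssd without -n).
MACHINE_SERVICES = ("nfs", "root", "host")


def keytab_principals(klist_text):
    """Return the principal names listed by `klist -k` (header lines skipped)."""
    return [m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", klist_text, re.M)]


def credential_source(uid, principals, ccache_files, hostname, realm):
    """Return ("keytab", principal) or ("ccache", path) rpc.gssd would use for uid,
    or None when the UID has nothing to authenticate the NFS RPCs with."""
    if uid == 0:
        for svc in MACHINE_SERVICES:
            wanted = f"{svc}/{hostname}@{realm}"
            if wanted in principals:
                return ("keytab", wanted)
        return None
    # Non-root UIDs: rpc.gssd looks for /tmp/krb5cc_<uid> or /tmp/krb5cc_<uid>_*.
    for path in ccache_files:
        if re.fullmatch(rf".*/krb5cc_{uid}(_.*)?", path):
            return ("ccache", path)
    return None


if __name__ == "__main__":
    principals = keytab_principals(KLIST_OUTPUT)
    for uid, name in ((0, "root"), (33, "www-data"), (10001, "domain user")):
        print(name, "->", credential_source(uid, principals, CCACHE_FILES,
                                           "tempoinst.domain", "DOMAIN"))
```

Running it shows the situation described in the post: root gets the keytab's host/ principal (so the server-side static mapping needs that principal, not TEMPOINST$), the domain user gets their login ticket cache, and www-data has no credential at all.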
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba