Hello samba team!

I have some NFS4 exports managed by a Samba's Kerberos realm. All the standard user accesses work fine.

I am now trying to set up an NFS4 root access to administer the share from another server (the two hosts are DCs, one PDC and one SDC). But I have trouble understanding the kerberos/principals layer.

------------
What I currently do
------------

-> on the server I create an nfs principal and export it to the keytab
$ samba-tool user add nfs-myserver --random-password
$ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
$ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab

-> on the client I use the machine keytab.
$ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab

With this setup all my domain users can write to the share. But when I try with the root account it uses the machine keytab (that's normal, root is not a domain user but he has access to the keytab):

-> on the client as root
$ touch /myshare/testfile

-> on the server
$ ls -al /srv/nfs4/myshare/testfile
-rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile

But I need root access!

----------
I have tried with a root/myclient service principal name
----------

-> on the client I create a root/myclient spn and export it to the keytab
$ samba-tool user add root-myclient --random-password
$ samba-tool spn add root/myclient.samdom.com root-myclient
$ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab

But nothing changes when I access the share. I tried to kinit this principal but it fails. However, kinit with the machine principal works.

$ kinit -k root/myclient.samdom.com
kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in kerberos database while getting initial credentials

$ kinit -k MYCLIENT$
ok

---------
I tried creating a samba root user.
---------

-> on the client I create a root user and export it to the keytab
$ samba-tool user add root
$ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab

Same problem, but here "kinit -k root" works.

$ kinit -k root
ok

------
I tried to kinit another samba user
------

-> on the client I kinit a valid user and write to the share
$ kinit validuser
$ touch /myshare/testfile2

Here the nfs4 connection is not made with the validuser's principal. Always with the machine's principal.

-------
So
-------

I don't understand why I can "kinit root" but not "kinit root/myclient.samdom.com". What's the difference between these principals?

I don't understand how the nfs4 client chooses the principal used to make the connection to the nfs4 share. Why can the root user only use the machine's principal?

I don't know if the problem comes from the creation of the kerberos principals or from the nfs4 client not choosing the correct principal...

Can someone give me some tips?

Thanks!

Baptiste.
Hai,

I had it the other way around. Only root access.

I have scripted my setup and tested on debian. Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/ setup-nfsv4-kerberos.sh

If you get the file, setup-nfsv4-kerberos.sh, and compare it to your setup. If you can read the bash script maybe you see something you missed.

When I write as "root" it's root and not the machine account that owns the file.

How is your exports file on the server configured?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 8:59
> To: samba at lists.samba.org
> Subject: [Samba] kerberos nfs4's principals and root access
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Thank you very much Louis!

I have tried your setup and I can't mount the share, either from the server itself or from the client.

On /var/log/syslog I have:

rpc.gssd : ERROR : no credentials found for connecting to server myserver

This is because the machine principal is not present in the keytab:

$ klist -k
1 nfs/myclient.samdom.com at SAMDOM.COM
1 nfs/myclient.samdom.com at SAMDOM.COM
1 nfs/myclient.samdom.com at SAMDOM.COM

If I add the machine principal, I can mount the share, but the root user writes as "machine", not as "root".

Can you check your setup? Do you have your machine credential in /etc/krb5.keytab? (with klist -k)

Do you do something related to kerberos when you login as root?

Do you have additional options in "/etc/idmap.conf"?

Can you give me the result of:

$ klist
$ klist -k

when you are logged in as root?

Thank you again!

Baptiste.

2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
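The check Louis asks for ("do you have your machine credential in /etc/krb5.keytab?") written out as an added example; this is not code from the thread or from Louis's setup script. It parses a `klist -k` listing on the client and reports what the client can offer for a mount made as root, covering both the keytab setup in the first message and the "no credentials found" keytab in this one; the realm SAMDOM.COM and client name MYCLIENT come from the messages above, and both keytab listings are constructed samples.

```sh
#!/bin/sh
# Added example, not code from the thread. It parses the text of `klist -k`
# on an NFSv4 client and reports what the client can offer rpc.gssd for a
# mount made as root. As the thread shows, root has no user ticket cache and
# is served from the keytab: with the machine principal (MYCLIENT$@REALM)
# present the mount works but files arrive owned by the machine account;
# without it rpc.gssd logs "no credentials found". All values are constructed.

REALM="SAMDOM.COM"
CLIENT_SHORT="MYCLIENT"

# Constructed: the client keytab from Baptiste's second message, holding only
# nfs/ service entries (the "no credentials found" state).
KEYTAB_NFS_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM'

# Constructed: the same keytab after the machine principal and the "root"
# domain user were added with samba-tool domain exportkeytab.
KEYTAB_FIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 MYCLIENT$@SAMDOM.COM
   1 root@SAMDOM.COM'

# keytab_principals TEXT: distinct principal names from klist -k output
# (data rows are "KVNO principal"; header and ruler lines are skipped).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# has_principal TEXT NAME: succeed if NAME is listed in the keytab.
has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# root_mount_credential TEXT: the principal rpc.gssd can use for a mount
# made as root, or "none" when the machine principal is missing.
root_mount_credential() {
    machine="${CLIENT_SHORT}\$@${REALM}"
    if has_principal "$1" "$machine"; then printf '%s\n' "$machine"; else printf 'none\n'; fi
}

# owner_seen_on_server TEXT: how the server will list files root writes:
# the machine account (the thread's "SAMDOM\MYCLIENT$"), never local root.
owner_seen_on_server() {
    if [ "$(root_mount_credential "$1")" = "none" ]; then printf 'mount fails\n'
    else printf '%s\\%s$\n' "${REALM%%.*}" "$CLIENT_SHORT"; fi
}

for kt in "$KEYTAB_NFS_ONLY" "$KEYTAB_FIXED"; do
    echo "principals: $(keytab_principals "$kt" | tr '\n' ' ')"
    echo "root mount credential: $(root_mount_credential "$kt")"
    echo "owner seen on server: $(owner_seen_on_server "$kt")"
done
```

To run it against a real client, replace the constructed listings with `"$(klist -k)"` and adjust REALM and CLIENT_SHORT to your domain.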
Hai Baptiste,

I re-checked my setup and you're totally correct. I can not enter the nfsV4 mounted directory as root.

What I've added in idmap.conf is this:

Domain = your_DNS_domain.tld

[Translation]
Method = nsswitch

And I found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu

I'm testing this now.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 11:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
On 09/10/15 08:59, Prunk Dump wrote:
> -> on the server
> $ ls -al /srv/nfs4/myshare/testfile
> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
>
> But I need root access !

Kerberos only allows access to users in the realm. root is a local user.
HTH
You are right! But it's possible to create a root kerberos principal like here:
http://docs.oracle.com/cd/E19253-01/816-4557/fgohx/

But I can't get this to work with a samba kerberos realm....

2015-10-09 22:32 GMT+02:00 buhorojo <buhorojo.lcb at gmail.com>:
> Kerberos only allows access to users in the realm. root is a local user.
> HTH