Hai Baptiste,

I re-checked my setup and you're totally correct.
I can not enter the nfsV4 mounted directory as root.

What I've added in idmap.conf
Is this :
Domain = your_DNS_domain.tld

[Translation]

Method = nsswitch

And I found this link.

http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu

I'm testing this now.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 11:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> Thank you very much Louis !
>
> I have tried your setup and I can't mount the share, neither from the
> server itself nor from the client.
>
> On /var/log/syslog I have :
>
> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>
> This is because the machine principal is not present in the keytab :
>
> $ klist -k
> 1 nfs/myclient.samdom.com@SAMDOM.COM
> 1 nfs/myclient.samdom.com@SAMDOM.COM
> 1 nfs/myclient.samdom.com@SAMDOM.COM
>
> If I add the machine principal, I can mount the share but the root user
> writes as "machine" not as "root".
>
> Can you check your setup ? Do you have your machine credential in
> /etc/krb5.keytab ? (with klist -k)
>
> Do you do something related with kerberos when you login as root ?
>
> Do you have additional options in "/etc/idmap.conf" ?
>
> Can you give me the result of :
>
> $ klist
> $ klist -k
>
> when you are logged in as root ?
>
> Thank you again !
>
> Baptiste.
>
>
> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > Hai,
> >
> > I had it the other way around. Only root access.
> >
> > I have scripted my setup and tested on debian.
> > Look here
> > https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> >
> > If you get the file, setup-nfsv4-kerberos.sh, and compare it to your setup.
> > If you can read the bash script maybe you see something you missed.
> >
> > When I write as "root" it's root and not the machine account who owns the file.
> >
> >
> > How is your exports file on the server configured?
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> >> Sent: Friday 9 October 2015 8:59
> >> To: samba at lists.samba.org
> >> Subject: [Samba] kerberos nfs4's principals and root access
> >>
> >> Hello samba team !
> >>
> >> I have some NFS4 exports managed by a Samba Kerberos realm. All the
> >> standard user accesses work fine.
> >>
> >> I am now trying to set up NFS4 root access to administer the share from
> >> another server (the two hosts are DCs, one PDC and one SDC). But I have
> >> trouble understanding the kerberos/principals layer.
> >>
> >> ------------
> >> Actually I do
> >> ------------
> >>
> >> -> on the server I create an nfs principal and export it to the keytab
> >> $ samba-tool user add nfs-myserver --random-password
> >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> >>
> >> -> on the client I use the machine keytab.
> >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> >>
> >> With this setup all my domain users can write to the share. But when I
> >> try with the root account it uses the machine keytab (that's normal,
> >> root is not a domain user but he has access to the keytab) :
> >>
> >> -> on the client as root
> >> $ touch /myshare/testfile
> >>
> >> -> on the server
> >> $ ls -al /srv/nfs4/myshare/testfile
> >> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
> >>
> >> But I need root access !
> >>
> >> ----------
> >> I have tried with a root/myclient service principal name
> >> ----------
> >>
> >> -> on the client I create a root/myclient spn and export it to the keytab
> >> $ samba-tool user add root-myclient --random-password
> >> $ samba-tool spn add root/myclient.samdom.com root-myclient
> >> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> >>
> >> But nothing changes when I access the share. I tried to kinit this
> >> principal but it fails. However kinit with the machine principal works.
> >>
> >> $ kinit -k root/myclient.samdom.com
> >> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in
> >> kerberos database while getting initial credentials
> >>
> >> $ kinit -k MYCLIENT$
> >> ok
> >>
> >> ---------
> >> I tried creating a samba root user.
> >> ---------
> >>
> >> -> on the client I create a root user and export it to the keytab
> >> $ samba-tool user add root
> >> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> >>
> >> Same problem, but here "kinit -k root" works.
> >>
> >> $ kinit -k root
> >> ok
> >>
> >>
> >> ------
> >> I tried to kinit another samba user
> >> ------
> >>
> >> -> on the client I kinit a valid user and write to the share
> >>
> >> $ kinit validuser
> >> $ touch /myshare/testfile2
> >>
> >> Here the nfs4 connection is not made with the validuser's principal.
> >> Always with the machine's principal.
> >>
> >>
> >> -------
> >> So
> >> -------
> >>
> >> I don't understand why I can "kinit root" but not "kinit
> >> root/myclient.samdom.com". What's the difference between these
> >> principals ?
> >>
> >> I don't understand how the nfs4 client chooses the principal used to
> >> make the connection to the nfs4 share. Why can the root user only use
> >> the machine's principal ?
> >>
> >> I don't know if the problem comes from the creation of the kerberos
> >> principals or from the nfs4 client not choosing the correct
> >> principal...
> >>
> >> Can someone give me a tip ?
> >>
> >> Thanks !
> >>
> >> Baptiste.
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
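Baptiste's question in the quoted message (is the machine credential in /etc/krb5.keytab, as shown by `klist -k`) is a keytab inventory. The POSIX sh functions below are an added example, not code from the thread or from Louis's setup-nfsv4-kerberos.sh: they parse `klist -k` output and report whether the two principals the thread shows a client using, nfs/<fqdn>@REALM and the AD machine account <SHORT>$@REALM, are present. The embedded listing is constructed to match the three nfs/ entries Baptiste posted; the host name, realm and keytab path are the thread's own placeholders, and the parser assumes MIT klist's two-column entry layout (KVNO, principal).

```shell
#!/bin/sh
# Added example (not from the thread): inventory a `klist -k` listing for the
# principals an NFSv4 client can use. The sample below is constructed to match
# the three entries Baptiste posted; a real run feeds `klist -k` on stdin.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM'

# keytab_principals: read MIT klist -k output on stdin and print each distinct
# principal once. Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# keytab_has PRINCIPAL: succeed if the exact principal is in the listing on stdin.
keytab_has() {
    keytab_principals | grep -qxF "$1"
}

# client_keytab_report FQDN REALM: read klist -k output on stdin and print one
# line per candidate principal, "present" or "missing". The candidates are the
# nfs/ service principal used in the thread and the AD machine account (short
# host name upper-cased plus '$'). Exit status is 0 only if at least one
# candidate is present, i.e. rpc.gssd has a credential it can use.
client_keytab_report() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    listing=$(cat)          # slurp stdin once so it can be scanned per candidate
    found=1
    for p in "nfs/$fqdn@$realm" "$short\$@$realm"; do
        if printf '%s\n' "$listing" | keytab_has "$p"; then
            echo "present  $p"
            found=0
        else
            echo "missing  $p"
        fi
    done
    return $found
}

# Stand-alone demo against the constructed sample. On a real client, as root:
#   klist -k | client_keytab_report "$(hostname -f)" SAMDOM.COM
printf '%s\n' "$SAMPLE_KLIST" | client_keytab_report myclient.samdom.com SAMDOM.COM
```

A `missing` line for the machine account is the state that produced Baptiste's `rpc.gssd : ERROR : no credentials found` message, and which his `samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab` step cures; the report is also a quick way to confirm that a keytab copied between hosts does not carry more principals than that host needs.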
Ok, now it's clear to me.

We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf

Working on it now.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 9 October 2015 13:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> Ok, not working...
>
> But found this...
>
> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>
> 4.5 A known issue using NFS with kerberos
> _________________________________________
>
> Even if "no_root_squash" option is used, while exporting a filesystem at the
> server, root on the client gets a "Permission denied" error when creating
> files on the mount point.
>
> This is because there is no proper mapping between root and the
> GSSAuthName.
>
> Note: Trying to set 777 permission is not correct as it is not secure. Also,
> any file created on the mountpoint will have "nobody" as owner.
>
> There is a work around for this if both NFS server and client use umich_ldap
> methods to authenticate. If the idmapd on both server and client is configured
> to use umich_ldap modules then having GSSAuthName (<nfs/hostname@realm>)
> parameter map to root user, on the ldap server will solve this problem.
>
>
> Still reading, but should be solvable..
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Friday 9 October 2015 13:17
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] kerberos nfs4's principals and root access
> >
> > [...]
Thanks Louis ! Very interesting !

Maybe the simplest method is to set a static translation.

1) Enabling the no_root_squash option in /etc/exports

2) Set the translation in /etc/idmapd.conf

------------------------
/etc/idmap.conf
------------------------

...
[Translation]

Method = static,nsswitch

[Static]

MYCLIENT$@SAMDOM.COM = root

------------------------

But I don't understand why, with samba, we can't authenticate as
client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
seems that it is because we can't kinit them. But I don't understand
why...

Thanks again !

Baptiste.


2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Ok, now it's clear to me.
>
> We need to set UMICH_SCHEMA in idmap.conf
> Read : http://linux.die.net/man/5/idmapd.conf
>
> Working on it now.
>
> Greetz,
>
> Louis
>
> [...]
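Baptiste's static translation above is a small idmapd.conf fragment, and there are two things worth checking on the real file: that `Method` in [Translation] actually lists `static` (otherwise the [Static] section is never consulted), and which principals end up mapped to root, because under no_root_squash each of them is a root-equivalent identity on the export. The POSIX sh functions below are an added example, not the thread's or the project's code; the configuration they parse is constructed from Baptiste's fragment plus a second, made-up mapping (nfs/backup.samdom.com) so the audit lists more than one principal, and the section and key names follow idmapd.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread): audit the static root mappings in an
# idmapd.conf. The file below is constructed from Baptiste's fragment; the
# nfs/backup.samdom.com mapping is made up so the audit has two hits.

SAMPLE_IDMAPD_CONF='[General]
Verbosity = 0
Domain = samdom.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
nfs/backup.samdom.com@SAMDOM.COM = root
'

# ini_pairs SECTION: print "key=value" (both trimmed) for every assignment in
# [SECTION] of the file on stdin. Section names compare case-insensitively;
# lines starting with # or ; are comments.
ini_pairs() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0; gsub(/[ \t]/, "", sec)
            sec = tolower(substr(sec, 2, length(sec) - 2))   # "[Static]" -> "static"
            next
        }
        sec == want && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }'
}

# ini_get SECTION KEY: the value of one key (case-insensitive, first match wins).
ini_get() {
    ini_pairs "$1" | awk -F= -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        'tolower($1) == k { print $2; exit }'
}

# static_root_principals: every principal the [Static] section maps to root.
static_root_principals() {
    ini_pairs Static | awk -F= '$2 == "root" { print $1 }'
}

# static_method_enabled: succeed only if Translation Method includes "static";
# without it idmapd never consults the [Static] section.
static_method_enabled() {
    ini_get Translation Method | tr ',' '\n' | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -qx static
}

# audit_static_root: read an idmapd.conf on stdin, report whether static
# translation is on and which principals become root. Exit 1 when root
# mappings exist but "static" is missing from Method (they would be ignored).
audit_static_root() {
    conf=$(cat)
    status=0
    if printf '%s\n' "$conf" | static_method_enabled; then
        echo "static translation: enabled"
    else
        echo "static translation: DISABLED (the [Static] section is ignored)"
        n=$(printf '%s\n' "$conf" | static_root_principals | grep -c . || true)
        [ "$n" -gt 0 ] && status=1
    fi
    printf '%s\n' "$conf" | static_root_principals | while read -r p; do
        echo "root-equivalent on this export: $p"
    done
    return $status
}

# Stand-alone demo against the constructed file. On the NFS server:
#   audit_static_root < /etc/idmapd.conf
printf '%s\n' "$SAMPLE_IDMAPD_CONF" | audit_static_root
```

The server is where the GSS principal is turned into a local uid, so that is where this audit matters. Each principal it lists is only as protected as the keytab holding it, so the client's /etc/krb5.keytab should stay root-owned and readable by root only, and the [Static] list should contain just the host that needs administrative access to the export.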
Hai Baptiste,

Ok, thanks for these, I'll test that also.

And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and for example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html

First my work here, but this is a good one which I also need to adjust in my scripts,
so thank you for asking this on the samba list ;-)

Gr,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 14:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> [...]
> >> > > >> > >> > > >> -- > >> > > >> To unsubscribe from this list go to the following URL and read > the > >> > > >> instructions: https://lists.samba.org/mailman/options/samba > >> > > > > >> > > > > >> > > > > >> > > > -- > >> > > > To unsubscribe from this list go to the following URL and read > the > >> > > > instructions: https://lists.samba.org/mailman/options/samba > >> > > > >> > > -- > >> > > To unsubscribe from this list go to the following URL and read the > >> > > instructions: https://lists.samba.org/mailman/options/samba > >> > > >> > > >> > > >> > -- > >> > To unsubscribe from this list go to the following URL and read the > >> > instructions: https://lists.samba.org/mailman/options/samba > >> > >> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba