Bruno MACADRÉ
2016-Aug-02 14:02 UTC
[Samba] FW: kerberos nfs4's principals and root access
** I truncate my initial mail below for size reason **

I've tried your tips but nothing better.... AD users can still access the share (phew !!), but local users no longer can.

I can't find where it blocks....

Thanks for your help Louis,

Greetz,
Bruno

On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
>
> You keep 2 ranges.
>
> One for the “local (linux) users”
>
> idmap config *:backend = tdb
> idmap config *:range = 11-9999
>
> One for the “AD users”
>
> idmap config YOURDOMAIN :backend = ad
> idmap config YOURDOMAIN : range = 10000-99999
>
> (source : https://wiki.samba.org/index.php/Idmap_config_ad )
>
> >But the idmap range modification apply only on server-side ?
>
> Yes, correct, only server side. And after changing it run net cache flush and/or net idmap flush
>
> Greetings,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* Bruno MACADRÉ [mailto:bruno.macadre at univ-rouen.fr]
> *Sent:* Tuesday 2 August 2016 14:59
> *To:* L.P.H. van Belle
> *Subject:* Re: FW: [Samba] kerberos nfs4's principals and root access
>
> Ok, I understand !!
>
> But does the idmap range modification apply only on the server side ? Or must I reflect this on clients (by changing WKS:range to 11-60000) ?
>
> Regards,
> Bruno
>
> On 02/08/2016 at 13:24, L.P.H. van Belle wrote:
>
> man smb.conf
>
> · system keytab - use only the system keytab for ticket verification
> · dedicated keytab - use a dedicated keytab for ticket verification
> · secrets and keytab - use the secrets.tdb first, then the system keytab
>
> Add a windows group to www-data and set the needed rights in /var/www/
>
> I do that for my ssh groups. ( one local group for system admins, one windows group for remote access)
>
> When ad is down systems admins can login, but the windows clients can not.
>
> How it influences
>
> ## map id's outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 11-9999
> ( NO 0-9999 ) or root mapping fails to work.
>
> Here www-data gets mapped to tdb files ( secrets from above )
> you need to change that range so www-data hits in tdb.
>
> But I haven't tried that, i just set a windows group right on the /var/www/domain/SITE_Folders.
>
> My website has the following layout.
>
> /var/www/localhost ( set all known ips for localhost here. )
> /var/www/hostname ( set all known ips for hostname here. )
> /var/www/noaccess ( set no ip or hostname here just * like debian default site ) (trap for script kiddies)
> /var/www/domain1/SITE_Folder ( set only the known hostnames here )
> /var/www/domain2/SITE_Folder ( set only the known hostnames here )
>
> A layout like this only works well if you define ALL known ips and names correctly.
>
> and i add acl_xattr:ignore system acl = yes to the share where i share www-data
> and only /var/www/domain1 gets a windows group access list.
>
> Greetz,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* Bruno MACADRÉ [mailto:bruno.macadre at univ-rouen.fr]
> *Sent:* Tuesday 2 August 2016 12:47
> *To:* L.P.H. van Belle
> *Subject:* Re: FW: [Samba] kerberos nfs4's principals and root access
>
> Thanks for this, I will answer later on the list when the mail is in it
>
> I will try your advice but there are two things that I don't understand :
>
> - Why delete 'no_root_squash' on the homes share, is it because it's the default behaviour ?
> - I don't understand the difference between the 'system keytab' and 'secrets and keytab' methods for kerberos and how it influences root access to NFS
>
> Actually my set up works fine for all AD users :
> - Login against Kerberos
> - Receiving valid ticket
> - Browsing NFS share (according to permissions) and accessing their home perfectly.
>
> My real problem resides in access to this share by client-local users (mostly root and www-data in the future)
>
> Thanks again, I will try these modifications and come back !
>
> Greetz,
> Bruno
>
> On 02/08/2016 at 12:05, L.P.H. van Belle wrote:
>
> A copy in advance, the mail is getting big so it takes time before it's in the samba list.
>
> You missed a few small things, see below.
>
> Greetz,
>
> Louis
>
> ------------------------------------------------------------------------
>
> *From:* L.P.H. van Belle [mailto:belle at bazuin.nl]
> *Sent:* Tuesday 2 August 2016 11:53
> *To:* 'samba at lists.samba.org'
> *Subject:* RE: [Samba] kerberos nfs4's principals and root access
>
> Most looks ok,
>
> Sometimes the nfs mount isn't mounted, i have that on 2 servers ( out of 15 )
> But those were the first 2 i tested with, a mount -a resolves that, haven't had time to review it.
>
> But if that happens.
>
> For the server : add ,x-systemd.automount to fstab.
>
> /home /nfs4export/homes none bind,x-systemd.automount 0 0
>
> For the exports add crossmnt depending on your setup ( man exports )
>
> And adjust like below. Your current setting is not correct.
>
> Try setting the server like below.
>
> # NFSv4 Root (/exports)
> /exports 192.168.0.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
>
> # NFSv4 (/exports/users)
> /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5)
>
> This is about the nouser/nogroup
>
> root_squash: Map requests from uid/gid 0 to the anonymous uid/gid.
>
> ( Server ) /etc/samba/smb.conf
>
> Add/change :
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> #and a very important one. Must have !!!
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> That covers it i think, try the suggestions above and reboot both servers.
>
> Login with a “NON” nfs user account and check if the mounts are done.
> If so, test with an nfs user AD account, see if you can access your own user dir.
> If not, kinit username , cd ~ . does it work now.
>
> Check if
> /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf
> exists with content
>
> [Unit]
> Before=remote-fs-pre.target
> Wants=remote-fs-pre.target
>
> Also, that's needed for mounts.
>
> Greetz,
>
> Louis
>
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> > > Sent: Tuesday 2 August 2016 10:46
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] kerberos nfs4's principals and root access
> > >
> > > Hi Louis,
> > >
> > > I read your script and changed my configuration accordingly, but it still does not work.
> > >
> > > <truncate ...>
> > >
> > > - Joining : Ok
> > > - Adding SPN by : net ads keytab add nfs : Ok
> > > - Mounting NFS share : Ok
> > > - Authenticating users against Kerberos (with libpam-krb5) : Ok
> > >
> > > klist of Client1 (klist -kt) :
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Timestamp Principal
> > > ---- ------------------- ------------------------------------------------------
> > > 4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 host/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 nfs/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 root/client1@DOMAIN
> > > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
> > > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
> > > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
> > > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
> > > 4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
> > >
> > > Testing root access on NFS share :
> > >
> > > For testing purposes a tstroot directory was created on the share with a 0777 mode on it. When I 'touch foo' in this directory the owner of foo was nobody and its group : nogroup...
> > >
> > > When I look at the logs, something sounds strange to me : rpc.idmapd (server side) and nfsidmap (client side -- rpc.idmapd not needed anymore on the client apparently) never use the static method even if static was specified (client side)...
> > >
> > > Parts of syslog :
> > > ...
> > > rpc.gssd: libnfsidmap: using domain: domain
> > > rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
> > > rpc.gssd: libnfsidmap: processing 'Method' list
> > > rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
> > > rpc.gssd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
> > > rpc.gssd: Expiration time is 600 seconds.
> > > ...
> > > nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
> > > nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
> > > nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> > > nfsidmap: nfs4_uid_to_name: final return value is 0
> > > nfsidmap: Server : (user) id "65534" -> name "nobody@domain"
> > > nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
> > > nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
> > > nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> > > nfsidmap: nfs4_gid_to_name: final return value is 0
> > > nfsidmap: Server : (group) id "65534" -> name "nogroup@domain"
> > > ...
> > >
> > > That's all for the moment.... sorry for this enormous mail, but it's so strange that i can't choose what to show or not....
> > >
> > > Greetz,
> > > Bruno
> > >
> > > On 02/08/2016 at 08:11, L.P.H. van Belle wrote:
> > > > Hai,
> > > >
> > > > Here you go..
> > > >
> > > > But all my settings are scripted.
> > > > https://github.com/thctlo/samba4
> > > > found here.
> > > >
> > > > Read the script : samba-with-nfsv4.sh
> > > > Start it like ./ samba-with-nfsv4.sh (client or server)
> > > >
> > > > It's tested and works on debian jessie.
> > > > It contains the nfs server settings and client settings.
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >> -----Original message-----
> > > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> > > >> Sent: Monday 1 August 2016 17:16
> > > >> To: samba at lists.samba.org
> > > >> Subject: Re: [Samba] kerberos nfs4's principals and root access
> > > >>
> > > >> Hi,
> > > >>
> > > >> Sorry for this necrobump.... But I still can't use my local root user to browse the content of my NFSv4/Krb5 share...... (others' permissions are checked when root uses this share)
> > > >>
> > > >> So a lot of questions appeared during my tests :
> > > >>
> > > >> - Must i have the same idmap.conf on both client and server ?
> > > >> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is placed before it in the 'Method' and 'GSS-Methods' list ?
> > > >> - Must the root user use kinit before exploring ?
> > > >>
> > > >> And the most important question : Is there anybody who succeeded in accessing (with real root behaviour !!) a nfsv4/krb5 share in a Samba4/Krb5/NFSv4 setup ?
> > > >>
> > > >> Thanks in advance,
> > > >> Best regards,
> > > >> Bruno
> > > >>
> > > >> PS: I sent a mail this morning about access to this share from a local user (www-data), but I think that granting access to root may be a good starting point !!
> > > >>
> > > >> On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
> > > >>> Hai Batiste,
> > > >>>
> > > >>> Ok, thanks for these, i'll test that also.
> > > >>>
> > > >>> And the "why" is a bit more explained here.
> > > >>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> > > >>> and per example,
> > > >>> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
> > > >>>
> > > >>> First my work here, but this is a good one which i also need to adjust in my scripts, so thank you for asking this on the samba list ;-)
> > > >>>
> > > >>> Gr,
> > > >>>
> > > >>> Louis
> > > >>>
> > > >>>> -----Original message-----
> > > >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > > >>>> Sent: Friday 9 October 2015 14:11
> > > >>>> To: samba at lists.samba.org
> > > >>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> > > >>>>
> > > >>>> Thanks Louis ! Very interesting !
> > > >>>>
> > > >>>> Maybe the simplest method is to set a static translation.
> > > >>>>
> > > >>>> 1) Enabling the no_root_squash option in /etc/exports
> > > >>>>
> > > >>>> 2) Set the translation in /etc/idmapd.conf
> > > >>>>
> > > >>>> ------------------------
> > > >>>> /etc/idmap.conf
> > > >>>> ------------------------
> > > >>>>
> > > >>>> ...
> > > >>>> [Translation]
> > > >>>>
> > > >>>> Method = static,nsswitch
> > > >>>>
> > > >>>> [Static]
> > > >>>>
> > > >>>> MYCLIENT$@SAMDOM.COM = root
> > > >>>>
> > > >>>> ------------------------
> > > >>>>
> > > >>>> But I don't understand why, with samba, we can't authenticate as client with nfs/myclient.samdom.com or root/myclient.samdom.com. It seems that it is because we can't kinit them. But I don't understand why...
> > > >>>>
> > > >>>> Thanks again !
> > > >>>>
> > > >>>> Baptiste.
> > > >>>>
> > > >>>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > >>>>> Ok, now it's clear to me.
> > > >>>>>
> > > >>>>> We need to set UMICH_SCHEMA in idmap.conf
> > > >>>>> Read : http://linux.die.net/man/5/idmapd.conf
> > > >>>>>
> > > >>>>> Working on it now.
> > > >>>>>
> > > >>>>> Greetz,
> > > >>>>>
> > > >>>>> Louis
> > > >>>>>
> > > >>>>>> -----Original message-----
> > > >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > > >>>>>> Sent: Friday 9 October 2015 13:34
> > > >>>>>> To: samba at lists.samba.org
> > > >>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> > > >>>>>>
> > > >>>>>> Ok, not working...
> > > >>>>>>
> > > >>>>>> But found this...
> > > >>>>>>
> > > >>>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
> > > >>>>>>
> > > >>>>>> 4.5 A known issue using NFS with kerberos
> > > >>>>>> _________________________________________
> > > >>>>>>
> > > >>>>>> Even if "no_root_squash" option is used, while exporting a filesystem at the server, root on the client gets a "Permission denied" error when creating files on the mount point.
> > > >>>>>>
> > > >>>>>> This is because there is no proper mapping between root and the GSSAuthName.
> > > >>>>>>
> > > >>>>>> Note: Trying to set 777 permission is not correct as it is not secure. Also, any file created on the mountpoint will have "nobody" as owner.
> > > >>>>>>
> > > >>>>>> There is a work around for this if both NFS server and client use umich_ldap methods to authenticate. If the idmapd on both server and client is configured to use umich_ldap modules then having GSSAuthName (<nfs/hostname@realm>) parameter map to root user, on the ldap server will solve this problem.
> > > >>>>>>
> > > >>>>>> Still reading, but should be solvable..
> > > >>>>>>
> > > >>>>>> Greetz,
> > > >>>>>>
> > > >>>>>> Louis
> > > >>>>>>
> > > >>>>>>> -----Original message-----
> > > >>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > > >>>>>>> Sent: Friday 9 October 2015 13:17
> > > >>>>>>> To: samba at lists.samba.org
> > > >>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> > > >>>>>>>
> > > >>>>>>> Hai Baptiste,
> > > >>>>>>>
> > > >>>>>>> I re-checked my setup and you're totally correct.
> > > >>>>>>> I can not enter the nfsV4 mounted directory as root.
> > > >>>>>>>
> > > >>>>>>> What i've added in idmap.conf
> > > >>>>>>> Is this :
> > > >>>>>>> Domain = your_DNS_domain.tld
> > > >>>>>>>
> > > >>>>>>> [Translation]
> > > >>>>>>>
> > > >>>>>>> Method = nsswitch
> > > >>>>>>>
> > > >>>>>>> And i found this link.
> > > >>>>>>>
> > > >>>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
> > > >>>>>>>
> > > >>>>>>> im testing this now.
> > > >>>>>>>
> > > >>>>>>> Greetz,
> > > >>>>>>>
> > > >>>>>>> Louis
> > > >>>>>>>
> > > >>>>>>>> -----Original message-----
> > > >>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > > >>>>>>>> Sent: Friday 9 October 2015 11:34
> > > >>>>>>>> To: samba at lists.samba.org
> > > >>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
> > > >>>>>>>>
> > > >>>>>>>> Thank you very much Louis !
> > > >>>>>>>>
> > > >>>>>>>> I have tried your setup and I can't mount the share, neither from the server itself nor from the client.
> > > >>>>>>>>
> > > >>>>>>>> On /var/log/syslog I have :
> > > >>>>>>>>
> > > >>>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
> > > >>>>>>>>
> > > >>>>>>>> This is because the machine principal is not present in the keytab :
> > > >>>>>>>> $ klist -k
> > > >>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
> > > >>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
> > > >>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
> > > >>>>>>>>
> > > >>>>>>>> If I add the machine principal I can mount the share, but the root user writes as "machine" not as "root".
> > > >>>>>>>>
> > > >>>>>>>> Can you check your setup ? Do you have your machine credential in /etc/krb5.keytab ? (with klist -k)
> > > >>>>>>>>
> > > >>>>>>>> Do you do something related with kerberos when you login as root ?
> > > >>>>>>>>
> > > >>>>>>>> Do you have additional options in "/etc/idmap.conf" ?
> > > >>>>>>>>
> > > >>>>>>>> Can you give me the result of :
> > > >>>>>>>>
> > > >>>>>>>> $klist
> > > >>>>>>>> $klist -k
> > > >>>>>>>>
> > > >>>>>>>> When you are logged in as root ?
> > > >>>>>>>>
> > > >>>>>>>> Thank you again !
> > > >>>>>>>>
> > > >>>>>>>> Baptiste.
> > > >>>>>>>>
> > > >>>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > >>>>>>>>> Hai,
> > > >>>>>>>>>
> > > >>>>>>>>> I had it the other way around. Only root access.
> > > >>>>>>>>>
> > > >>>>>>>>> I have scripted my setup and tested on debian.
> > > >>>>>>>>> Look here
> > > >>>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
> > > >>>>>>>>>
> > > >>>>>>>>> If you get the file, setup-nfsv4-kerberos.sh, and compare it to your setup.
> > > >>>>>>>>> If you can read the bash script maybe you see something you missed.
> > > >>>>>>>>> When i write as "root" it's root and not the machine account who owns the file.
> > > >>>>>>>>> How is your exports file on the server configured?
> > > >>>>>>>>>
> > > >>>>>>>>> Greetz,
> > > >>>>>>>>>
> > > >>>>>>>>> Louis
> > > >>>>>>>>>
> > > >>>>>>>>>> -----Original message-----
> > > >>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> > > >>>>>>>>>> Sent: Friday 9 October 2015 8:59
> > > >>>>>>>>>> To: samba at lists.samba.org
> > > >>>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
> > > >>>>>>>>>>
> > > >>>>>>>>>> Hello samba team !
> > > >>>>>>>>>>
> > > >>>>>>>>>> I have some NFS4 exports managed by a Samba Kerberos realm. All the standard user accesses work fine.
> > > >>>>>>>>>>
> > > >>>>>>>>>> I try now to set up NFS4 root access to administer the share from another server (the two hosts are DCs, one PDC and one SDC). But I have trouble understanding the kerberos/principals layer.
> > > >>>>>>>>>>
> > > >>>>>>>>>> ------------
> > > >>>>>>>>>> Actually I do
> > > >>>>>>>>>> -------------
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
> > > >>>>>>>>>> $ samba-tool user add nfs-myserver --random-password
> > > >>>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
> > > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the client I use the machine keytab.
> > > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
> > > >>>>>>>>>>
> > > >>>>>>>>>> With this setup all my domain users can write to the share. But when I try with the root account it uses the machine keytab (that's normal, root is not a domain user but it has access to the keytab) :
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the client as root
> > > >>>>>>>>>> $ touch /myshare/testfile
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the server
> > > >>>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
> > > >>>>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
> > > >>>>>>>>>>
> > > >>>>>>>>>> But I need root access !
> > > >>>>>>>>>>
> > > >>>>>>>>>> ----------
> > > >>>>>>>>>> I have tried with a root/myclient service principal name
> > > >>>>>>>>>> ----------
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the client I create a root/myclient spn and export to keytab
> > > >>>>>>>>>> $ samba-tool user add root-myclient --random-password
> > > >>>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
> > > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
> > > >>>>>>>>>>
> > > >>>>>>>>>> But nothing changes when I access the share. I tried to kinit this principal but it fails. However kinit with the machine principal works.
> > > >>>>>>>>>> $ kinit -k root/myclient.samdom.com
> > > >>>>>>>>>> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in kerberos database while getting initial credentials
> > > >>>>>>>>>>
> > > >>>>>>>>>> $ kinit -k MYCLIENT$
> > > >>>>>>>>>> ok
> > > >>>>>>>>>>
> > > >>>>>>>>>> ---------
> > > >>>>>>>>>> I tried creating a samba root user.
> > > >>>>>>>>>> ---------
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the client I create a root user and export to keytab
> > > >>>>>>>>>> $ samba-tool user add root
> > > >>>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
> > > >>>>>>>>>>
> > > >>>>>>>>>> Same problem but here "kinit -k root" works.
> > > >>>>>>>>>>
> > > >>>>>>>>>> $ kinit -k root
> > > >>>>>>>>>> ok
> > > >>>>>>>>>>
> > > >>>>>>>>>> ------
> > > >>>>>>>>>> I tried to kinit another samba user
> > > >>>>>>>>>> ------
> > > >>>>>>>>>>
> > > >>>>>>>>>> -> on the client I kinit a valid user and write to the share
> > > >>>>>>>>>>
> > > >>>>>>>>>> $ kinit validuser
> > > >>>>>>>>>> $ touch /myshare/testfile2
> > > >>>>>>>>>>
> > > >>>>>>>>>> Here the nfs4 connection is not made with validuser's principal. Always with the machine's principal.
> > > >>>>>>>>>>
> > > >>>>>>>>>> -------
> > > >>>>>>>>>> So
> > > >>>>>>>>>> -------
> > > >>>>>>>>>>
> > > >>>>>>>>>> I don't understand why I can "kinit root" but not "kinit root/myclient.samdom.com". What's the difference between these principals ?
> > > >>>>>>>>>>
> > > >>>>>>>>>> I don't understand how the nfs4 client chooses the principal used to make the connection to the nfs4 share. Why can the root user only use the machine's principal ?
> > > >>>>>>>>>>
> > > >>>>>>>>>> I don't know if the problem comes from the creation of kerberos principals or from the nfs4 client not choosing the correct principal...
> > > >>>>>>>>>>
> > > >>>>>>>>>> Can someone give me a tip ?
> > > >>>>>>>>>>
> > > >>>>>>>>>> Thanks !
> > > >>>>>>>>>>
> > > >>>>>>>>>> Baptiste.
> > > >>>>>>>>>>
> > > >>>>>>>>>> --
> > > >>>>>>>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> > > >>
> > > >> --
> > > >>
> > > >> Bruno MACADRE
> > > >> -------------------------------------------------------------------
> > > >> Ingénieur Systèmes et Réseau | Systems and Network Engineer
> > > >> Département Informatique | Department of computer science
> > > >> Responsable Info SER | SER IT Manager
> > > >> Université de Rouen | University of Rouen
> > > >> -------------------------------------------------------------------
> > > >> Coordonnées / Contact :
> > > >> Université de Rouen
> > > >> Faculté des Sciences et Techniques - Madrillet
> > > >> Avenue de l'Université
> > > >> CS 70012
> > > >> 76801 St Etienne du Rouvray CEDEX
> > > >> FRANCE
> > > >>
> > > >> Tél : +33 (0)2-32-95-51-86
> > > >> Mob : +33 (0)6-74-71-45-64
> > > >> -------------------------------------------------------------------
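The export table Louis recommends above and the static principal mapping Baptiste posted further down the thread can both be checked before a reboot. This is an added example, not code from the thread or from the scripts it links: the /etc/exports and /etc/idmapd.conf contents are constructed samples, and the nsswitch step is a simplified model of libnfsidmap (drop the realm, look the bare name up locally), not the real plugin.

```python
"""Check an NFSv4/Kerberos export table and an idmapd.conf static mapping.

Added example, not code from the thread or from any script it links. It models
two things the thread discusses: the export options Louis recommends (an fsid=0
pseudo-root, sec=krb5 on every export) and the ordered libnfsidmap
'Method = static,nsswitch' lookup Baptiste used to map a GSS principal onto a
local account. The configs below are constructed samples; the nsswitch step is
a simplified model of libnfsidmap (strip the realm, look the name up locally).
"""
import configparser
import re
from typing import Dict, List, Set, Tuple

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample: the layout Louis suggests in the thread.
GOOD_EXPORTS = """\
# NFSv4 Root (/exports)
/exports 192.168.0.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
# NFSv4 (/exports/users)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5)
"""

# Constructed sample of the kind of export table the checks are meant to catch.
WEAK_EXPORTS = """\
/srv/nfs4 192.168.0.0/24(rw,sync,no_subtree_check,no_root_squash)
"""

# Constructed sample after Baptiste's /etc/idmapd.conf fragment.
IDMAPD_CONF = """\
[General]
Domain = samdom.com

[Translation]
Method = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
"""


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return one (path, client, [options]) tuple per path/client pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^(]*)\(([^)]*)\)", client)
            if m:
                entries.append((path, m.group(1), [o for o in m.group(2).split(",") if o]))
            else:
                entries.append((path, client, []))   # client given with no option list
    return entries


def check_exports(text: str) -> List[str]:
    """Findings about the export table; an empty list means nothing to report."""
    entries = parse_exports(text)
    findings = []
    if not any("fsid=0" in opts for _, _, opts in entries):
        findings.append("no export carries fsid=0, so NFSv4 clients have no pseudo-root to mount")
    for path, client, opts in entries:
        secs = [o[len("sec="):].split(":") for o in opts if o.startswith("sec=")]
        flavors = set(sum(secs, [])) if secs else {"sys"}   # exportfs default is sec=sys
        if not flavors <= KRB5_FLAVORS:
            findings.append(f"{path} {client}: accepts non-Kerberos flavour(s) {sorted(flavors - KRB5_FLAVORS)}")
        if "no_root_squash" in opts:
            findings.append(f"{path} {client}: no_root_squash set; with sec=krb5 the client's root is still "
                            "identified by its keytab principal, and squashing is the usual safety net")
    return findings


def parse_idmapd(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return the ordered Method list and the [Static] principal -> user map."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                               # keep principal names case-sensitive
    cp.read_string(text)
    methods = [m.strip() for m in cp.get("Translation", "Method", fallback="nsswitch").split(",")]
    static = dict(cp.items("Static")) if cp.has_section("Static") else {}
    return methods, static


def gss_principal_to_user(principal: str, methods: List[str], static: Dict[str, str],
                          local_users: Set[str]) -> Tuple[str, str]:
    """Walk the Method list in order until one method maps the principal."""
    for method in methods:
        if method == "static" and principal in static:
            return static[principal], "static"
        if method == "nsswitch":
            name = principal.split("@", 1)[0]          # simplified model: drop the realm
            if name in local_users:
                return name, "nsswitch"
    return "nobody", "fallback"                        # the outcome the thread's logs show


if __name__ == "__main__":
    for label, table in (("good", GOOD_EXPORTS), ("weak", WEAK_EXPORTS)):
        print(label, check_exports(table))
    methods, static = parse_idmapd(IDMAPD_CONF)
    print(gss_principal_to_user("MYCLIENT$@SAMDOM.COM", methods, static, {"root", "www-data"}))
```

Run it as a script and it prints an empty finding list for the recommended table and three findings for the weak one; the last line shows the machine principal resolving to root through the static entry, which is the mapping Baptiste was after.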
Rowland Penny
2016-Aug-02 14:37 UTC
[Samba] FW: kerberos nfs4's principals and root access
On Tue, 2 Aug 2016 16:02:41 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:

> ** I truncate my initial mail below for size reason **
>
> I've tried your tips but nothing better.... AD users can still access the share (phew !!), but local users no longer can.
>
> I can't find where it blocks....
>
> Thanks for your help Louis,
>
> Greetz,
> Bruno
>
> On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
> >
> > You keep 2 ranges.
> >
> > One for the “local (linux) users”
> >
> > idmap config *:backend = tdb
> >
> > idmap config *:range = 11-9999

Please don't use 'range = 11-9999', it will not do what you think it will do. The '*' range is used for the 'BUILTIN' users & groups etc, so if you have system users or groups that use an ID in the range 11-1000, they will conflict with the Windows well known SIDs.

You can have local Unix users & groups, you can have AD domain users & groups, you can make an AD domain user or group into a Unix user or group by adding RFC2307 attributes, but what you cannot do is have the same user or group name in both /etc/passwd or /etc/group and AD, i.e. www-data can exist in /etc/passwd but it cannot be in AD at the same time.

To use kerberos, you need an SPN or UPN, this (as far as a Samba AD DC is concerned) needs to be stored in AD, so if the user isn't in AD, it cannot use kerberos.

Rowland
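Rowland's warning about the '*' range can be turned into a check run against a member server's smb.conf. This is an added example, not code from the thread: the smb.conf, /etc/passwd and /etc/group excerpts are constructed samples, and the list of AD account names is assumed to come from 'wbinfo -u' on the member server.

```python
"""Check smb.conf idmap ranges against each other and against local accounts.

Added example, not code from the thread. It encodes Rowland's point: the '*'
default range is where BUILTIN and other non-domain SIDs get their IDs, so it
must not contain the UID/GID of any local /etc/passwd or /etc/group account, it
must not overlap the AD domain's range, and a name must not exist both locally
and in AD. All file contents below are constructed samples; the AD name list
would normally come from 'wbinfo -u'.
"""
import re
from typing import Dict, List, Tuple

# Matches 'idmap config DOMAIN : key = value' (DOMAIN may be '*').
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample mirroring the setting Rowland warns about.
WEAK_SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 11-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-99999
"""

# Constructed sample with a '*' range that stays clear of local accounts.
FIXED_SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-99999
"""

# Constructed /etc/passwd and /etc/group excerpts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
www-data:x:33:
nogroup:x:65534:
"""


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Domain name (upper-cased, '*' for the default) -> (low, high)."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).strip().upper()] = (low, high)
    return ranges


def parse_ids(table: str) -> Dict[str, int]:
    """name -> numeric id from passwd/group style lines (name:x:id:...)."""
    ids = {}
    for line in table.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids[parts[0]] = int(parts[2])
    return ids


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(smb_conf: str, passwd: str, group: str, ad_names: List[str]) -> List[str]:
    """Findings about the idmap layout; an empty list means nothing to report."""
    ranges = parse_idmap_ranges(smb_conf)
    findings = []
    names = list(ranges)
    for i, x in enumerate(names):                      # every pair of ranges must be disjoint
        for y in names[i + 1:]:
            if overlaps(ranges[x], ranges[y]):
                findings.append(f"idmap ranges for {x} and {y} overlap")
    if "*" in ranges:
        low, high = ranges["*"]
        for kind, ids in (("user", parse_ids(passwd)), ("group", parse_ids(group))):
            for name, num in sorted(ids.items(), key=lambda kv: kv[1]):
                if low <= num <= high:
                    findings.append(f"local {kind} {name} (id {num}) lies inside the '*' range {low}-{high}")
    else:
        findings.append("no 'idmap config * : range' is set")
    for name in sorted(set(parse_ids(passwd)) & set(ad_names)):   # same name on both sides
        findings.append(f"'{name}' exists in both /etc/passwd and AD")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        for finding in check_idmap(conf, PASSWD, GROUP, ["alice"]) or ["ok"]:
            print(f"{label}: {finding}")
```

With the weak sample the script reports www-data's UID and GID (33) sitting inside the '*' range; with the corrected sample it prints "ok". Feed it a real AD name list and it will also flag any account, such as www-data, that exists on both sides.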
Bruno MACADRÉ
2016-Aug-02 15:05 UTC
[Samba] FW: kerberos nfs4's principals and root access
It's ok

So, if I create a httpuser and an httpgroup in my AD and use these as owner and group for my apache2 daemon, it could access the userdirs (as long as permissions grant it) ?

But I need to cron 'kinit' to keep a valid ticket... ?

My local root user still can't access the share, but my other problem seems to be resolved.

Thanks

On 02/08/2016 at 16:37, Rowland Penny wrote:
> On Tue, 2 Aug 2016 16:02:41 +0200
> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>
>> ** I truncate my initial mail below for size reason **
>>
>> I've tried your tips but nothing better.... AD users can still access the share (phew !!), but local users no longer can.
>>
>> I can't find where it blocks....
>>
>> Thanks for your help Louis,
>>
>> Greetz,
>> Bruno
>>
>> On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
>>> You keep 2 ranges.
>>>
>>> One for the “local (linux) users”
>>>
>>> idmap config *:backend = tdb
>>>
>>> idmap config *:range = 11-9999
> Please don't use 'range = 11-9999', it will not do what you think it will do. The '*' range is used for the 'BUILTIN' users & groups etc, so if you have system users or groups that use an ID in the range 11-1000, they will conflict with the Windows well known SIDs.
>
> You can have local Unix users & groups, you can have AD domain users & groups, you can make an AD domain user or group into a Unix user or group by adding RFC2307 attributes, but what you cannot do is have the same user or group name in both /etc/passwd or /etc/group and AD, i.e. www-data can exist in /etc/passwd but it cannot be in AD at the same time.
>
> To use kerberos, you need an SPN or UPN, this (as far as a Samba AD DC is concerned) needs to be stored in AD, so if the user isn't in AD, it cannot use kerberos.
>
> Rowland
>