Ken McDonald
2018-Feb-05 01:23 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in the Samba AD docs, or do I need something more substantial on the server & client for Kerberos NFS to work?

    [libdefaults]
    default_realm = SUBDOMAIN.DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & client. Most of the existing docs show commands to do this using a real KDC, not Samba AD. If I try to use the kadmin tool, there's a message about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

    nfs/server@subdomain.domain.com
    nfs/client@subdomain.domain.com

Are these created manually by adding some account in ADUC and then using "samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken

On 02/04/2018 06:29 PM, Luc Lalonde wrote:
> Hey Ken,
>
> We're using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students' home directories.
>
> I can answer specific questions if you've got some.
>
> Cheers, Luc.
>
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde@polymtl.ca
> -----------------------------
>
>> On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba@lists.samba.org> wrote:
>>
>> Is it possible to use Samba AD as the Kerberos KDC for NFSv4 servers and then have clients connect to them?
>>
>> I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions:
>>
>> https://help.ubuntu.com/community/NFSv4Howto
>>
>> And I seem to have adapted the keytab entries using this Samba AD info:
>>
>> https://wiki.samba.org/index.php/Generating_Keytabs
>>
>> But I'm kind of stuck getting the actual mount to work on the client side. I'll admit to never using Kerberos with NFS before, and my Samba AD knowledge is also fairly new (but I do have a working Samba AD for Windows and Linux client logins, groups, POSIX & Windows ACLs). I can't seem to find good information or a howto on implementing NFS Kerberos + Samba AD.
>>
>> Before I post actual questions and logs, is this configuration even possible?
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Ken McDonald
2018-Feb-05 05:13 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
I found one of my problems was that on the client, in the /etc/krb5.conf file, the domain name was in lower case. The one on the server was upper case. Upper-casing the client one fixed my nfs4 mount issue, but now I have another one.

The nfs4 krb5 export mounts on the remote client, but doesn't seem to recognize permissions. The mount directory is shown as owned by root and the group is 4294967294.

If I mount the export using nfs4 without krb5, it works as expected and the mount directory is owned by root and the group is from Samba AD as DOMAIN\group.

I suppose this has something to do with id mapping and a special requirement for nfs4 krb5. I have winbindd running, which of course is why my perms are working non-krb5.

Help?
L.P.H. van Belle
2018-Feb-05 11:00 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Hai,

NFSv4 and Samba work fine, but there is a big BUT, and you have found it already.

> The nfs4 krb5 export mounts on the remote client, but doesn't seem to
> recognize permissions. The mount directory is shown as owned by root and the group is 4294967294

Yes, the NFSv4 ACLs and system ACLs over Kerberos don't match anymore. This is a known problem and I don't know when it will be fixed.

I use atm this for the NFS server:

    # Test all sec variable.
    /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
    /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

This gives the option to test all sec= settings. Now if you use sys (not Kerberos), all rights work OK and you should have a 100% match.

I've tried one of the latest libnfsidmap files and built it for Debian Stretch:
http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt

> stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9

Since the changelogs indicate that it should be fixed with 0.27, but it's not; well, at least I did not get the correct ACLs with Kerberos mounts either. The irritation is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also.

See also my message to Debian:
https://lists.debian.org/debian-kernel/2017/11/msg00079.html

Now about the NFS keytab generation. (Use sys for now; that works fine.)

From: https://wiki.samba.org/index.php/Generating_Keytabs

    samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$"
    samba-tool spn add host/hostname.dom.tld@REALM "NETBIOSNAME\$"   < I don't use this one, imo only when you use multiple REALMs.
    samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab

Copy ~/nfs-hostname.keytab to the correct server.

    ktutil
    rkt /etc/krb5.keytab
    rkt ~/nfs-hostname.keytab
    list                      ... aka check it.
    wkt /etc/krb5.keytab.NEW

Stop samba/winbind.

    cp /etc/krb5.keytab{,.backup}
    cp /etc/krb5.keytab.NEW /etc/krb5.keytab

Start samba/winbind.

Give it a try.

Greetz,

Louis
Luc Lalonde
2018-Feb-05 13:01 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Hello Kevin,

We have a Samba/Windows 2008 R2 domain that's been running a few years now. Here are the details:

* clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis)
* idmap
* samba on clients/server for joining the domain

We have scripts that automatically create users with UnixHomeDir, UID and GUID numbers within AD.

I don't know about using Winbind... I dropped that option during testing. I found it to be a flaky daemon. SSSD also had more options.

Here's a sanitized version of some config files:

########## /etc/auto.master #################################
/users /etc/auto.home_all --timeout=60
#############################################################

########## /etc/auto.home_all ###############################
* -fstype=nfs4,rw,sec=krb5 server.example.com:/&
#############################################################

########## begin client /etc/samba/smb.conf ##########################
[global]
    workgroup = GIGL
    realm = example.com
    netbios name = workstation-name
    security = ADS
    password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    dedicated keytab file = /etc/krb5.keytab
########## end client /etc/samba/smb.conf ############################

########## begin server /etc/samba/smb.conf ##########################
[global]
    workgroup = GIGL
    realm = example.com
    netbios name = SERVER
    security = ADS
    password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    dedicated keytab file = /etc/krb5.keytab

[homes]
    comment = homes
    read only = No
    directory mask = 0700
    force directory mode = 0700
    create mask = 0600
    force create mode = 0600
    browseable = No
    valid users = %S
    follow symlinks = yes
########## end server /etc/samba/smb.conf ############################

############## begin /etc/krb5.conf ####################
[logging]
    default = SYSLOG:INFO:DAEMON
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        default_domain = example.com
        master_kdc = domserver1.example.com
        kdc = domserver1.example.com
        kdc = domserver2.example.com
        admin_server = domserver1.example.com
    }

[domain_realm]
    example.com = EXAMPLE.COM
    subnet1.example.com = EXAMPLE.COM
    .subnet1.example.com = EXAMPLE.COM
    subnet2.example.com = EXAMPLE.COM
    .subnet2.example.com = EXAMPLE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 10h
        renew_lifetime = 7d
        forwardable = true
        krb4_convert = false
        validate = true
    }
############## end /etc/krb5.conf #####################

Here's the command that I run to generate the keytab on the NFS server (after properly configuring /etc/samba/smb.conf):

#############
kinit Administrator@EXAMPLE.COM
rm -rf /etc/krb5.keytab; msktutil --delegation --dont-expire-password \
    --no-pac --computer-name server \
    --enctypes 0x1F -b "OU=Services" \
    -k /etc/krb5.keytab -h server.example.com \
    -s nfs/server.example.com \
    --upn nfs/server.example.com --verbose
rm -rf /etc/krb5.keytab
net ads join -k -UAdministrator
#############

Also, don't forget that you need the ServicePrincipalNames enabled for your NFS service. I don't know the command on Samba, but here's the command on Windows 2008 R2 (I keep these in OU=Services):

#############
setspn -A nfs/server.example.com example
setspn -A nfs/server server
setspn -L server
Registered ServicePrincipalNames for CN=server,OU=Services,DC=example,DC=com:
    nfs/server
    nfs/server.example.com
    HOST/server.example.com
    HOST/server
#############

And on the client:

#############
kinit Administrator@EXAMPLE.COM
rm -rf /etc/krb5.keytab; msktutil --server domserver1.example.com --delegation \
    --dont-expire-password --no-pac --computer-name workstation-client-nfs \
    --enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
    -h workstation-client.example.com \
    -s nfs/workstation-client.example.com \
    --upn nfs/workstation-client.example.com --verbose
#############

There are more details... too much to put in this email. Hopefully, this can get you on the right path. Maybe I should take the time to document this on the Samba Wiki.

Bye.
Ken McDonald
2018-Feb-05 13:10 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Louis,

Thank you for your insightful response. It's a shame that once I figured this all out, I got to such a terminal problem. I suppose the NFS4 krb5 remote mount ACL issue works OK with other, non-Samba AD KDCs? Is that the core issue of this problem, the KDC portion?

My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server, set up Samba AD as the user/group directory and make a file server sharing to both Windows and Linux Mint clients using SMB and NFS4 (encrypted) with POSIX & Windows ACLs for each style. I got that implementation to work quite well, all the way down to the NFS4 Kerberos ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I suppose I'll have to deploy it that way for now; changing to the encrypted style should be no problem in the future.

Strangely, I did not run into the "Using the Domain Controller as a File Server" problem, "Running shares with POSIX ACLs on a Samba DC is not supported", mentioned here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I guess this works because my Linux clients connect through NFS and get POSIX ACLs that way (even though those POSIX ACLs are making use of Samba AD users/groups through winbindd, with "idmap config DOMAIN:backend = ad")?

Any other helpful comments by anyone for this particular Samba AD file server implementation would be appreciated. I think I'll make a full step-by-step writeup once I get all this working.

-Ken
L.P.H. van Belle
2018-Feb-05 13:37 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Hai Ken,

I suggest, have a look here: https://github.com/thctlo/samba4/tree/master/howtos

This is my production setup on Debian Stretch. Now for Ubuntu 16.04 it's about the same; I suggest you read through it, you see it and get it ;-)

The order in which I install helps prevent errors in other steps, so take note of that.

I work with the AD backend for every server with shares; auth-only members can use rid in the mix, like a proxy server.

Why the AD backend? Very advisable for file servers, see
https://wiki.samba.org/index.php/Idmap_config_ad
and
https://wiki.samba.org/index.php/Idmap_config_rid

My only reason: AD advantage: IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost. .... I hate corruptions, happened one time... Never again...

And see below, I commented a bit also in between your lines.

> -----Original message-----
> From: Ken McDonald [mailto:ken@generation.tech]
> Sent: Monday, 5 February 2018 14:10
> To: L.P.H. van Belle; samba@lists.samba.org
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients
>
> Louis,
>
> Thank you for your insightful response. It's a shame that once I figured
> this all out, I got to such a terminal problem. I suppose the NFS4 krb5
> remote mount ACL issue works OK with other, non-Samba AD KDCs? Is
> that the core issue of this problem, the KDC portion?

It's only Linux as far as I know, but this is only a matter of time to get it fixed.

> My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server,
> set up Samba AD as the user/group directory and make a file server
> sharing to both Windows and Linux Mint clients using SMB and NFS4
> (encrypted) with POSIX & Windows ACLs for each style. I got that
> implementation to work quite well all the way down to the NFS4 Kerberos
> ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I
> suppose I'll have to deploy it that way for now; changing to the
> encrypted style should be no problem in the future.

For that I use:

    ignore system acls = yes

man smb.conf for the info about this one.

> Strangely, I did not run into the "Using the Domain Controller as a File
> Server" problem "Running shares with POSIX ACLs on a Samba DC is not
> supported" mentioned here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I guess this works because my Linux clients connect through NFS and get
> POSIX ACLs that way (even though those POSIX ACLs are making use of
> Samba AD users/groups through winbindd (with "idmap config DOMAIN:backend = ad")?
>
> Any other helpful comments by anyone for this particular Samba AD file
> server implementation would be appreciated. I think I'll make a full
> step-by-step writeup once I get all this working.

See my howtos and change them to Ubuntu, and send me a copy when done. ;-) Or better, put them on GitHub so I can fork them.

> -Ken

Good luck.

Louis
Ken McDonald
2018-Mar-05 00:36 UTC
[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
Louis,

Can we revisit this idea? As I posted in another thread, I am not able to get NFS-Kerberos to work normally; after snipping some source code I was able to get a mount to work.

Beyond that hangup, I have found that I can get id mapping and permissions to work with a remote-mounted NFS share using Kerberos by editing the file /etc/modprobe.d/nfsd.conf and adding this line:

    options nfsd nfs4_disable_idmapping=0

After rebooting, verify it's working by

    cat /sys/module/nfsd/parameters/nfs4_disable_idmapping

which should return "N". This seems to make the permission, user and group mapping work across NFS.

Got the info here: https://serverfault.com/questions/766869/nfs4-id-mapping

-Ken
> Irritation is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also. > > See also my message to debian: > https://lists.debian.org/debian-kernel/2017/11/msg00079.html > > > Now about the keytab nfs generation. ( use sys for now that works fine.) > From : https://wiki.samba.org/index.php/Generating_Keytabs > > samba-tool spn add host/hostname.dom.tld "NETBIOSNAME\$" > samba-tool spn add host/hostname.dom.tld at REALM "NETBIOSNAME\$" < i dont use this one, imo only when you use muliple REALMS. > samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab > Copy ~/nfs-hostname.keytab to the correct server. > > ktutil > rkt /etc/krb5.keytab > rkt ~/nfs-hostname.keytab > list ... Aka check it. > wkt /etc/krb5.keytab.NEW > > stop samba/winbind > cp /etc/krb5.keytab{,.backup} > cp /etc/krb5.keytab.NEW /etc/krb5.keytab > Start samba/winbind > > Give it a try > > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ken >> McDonald via samba >> Verzonden: maandag 5 februari 2018 6:14 >> Aan: samba >> Onderwerp: Re: [Samba] Using Samba AD for NFSV4 Kerberos >> servers and clients >> >> I found one of my problems was that on the client, in the >> /etc/krb5.conf >> file, the domain name was in lower case. The one on the >> server was upper >> case. Upper case'ing the client one fixed my nfs4 mount >> issue, but now I >> have another one. >> >> The nfs4 krb5 export mounts on the remote client, but doesn't seem to >> recognize permissions. The mount directory is shown as owned >> by root and >> the group is 4294967294 >> >> If I mount the export using nfs4 without krb5 it works as >> expected and >> the mount directory is owned by root and the group is from >> Samba AD as >> DOMAIN\group >> >> I suppose this has something to do with id mapping and a special >> requirement for nfs4 krb5. 
I have winbindd running, which of >> course is >> why my perms are working non-krb5. >> >> Help? >> >> >> On 02/04/2018 08:23 PM, Ken McDonald via samba wrote: >>> Thanks Luc, >>> >>> First, can I just use the small /etc/krb5.conf suggested in >> Samba AD >>> docs or do I need something more substantial on the server & client >>> for Kerberos NFS to work? >>> >>> [libdefaults] >>> default_realm = SUBDOMAIN.DOMAIN.COM >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> I understand a /etc/krb5.keytab file has to be created on >> both server >>> & client. Most of the existing docs show commands to do >> this using a >>> real KDC, not Samba AD. If I try to use the kadmin tool, there's a >>> message about the krb5.conf being incomplete. I am able to >> use klist >>> and ktutil >>> >>> How do I generate the keytab file with the correct credentials? >>> >>> nfs/server at subdomain.domain.com >>> >>> nfs/client at subdomain.domain.com >>> >>> Are these created manually by adding some account in ADUC >> and then use >>> "samba-tool domain exportkeytab" to export the krb5.keytab file >>> >>> https://wiki.samba.org/index.php/Generating_Keytabs >>> >>> -Ken >>> >>> >>> >>> On 02/04/2018 06:29 PM, Luc Lalonde wrote: >>>> Hey Ken, >>>> >>>> We?re using AD as a Kerberos server for NFSv4 in our Linux labs to >>>> automount the students home directories. >>>> >>>> I can answer specific questions if you?ve got some. >>>> >>>> Cheers, Luc. >>>> >>>> >>>> Luc Lalonde, analyste >>>> ----------------------------- >>>> Département de génie informatique: >>>> École polytechnique de MTL >>>> (514) 340-4711 x5049 >>>> Luc.Lalonde at polymtl.ca >>>> ----------------------------- >>>> >>>>> On Feb 4, 2018, at 16:30, Ken McDonald via samba >>>>> <samba at lists.samba.org> wrote: >>>>> >>>>> Is it possible to use Samba AD for Kerberos KDC with NFV4 servers >>>>> and then have clients connect to them? >>>>> >>>>> I have Ubuntu Server for the server and Linux Mint for >> clients. 
So >>>>> far, I've got a lot setup according to these instructions >>>>> >>>>> https://help.ubuntu.com/community/NFSv4Howto >>>>> >>>>> And seem to have adapted the keytab entries from using >> this Samba AD >>>>> info >>>>> >>>>> https://wiki.samba.org/index.php/Generating_Keytabs >>>>> >>>>> But I'm kind of stuck getting the actual mount to work on >> a client >>>>> side. I'll admit to never using Kerberos with NFS before and my >>>>> Samba AD knowledge is also fairly new (but I do have >> working Samba >>>>> AD for Windows and Linux client logins, group, POSIX & >> Win ACls). I >>>>> can't seem to find good information or howto on implementing >>>>> NFSKerberos + SambaAD >>>>> >>>>> Before I post actual questions and logs, is this >> configuration even >>>>> possible? >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >
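The ktutil merge Louis describes above, scripted as an added example (not code from the thread, from Samba or from the Samba wiki): it merges the keytab exported with samba-tool into /etc/krb5.keytab, but checks the merged file with klist before replacing the old one, so a bad export cannot silently break the host's existing host/ and machine-account entries. Assumed: MIT Kerberos ktutil/klist as shipped on Debian/Ubuntu, root privileges, and winbind managed by a systemd unit named winbind.

```shell
#!/bin/sh
# Added example, not from the thread: merge the keytab produced by
# "samba-tool domain exportkeytab --principal=nfs/..." into the host's
# /etc/krb5.keytab, then verify the result before replacing the old file.
# Assumptions: MIT Kerberos ktutil/klist (Debian/Ubuntu krb5-user), run as
# root, and winbind managed by a systemd unit called "winbind".

# Print the unique principals from "klist -k" style output read on stdin.
# MIT klist -k prints "KVNO Principal" rows; keeping only rows whose first
# field is a number skips the header lines.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Exit 0 when the klist output on stdin lists the given principal exactly.
keytab_has_principal() {
    keytab_principals | grep -qxF -- "$1"
}

# merge_nfs_keytab NEW_KEYTAB PRINCIPAL
#   e.g. merge_nfs_keytab ~/nfs-hostname.keytab nfs/hostname.dom.tld@REALM
merge_nfs_keytab() {
    new_kt=$1; principal=$2
    sys_kt=/etc/krb5.keytab
    merged=$sys_kt.NEW
    # Same rkt/rkt/wkt sequence as in the thread, fed to ktutil on stdin.
    ktutil <<EOF
rkt $sys_kt
rkt $new_kt
wkt $merged
quit
EOF
    # Refuse to swap if the new nfs/ principal is missing ...
    if ! klist -k "$merged" | keytab_has_principal "$principal"; then
        echo "merged keytab lacks $principal; $sys_kt left untouched" >&2
        rm -f "$merged"; return 1
    fi
    # ... or if any principal of the old keytab (host/, NETBIOSNAME$) got lost.
    for p in $(klist -k "$sys_kt" | keytab_principals); do
        if ! klist -k "$merged" | keytab_has_principal "$p"; then
            echo "merged keytab lost $p; $sys_kt left untouched" >&2
            rm -f "$merged"; return 1
        fi
    done
    systemctl stop winbind
    cp "$sys_kt" "$sys_kt.backup"
    chmod 600 "$merged" && mv "$merged" "$sys_kt"
    systemctl start winbind
}
```

After the swap, klist -k /etc/krb5.keytab should list both the original entries and the nfs/ principal, and the client keytab is built the same way with its own nfs/client principal.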