Hi everyone

Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1

Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users.

I've set up the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home

Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)

/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"

I have used samba-tool to make an nfs service principal and it responds:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37

when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5

It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)

Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
d????????? ? ? ? ? ? mnt

You can see that /home has indeed been mounted but with strange permissions.

Has anyone tried nfs with Samba 4 Kerberos?
Why the permissions?
What am I missing?

Cheers,
Steve

On 2012-01-28 10:40, steve wrote:
> Hi everyone
> Version 4.0.0alpha18-GIT-bfc7481
> openSUSE 12.1
>
> Conventional nfs4 export works fine, but I'm having trouble
> kerberizing it for Samba 4 for my Samba 4 users.
>
> I've setup the nfs4 pseudo stuff like this:
> hh3:/ # mkdir /export
> hh3:/ # mkdir /export/home
> hh3:/ # mount --bind /home /export/home
>
> Here is /etc/exports:
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
> /export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>
> /etc/sysconfig/nfs has:
> NFS_SECURITY_GSS="yes"
>
> I have used samba-tool to make an nfs service principal and it responds:
> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for
> nfs/hh3.hh3.site at HH3.SITE [canonicalize, renewable]
> Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime:
> 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till:
> 2012-01-29T09:31:37
> when I:
> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>
> It mounts OK and mount shows:
> hh3:/home/ on /mnt type nfs4
> (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
>
> Authenticated Samba 4 users get 'Permission denied' when trying to cd to
> /mnt. Only root can enter. The permissions using ls -la are:
> d????????? ? ? ? ? ? mnt
> You can see that /home has indeed been mounted but with strange
> permissions.
>
> Has anyone tried nfs with Samba 4 Kerberos?
> Why the permissions?
> What am I missing?
>
> Cheers,
> Steve

root can enter, because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights.

I would check whether the user account with which you are trying to read/write/list/etc. the /mnt dir has got the nfs tickets, with a klist.

Regards
Geza
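
The klist check suggested in the reply above, as an added example that is not part of any post in this thread: it reads klist output and reports whether the cache holds a TGT and a service ticket for the nfs/ principal named in the original post. It assumes the MIT krb5 klist layout; the function name and the sample caches (including the user principal) are constructed for illustration.

```shell
#!/bin/sh
# Classify a Kerberos credential cache for a sec=krb5 NFS mount.
# Reads `klist` output on stdin (MIT krb5 layout assumed) and prints:
#   no-tgt      no krbtgt/ entry in the cache (or no cache at all)
#   tgt-only    a TGT is present but no nfs/<server>@ service ticket
#   nfs-ticket  an nfs/<server>@ service ticket is present
# $1 = NFS server FQDN exactly as it appears in the service principal.
nfs_ticket_state() {
    server=$1
    awk -v spn="nfs/$server@" '
        index($0, "krbtgt/") { tgt = 1 }   # ticket-granting ticket line
        index($0, spn)       { nfs = 1 }   # service ticket for this server
        END {
            if (nfs)      print "nfs-ticket"
            else if (tgt) print "tgt-only"
            else          print "no-tgt"
        }'
}

# Constructed sample: user has run kinit, no NFS service ticket cached.
SAMPLE_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@HH3.SITE

Valid starting     Expires            Service principal
01/28/12 09:31:37  01/28/12 19:31:37  krbtgt/HH3.SITE@HH3.SITE
        renew until 01/29/12 09:31:37'

# Constructed sample: same cache after a service ticket was obtained.
SAMPLE_WITH_NFS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@HH3.SITE

Valid starting     Expires            Service principal
01/28/12 09:31:37  01/28/12 19:31:37  krbtgt/HH3.SITE@HH3.SITE
        renew until 01/29/12 09:31:37
01/28/12 09:32:10  01/28/12 19:31:37  nfs/hh3.hh3.site@HH3.SITE
        renew until 01/29/12 09:31:37'

# Live use on the NFS client, run as the affected user (not root):
#   klist | nfs_ticket_state hh3.hh3.site
```
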

OK my problem is:
- I installed Samba4
- I created a Domain
- created users
- Windows workstations joined Domain
- DNS is Bind9

Everything is going OK for Windows users.

I am a Windows administrator who started to convert to Linux lately, so please explain step by step, with examples. For example, how did you create the principal for nfs, which is a service not a user, using the samba-tool command, as I couldn't understand what exactly that means, whether you added it as a machine or a service, and if there is a difference.

If you can reply with the needed steps to install an NFS server and configure it to authenticate using Kerberos authentication from Samba4 I would be thankful.

--
View this message in context: http://samba.2283325.n4.nabble.com/nfs4-with-Samba-4-tp4335728p4643339.html
Sent from the Samba - General mailing list archive at Nabble.com.