Hello,

I am searching for a solution that I thought should be kind of standard, but until now I was not successful finding anything. Here is the problem:

At our site we offer Windows and Linux; most servers (e.g. file, samba, web) are Linux based. User data is stored on NFS file servers. Windows systems are part of a Windows domain with an ADS domain controller. At the moment the Linux samba server is joined to the ADS domain (ADSREALM.UNI-KOBLENZ.DE) and uses a "security=ADS" configuration. Works great with NFSv3.

Now I would like to set up a samba server that uses NFSv4/Kerberos to access user data instead of NFSv3. NFSv4 with sec=krb5 is running fine using a MIT Kerberos server for the realm (LINUXREALM.UNI-KOBLENZ.DE) running on Linux. So when I am root, e.g. on the samba server, I can access the NFSv4 mounted user directories without any problem.

Now here is the problem: When samba tries to access a directory of a Windows user, say "john" (john's home is NFSv4 mounted on the samba server), the samba process does this as the user "john", not root, and gets a permission denied, since for user "john" there is no Kerberos TGT allowing him to access the kerberized service NFS. This happens because a Windows user authenticates against the Windows ADS server when he logs in at Windows, and my MIT Kerberos server does not know anything about this.

Does anyone have a similar setup and a solution for the problem described that's working?

Thanks
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
Good day Rainer,

We use our Samba4/Win2k8 AD domain to authenticate all our Linux/Windows/OSX workstations.

The home directories are mounted using CIFS in the Windows and OSX clients and NFS4 (krb5) in our Linux labs.

Here's our documentation (French):

https://techwiki.gi.polymtl.ca/NFSv4_Kerberos

If Google Translate gives you something unintelligible, I'll be glad to clarify the translation to English.

Hope this helps!

--
Luc Lalonde, analyst
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

> On Mar 24, 2015, at 6:18 AM, Rainer Krienke <krienke at uni-koblenz.de> wrote:
>
> Hello,
>
> I am searching for a solution that I thought should be kind of standard,
> but until now I was not successful finding anything. Here is the problem:
>
> At our site we offer Windows and Linux; most servers (e.g. file, samba,
> web) are Linux based. User data is stored on NFS file servers. Windows
> systems are part of a Windows domain with an ADS domain controller. At
> the moment the Linux samba server is joined to the ADS domain
> (ADSREALM.UNI-KOBLENZ.DE) and uses a "security=ADS" configuration.
> Works great with NFSv3.
>
> Now I would like to set up a samba server that uses NFSv4/Kerberos to
> access user data instead of NFSv3. NFSv4 with sec=krb5 is running fine
> using a MIT Kerberos server for the realm (LINUXREALM.UNI-KOBLENZ.DE)
> running on Linux. So when I am root, e.g. on the samba server, I can access
> the NFSv4 mounted user directories without any problem.
>
> Now here is the problem: When samba tries to access a directory of a
> Windows user, say "john" (john's home is NFSv4 mounted on the samba
> server), the samba process does this as the user "john", not root, and gets
> a permission denied, since for user "john" there is no Kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a Windows user authenticates against the Windows ADS server when he logs
> in at Windows, and my MIT Kerberos server does not know anything about this.
>
> Does anyone have a similar setup and a solution for the problem
> described that's working?
>
> Thanks
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hello Luc,

thanks for your answer. If I understand you correctly, then you are using samba4 as the Windows domain controller and you do not have another Windows DC? So after all you have exactly one Kerberos server, which is part of the samba4 server?

Thanks
Rainer

On 24.03.2015 at 12:41, Luc Lalonde wrote:
> Good day Rainer,
>
> We use our Samba4/Win2k8 AD domain to authenticate all our
> Linux/Windows/OSX workstations.
>
> The home directories are mounted using CIFS in the Windows and OSX
> clients and NFS4 (krb5) in our Linux labs.
>
> Here's our documentation (French):
>
> https://techwiki.gi.polymtl.ca/NFSv4_Kerberos
>
> If Google Translate gives you something unintelligible, I'll be glad to
> clarify the translation to English.
>
> Hope this helps!
>
> --
> Luc Lalonde, analyst
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------

--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:
> Now here is the problem: When samba tries to access a directory of a
> Windows user, say "john" (john's home is NFSv4 mounted on the samba
> server), the samba process does this as the user "john", not root, and gets
> a permission denied, since for user "john" there is no Kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a Windows user authenticates against the Windows ADS server when he logs
> in at Windows, and my MIT Kerberos server does not know anything about this.
>
> Does anyone have a similar setup and a solution for the problem
> described that's working?

We've done something very similar eons ago with AFS. Similar problem. With the fake-kaserver Samba could create its own tickets. Something that in modern days you definitely do NOT want. We need to hook Samba much better into the nfsv4 client now. Somehow we need to acquire credentials for the NFS4 service; probably to do this MIT somehow needs to trust the AD with a cross-realm trust. If Samba has the nfsv4 ticket, we need to tell the kernel to use it when we switch to "john". Interesting project, but none of this is done yet unfortunately.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
On Tue, Mar 24, 2015 at 01:21:50PM +0100, Volker Lendecke wrote:
> On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:
> > Now here is the problem: When samba tries to access a directory of a
> > Windows user, say "john" (john's home is NFSv4 mounted on the samba
> > server), the samba process does this as the user "john", not root, and gets
> > a permission denied, since for user "john" there is no Kerberos TGT
> > allowing him to access the kerberized service NFS. This happens because
> > a Windows user authenticates against the Windows ADS server when he logs
> > in at Windows, and my MIT Kerberos server does not know anything about this.
> >
> > Does anyone have a similar setup and a solution for the problem
> > described that's working?
>
> We've done something very similar eons ago with AFS. Similar
> problem. With the fake-kaserver Samba could create its own
> tickets. Something that in modern days you definitely do NOT
> want. We need to hook Samba much better into the nfsv4
> client now. Somehow we need to acquire credentials for the
> NFS4 service; probably to do this MIT somehow needs to trust
> the AD with a cross-realm trust. If Samba has the nfsv4
> ticket, we need to tell the kernel to use it when we switch
> to "john". Interesting project, but none of this is done yet
> unfortunately.

I have some code that does this that I gave to a (large) user site to test. It took a forwarded ticket from the Windows client and saved it in the /tmp/krb5cc_XXXXX file so that the NFS client redirector on Linux could use it.

I got it to work in testing, but never got good feedback from the users, so I didn't finish it up.

I can dig it out again and forward port to 4.x if you like?

Jeremy.
We have a samba server from which we would like to share a directory that is nfs4 sec=krb5 mounted from another machine. However, the user has no Kerberos ticket on the samba server, and so their smbd process cannot access the NFS mount. If the samba server process took the user's Kerberos ticket and put it where rpc.gssd could find it, then it would have access.

On 05/12/2017 03:47 AM, L.P.H. van Belle wrote:
> Hi,
>
> May I ask what the problem is? Tried to understand it from reading the thread, but I can't figure that out.
> On my Debian (samba 4.6.3), I use Kerberos and NFSv4 almost everywhere.
> And I do reuse my client tickets.
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_Ki1hjqMDNM
> Default principal: username@MY_REALM
>
> Valid starting       Expires              Service principal
> 05/12/2017 09:53:19  05/12/2017 18:06:28  krbtgt/MY_REALM@MY_REALM
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@MY_REALM
>         renew until 05/19/2017 08:06:28
>
> Or is this not what you are looking for?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Orion Poplawski via samba
>> Sent: Wednesday, 10 May 2017 21:43
>> To: samba at lists.samba.org; Jeremy Allison
>> Subject: Re: [Samba] Samba server with NFSV4/kerberos
>>
>>> I have some code that does this that I gave to a (large) user site to test.
>>> It took a forwarded ticket from the Windows client and saved it in the
>>> /tmp/krb5cc_XXXXX file so that the NFS client redirector on Linux
>>> could use it.
>>>
>>> I got it to work in testing, but never got good feedback from the
>>> users, so I didn't finish it up.
>>>
>>> I can dig it out again and forward port to 4.x if you like?
>>>
>>> Jeremy.
>>
>> I would be very much interested in this if this is still around.
>>
>> --
>> Orion Poplawski
>> Technical Manager                 720-772-5637
>> NWRA, Boulder/CoRA Office         FAX: 303-415-9702
>> 3380 Mitchell Lane                orion at nwra.com
>> Boulder, CO 80301                 http://www.nwra.com
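The permission denied that Rainer and Orion describe comes down to what credential rpc.gssd can find for the uid smbd switches to. The following check is an added example, not code from the thread or from Samba; it assumes the default rpc.gssd cache naming (/tmp/krb5cc_<uid> or krb5cc_<uid>_<suffix>, matching the names quoted above) and the klist layout Louis posted, and it classifies the outcome, including the cross-realm case Volker raises (an AD TGT when the NFS server lives in the MIT realm).

```python
import re
from datetime import datetime

# Constructed klist output in the layout Louis quoted (not a real capture).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10002_Ki1hjqMDNM
Default principal: username@MY_REALM

Valid starting       Expires              Service principal
05/12/2017 09:53:19  05/12/2017 18:06:28  krbtgt/MY_REALM@MY_REALM
\trenew until 05/19/2017 08:06:28
05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@
\trenew until 05/19/2017 08:06:28
05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@MY_REALM
\trenew until 05/19/2017 08:06:28
"""
DATE_FMT = "%m/%d/%Y %H:%M:%S"
# Ticket lines start with two timestamps; the header and 'renew until' lines do not.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$")

def caches_for_uid(tmp_listing, uid):
    """Names in a /tmp listing that rpc.gssd would consider for this uid
    (assumed default naming: krb5cc_<uid> or krb5cc_<uid>_<suffix>)."""
    pat = re.compile(rf"^krb5cc_{int(uid)}(_.+)?$")
    return sorted(name for name in tmp_listing if pat.match(name))

def parse_klist(klist_text):
    """(service, realm, expires) per ticket line; 'nfs/host@' keeps realm ''."""
    tickets = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            service, _, realm = m.group(3).partition("@")
            tickets.append((service, realm, datetime.strptime(m.group(2), DATE_FMT)))
    return tickets

def diagnose(tmp_listing, uid, klist_text, nfs_host, nfs_realm, now):
    """Classify why a sec=krb5 access as this uid succeeds or is denied."""
    if not caches_for_uid(tmp_listing, uid):
        return "no credential cache for uid"  # the smbd-as-john case in the thread
    now = datetime.strptime(now, DATE_FMT)  # klist-style timestamp
    tickets = [t for t in parse_klist(klist_text) if t[2] > now]  # drop expired
    if any(s == f"nfs/{nfs_host}" and r == nfs_realm for s, r, _ in tickets):
        return "ok: valid nfs service ticket cached"
    tgts = [s for s, _, _ in tickets if s.startswith("krbtgt/")]
    if not tgts:
        return "no valid TGT: cannot obtain nfs service ticket"
    if f"krbtgt/{nfs_realm}" not in tgts:  # e.g. an AD TGT but NFS lives in the MIT realm
        return "TGT only for another realm: cross-realm TGT into nfs realm needed"
    return "ok: TGT available to request nfs service ticket"
```

Run it against a real listing of /tmp and the output of `klist -c` for the cache in question; only realm-qualified nfs/ entries count, so the bare `nfs/host@` alias line Louis's klist shows is not taken as the ticket.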