Hai Batiste,

Ok, thanks for these, i'll test that also.

And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and per example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html

First my work here, but this is a good one which i also need to adjust in my scripts, so thank you for asking this on the samba list ;-)

Gr,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
> Sent: Friday 9 October 2015 14:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> Thanks Louis ! Very interesting !
>
> Maybe the simplest method is to set a static translation.
>
> 1) Enabling the no_root_squash option in /etc/exports
>
> 2) Set the translation in /etc/idmapd.conf
>
> ------------------------
> /etc/idmap.conf
> ------------------------
>
> ...
> [Translation]
>
> Method = static,nsswitch
>
> [Static]
>
> MYCLIENT$@SAMDOM.COM = root
>
> ------------------------
>
> But I don't understand why, with samba, we can't authenticate as
> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
> seems that it is because we can't kinit them. But I don't understand
> why...
>
> Thanks again !
>
> Baptiste.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
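To make the translation order in the idmapd.conf Baptiste posted concrete, here is a small Python model of how a GSS principal is mapped to a local uid by trying the configured methods in order (static first, then nsswitch). It is an added illustration, not code from nfs-utils, from the thread or from Louis's scripts: the config text, the passwd table and the winbind-style `SAMDOM\name` probe in the nsswitch stand-in are constructed assumptions, and `root_mappings()` is an audit helper that lists every principal the `[Static]` section hands uid 0 to, which is the list worth reviewing before `no_root_squash` is enabled on the export.

```python
"""Model of nfsidmap's ordered GSS-name translation (static, then
nsswitch) for the [Translation]/[Static] config posted in the thread.
Added illustration only; not code from nfs-utils or from the thread's
scripts.  IDMAPD_CONF and PASSWD are constructed sample data."""
import configparser

# Constructed idmapd.conf mirroring the sections Baptiste posted.
IDMAPD_CONF = """
[General]
Domain = samdom.com

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
"""

# Constructed stand-in for the passwd database the nsswitch method would
# consult (name -> uid).  Domain accounts carry the winbind-style
# "SAMDOM\\name" form seen in the thread's ls output; root is local.
PASSWD = {
    "root": 0,
    "nobody": 65534,
    "SAMDOM\\validuser": 10005,
    "SAMDOM\\myclient$": 11000,
}


def load_config(text):
    """Parse idmapd.conf text, keeping option names case-sensitive so a
    principal such as MYCLIENT$@SAMDOM.COM survives intact."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp


def gss_methods(cp):
    """Ordered method list for GSS-authenticated names; GSS-Methods
    falls back to Method when it is not set."""
    value = (cp.get("Translation", "GSS-Methods", fallback=None)
             or cp.get("Translation", "Method", fallback="nsswitch"))
    return [m.strip() for m in value.split(",") if m.strip()]


def _passwd_lookup(name):
    """Case-insensitive name -> uid lookup in the constructed table."""
    for entry, uid in PASSWD.items():
        if entry.lower() == name.lower():
            return uid
    return None


def translate_gss(cp, principal):
    """Map a GSS principal to (uid, method), trying methods in order.
    (None, None) means no method matched; a real server then falls back
    to the anonymous identity, the "nobody" owner the SUSE howto quoted
    in the thread describes."""
    for method in gss_methods(cp):
        if method == "static":
            if cp.has_option("Static", principal):
                uid = _passwd_lookup(cp.get("Static", principal))
                if uid is not None:
                    return uid, "static"
        elif method == "nsswitch":
            # Strip the realm, then try the bare name and the
            # DOMAIN\name form winbind registers (constructed convention).
            name, _, realm = principal.partition("@")
            domain = realm.split(".")[0]
            for candidate in (name, f"{domain}\\{name}"):
                uid = _passwd_lookup(candidate)
                if uid is not None:
                    return uid, "nsswitch"
    return None, None


def root_mappings(cp):
    """Audit helper: every principal the [Static] section maps to a
    uid-0 account.  Each one is a credential that yields server-side
    root once no_root_squash is set, so the list should stay short."""
    if not cp.has_section("Static"):
        return []
    return sorted(p for p, local in cp.items("Static")
                  if _passwd_lookup(local) == 0)


CFG = load_config(IDMAPD_CONF)

if __name__ == "__main__":
    for p in ("MYCLIENT$@SAMDOM.COM", "validuser@SAMDOM.COM", "ghost@SAMDOM.COM"):
        print(p, "->", translate_gss(CFG, p))
    print("principals mapped to uid 0:", root_mappings(CFG))
```

Running it shows the machine principal resolving to uid 0 through the static method, a domain user resolving through nsswitch, and an unknown principal resolving to nothing; removing `static` from the method list makes the same machine principal resolve to its winbind uid instead, which is the difference in ownership the thread keeps running into.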
Hi,
Sorry for this necrobump.... But I still can't use my local root
user to browse the content of my NFSv4/Krb5 share...... (other permissions
are checked when root uses this share)
So a lot of questions appeared during my tests :
- Must I have the same idmap.conf on both client and server ?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
placed before it in the 'Method' and 'GSS-Methods' lists ?
- Must the root user use kinit before exploring ?
And the most important question : Is there anybody who succeeded in
accessing (with a real root behaviour !!) an nfsv4/krb5 share in a
Samba4/Krb5/NFSv4 setup ?
Thanks in advance,
Best regards,
Bruno
PS: I sent a mail this morning about access to this share from a local
user (www-data), but I think that granting access to root may be a good
starting point !!
On 09/10/2015 at 15:42, L.P.H. van Belle wrote:
> Hai Batiste,
>
> Ok, thanks for these, i'll test that also.
>
> And the "why" is a bit more explained here.
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
> and per example,
> http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
>
> First my work here, but this is a good one which i also need to adjust in
> my scripts, so thank you for asking this on the samba list ;-)
>
> Gr,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>> Sent: Friday 9 October 2015 14:11
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Thanks Louis ! Very interesting !
>>
>> Maybe the simplest method is to set a static translation.
>>
>> 1) Enabling the no_root_squash option in /etc/exports
>>
>> 2) Set the translation in /etc/idmapd.conf
>>
>> ------------------------
>> /etc/idmap.conf
>> ------------------------
>>
>> ...
>> [Translation]
>>
>> Method = static,nsswitch
>>
>> [Static]
>>
>> MYCLIENT$@SAMDOM.COM = root
>>
>> ------------------------
>>
>> But I don't understand why, with samba, we can't authenticate as
>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
>> seems that it is because we can't kinit them. But I don't understand
>> why...
>>
>> Thanks again !
>>
>> Baptiste.
>>
>>
>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>> Ok, now it's clear to me.
>>>
>>> We need to set UMICH_SCHEMA in idmap.conf
>>> Read : http://linux.die.net/man/5/idmapd.conf
>>>
>>> Working on it now.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>> Sent: Friday 9 October 2015 13:34
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>
>>>> Ok, not working...
>>>>
>>>> But found this...
>>>>
>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>>>
>>>> 4.5 A known issue using NFS with kerberos
>>>> _________________________________________
>>>>
>>>> Even if "no_root_squash" option is used, while exporting a filesystem at the
>>>> server, root on the client gets a "Permission denied" error when creating
>>>> files on the mount point.
>>>>
>>>> This is because there is no proper mapping between root and the
>>>> GSSAuthName.
>>>>
>>>> Note: Trying to set 777 permission is not correct as it is not secure.
>>>> Also, any file created on the mountpoint will have "nobody" as owner.
>>>>
>>>> There is a work around for this if both NFS server and client use
>>>> umich_ldap methods to authenticate. If the idmapd on both server and
>>>> client is configured to use umich_ldap modules then having GSSAuthName
>>>> (<nfs/hostname@realm>) parameter map to root user, on the ldap server
>>>> will solve this problem.
>>>>
>>>>
>>>> Still reading, but should be solveable..
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>> Sent: Friday 9 October 2015 13:17
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>
>>>>> Hai Baptiste,
>>>>>
>>>>> I re-checked my setup and you're totally correct.
>>>>> I can not enter the nfsV4 mounted directory as root.
>>>>>
>>>>> What i've added in idmap.conf
>>>>> Is this :
>>>>> Domain = your_DNS_domain.tld
>>>>>
>>>>> [Translation]
>>>>>
>>>>> Method = nsswitch
>>>>>
>>>>> And i found this link.
>>>>>
>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>>>>>
>>>>> I'm testing this now.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>> Sent: Friday 9 October 2015 11:34
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>
>>>>>> Thank you very much Louis !
>>>>>>
>>>>>> I have tried your setup and I can't mount the share, neither from the
>>>>>> server itself nor from the client.
>>>>>>
>>>>>> On /var/log/syslog I have :
>>>>>>
>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>>>>>>
>>>>>> This is because the machine principal is not present in the keytab :
>>>>>>
>>>>>> $ klist -k
>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>
>>>>>> If I add the machine principal, I can mount the share but the root user
>>>>>> writes as "machine" not as "root".
>>>>>>
>>>>>> Can you check your setup ? Do you have your machine credential in
>>>>>> /etc/krb5.keytab ? (with klist -k)
>>>>>>
>>>>>> Do you do something related with kerberos when you login as root ?
>>>>>>
>>>>>> Do you have additional options in "/etc/idmap.conf" ?
>>>>>>
>>>>>> Can you give me the result of :
>>>>>>
>>>>>> $ klist
>>>>>> $ klist -k
>>>>>>
>>>>>> when you are logged in as root ?
>>>>>>
>>>>>> Thank you again !
>>>>>>
>>>>>> Baptiste.
>>>>>>
>>>>>>
>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>> Hai,
>>>>>>>
>>>>>>> I had it the other way around. Only root access.
>>>>>>>
>>>>>>> I have scripted my setup and tested on debian.
>>>>>>> Look here
>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>>>>>>>
>>>>>>> If you get the file, setup-nfsv4-kerberos.sh and compare it to your
>>>>>>> setup.
>>>>>>> If you can read the bash script maybe you see something you missed.
>>>>>>>
>>>>>>> When i write as "root" it's root and not the machine account who owns
>>>>>>> the file.
>>>>>>>
>>>>>>> How is your exports file on the server configured?
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>> Sent: Friday 9 October 2015 8:59
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
>>>>>>>>
>>>>>>>> Hello samba team !
>>>>>>>>
>>>>>>>> I have some NFS4 exports managed by a Samba's Kerberos realm. All the
>>>>>>>> standard user accesses work fine.
>>>>>>>>
>>>>>>>> I try now to setup an NFS4 root access to administer the share from
>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
>>>>>>>> trouble understanding the kerberos/principals layer.
>>>>>>>>
>>>>>>>> ------------
>>>>>>>> Actually I do
>>>>>>>> -------------
>>>>>>>>
>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
>>>>>>>> $ samba-tool user add nfs-myserver --random-password
>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>>>>>>>
>>>>>>>> -> on the client I use the machine keytab.
>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>>>>>>>
>>>>>>>> With this setup all my domain users can write to the share. But when I
>>>>>>>> try with the root account it uses the machine keytab (that's normal,
>>>>>>>> root is not a domain user but he has access to the keytab) :
>>>>>>>>
>>>>>>>> -> on the client as root
>>>>>>>> $ touch /myshare/testfile
>>>>>>>>
>>>>>>>> -> on the server
>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
>>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
>>>>>>>>
>>>>>>>> But I need root access !
>>>>>>>>
>>>>>>>> ----------
>>>>>>>> I have tried with a root/myclient service principal name
>>>>>>>> ----------
>>>>>>>>
>>>>>>>> -> on the client I create a root/myclient spn and export it to the keytab
>>>>>>>> $ samba-tool user add root-myclient --random-password
>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>>>>>>>
>>>>>>>> But nothing changes when I access the share. I tried to kinit this
>>>>>>>> principal but it fails. However kinit with the machine principal works.
>>>>>>>>
>>>>>>>> $ kinit -k root/myclient.samdom.com
>>>>>>>> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in
>>>>>>>> kerberos database while getting initial credentials
>>>>>>>>
>>>>>>>> $ kinit -k MYCLIENT$
>>>>>>>> ok
>>>>>>>>
>>>>>>>> ---------
>>>>>>>> I tried creating a samba root user.
>>>>>>>> ---------
>>>>>>>>
>>>>>>>> -> on the client I create a root user and export it to the keytab
>>>>>>>> $ samba-tool user add root
>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>>>>>>>
>>>>>>>> Same problem but here "kinit -k root" works.
>>>>>>>>
>>>>>>>> $ kinit -k root
>>>>>>>> ok
>>>>>>>>
>>>>>>>>
>>>>>>>> ------
>>>>>>>> I tried to kinit another samba user
>>>>>>>> ------
>>>>>>>>
>>>>>>>> -> on the client I kinit a valid user and write to the share
>>>>>>>>
>>>>>>>> $ kinit validuser
>>>>>>>> $ touch /myshare/testfile2
>>>>>>>>
>>>>>>>> Here the nfs4 connection is not made with the validuser's principal.
>>>>>>>> Always with the machine's principal.
>>>>>>>>
>>>>>>>>
>>>>>>>> -------
>>>>>>>> So
>>>>>>>> -------
>>>>>>>>
>>>>>>>> I don't understand why I can "kinit root" but not "kinit
>>>>>>>> root/myclient.samdom.com". What's the difference between these
>>>>>>>> principals ?
>>>>>>>>
>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
>>>>>>>> the machine's principal ?
>>>>>>>>
>>>>>>>> I don't know if the problem comes from the creation of kerberos
>>>>>>>> principals or comes from the nfs4 client not choosing the correct
>>>>>>>> principal...
>>>>>>>>
>>>>>>>> Can someone give me a tip ?
>>>>>>>>
>>>>>>>> Thanks !
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Hi,
>
> Sorry for this necrobump.... But I still can't use my local root
> user to browse the content of my NFSv4/Krb5 share...... (other permissions
> are checked when root uses this share)
>
> So a lot of questions appeared during my tests :
>
> - Must I have the same idmap.conf on both client and server ?
> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
> placed before it in the 'Method' and 'GSS-Methods' lists ?
> - Must the root user use kinit before exploring ?
>
> And the most important question : Is there anybody who succeeded in
> accessing (with a real root behaviour !!) an nfsv4/krb5 share in a
> Samba4/Krb5/NFSv4 setup ?
>
> Thanks in advance,
> Best regards,
> Bruno
>
> PS: I sent a mail this morning about access to this share from a local
> user (www-data), but I think that granting access to root may be a
> good starting point !!

I scanned through the rest of what you posted and I think you have Samba 4 running as a DC with Unix clients joined to it, is this correct ?

If so, then the only way to get the same UIDs & GIDs on all of them, is to use RFC2307 attributes and the winbind 'ad' backend on the clients.

Now we come to the root user, this user is somewhat similar to the 'Local Administrator' on windows and as such shouldn't be in AD. On the DC, 'Administrator' is automatically mapped to 'root':

root@dc1:~# getent passwd Administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

This doesn't happen on a Samba Unix domain member, but what you can do is do the mapping in smb.conf. Add the line

username map = /etc/samba/user.map

Then create the map file /etc/samba/user.map with this content:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restart Samba and then 'Administrator' should be mapped to 'root'.

The 'root' user should never be in AD.

Rowland
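To show what the user.map entry in Rowland's answer actually does when smbd resolves an incoming account name, here is a small Python model of the "username map" rules: file order, the `!` prefix that stops processing after a match, the `*` wildcard and the `@group` form. It is an added illustration and not Samba's own code; the map text, the catch-all second entry and the group table are constructed, and the case-insensitive comparison of names is an assumption of this model. `names_reaching()` is an audit helper that answers the question a defender asks of such a file: which incoming names end up as the uid-0 account.

```python
"""Model of how smb.conf's "username map" rewrites an incoming account
name, to show what the user.map line from the thread does.  Added
illustration only, not Samba's own code; the map text, the catch-all
entry and the group table are constructed sample data."""
import re

# Constructed user.map holding the single entry from the thread
# (backslashes are doubled only because this is a Python string).
USER_MAP = """
# map the AD administrator account to the local root user
!root = SAMDOM\\Administrator SAMDOM\\administrator Administrator administrator
"""

# Same entry followed by a constructed catch-all, to show what "!" changes.
USER_MAP_WITH_CATCHALL = USER_MAP + "guest = *\n"

# Constructed group membership for the "@group" form (keys lower-cased).
GROUPS = {"samdom\\nfsadmins": ["SAMDOM\\alice"]}

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted names may contain spaces


def parse_username_map(text):
    """Return [(unix_name, [patterns], stop)] in file order.  Lines are
    'unix = name name ...'; '#' or ';' starts a comment; a leading '!'
    on the unix name stops processing once that line matches."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        patterns = [t.strip('"') for t in _TOKEN.findall(right)]
        rules.append((unix_name, patterns, stop))
    return rules


def _matches(name, patterns, groups):
    """Does `name` match any pattern?  Comparison is case-insensitive
    here (model assumption); '*' matches anything, '@g' matches members."""
    low = name.lower()
    for pat in patterns:
        if pat == "*":
            return True
        if pat.startswith("@"):
            if any(m.lower() == low for m in groups.get(pat[1:].lower(), [])):
                return True
        elif pat.lower() == low:
            return True
    return False


def map_username(rules, incoming, groups=GROUPS):
    """Apply the rules top to bottom.  A line's result is fed to the
    lines after it, so a later entry can remap it unless the matching
    line carried '!'."""
    current = incoming
    for unix_name, patterns, stop in rules:
        if _matches(current, patterns, groups):
            current = unix_name
            if stop:
                break
    return current


def names_reaching(rules, target, candidates, groups=GROUPS):
    """Audit helper: which candidate incoming names end up as `target`
    (for example the uid-0 account 'root')."""
    return sorted(c for c in candidates if map_username(rules, c, groups) == target)


if __name__ == "__main__":
    rules = parse_username_map(USER_MAP)
    for name in ("SAMDOM\\Administrator", "administrator", "SAMDOM\\validuser"):
        print(name, "->", map_username(rules, name))
    print("names reaching root:",
          names_reaching(rules, "root", ["Administrator", "SAMDOM\\validuser", "root"]))
```

With the thread's entry alone, the four spellings of the administrator account become `root` and every other name passes through unchanged. The constructed catch-all shows why the `!` matters: with it, `Administrator` stays `root` because processing stops at the first line; without it, the same name is matched again by `guest = *` and ends up as `guest`.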
Hai,

Here you go.. But all my settings are scripted.
https://github.com/thctlo/samba4 found here.
Read the script : samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)
It's tested and works on debian jessie.
It contains the nfs server settings and client settings.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno MACADRÉ
> Sent: Monday 1 August 2016 17:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> Hi,
>
> Sorry for this necrobump.... But I still can't use my local root
> user to browse the content of my NFSv4/Krb5 share...... (other permissions
> are checked when root uses this share)
>
> So a lot of questions appeared during my tests :
>
> - Must I have the same idmap.conf on both client and server ?
> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
> placed before it in the 'Method' and 'GSS-Methods' lists ?
> - Must the root user use kinit before exploring ?
>
> And the most important question : Is there anybody who succeeded in
> accessing (with a real root behaviour !!) an nfsv4/krb5 share in a
> Samba4/Krb5/NFSv4 setup ?
>
> Thanks in advance,
> Best regards,
> Bruno
>
> PS: I sent a mail this morning about access to this share from a local
> user (www-data), but I think that granting access to root may be a good
> starting point !!
But > >>>> when > >>>>> I > >>>>>>>> try with the root account it use the machine keytab (that's > >> normal, > >>>>>>>> root is not a domain user but he have access to the keytab) : > >>>>>>>> > >>>>>>>> -> on the client as root > >>>>>>>> $ touch /myshare/testfile > >>>>>>>> > >>>>>>>> -> on the server > >>>>>>>> $ ls -al /srv/nfs4/myshare/testfile > >>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers > >> .... > >>>>>>>> /nfs4/myshare/tesfile > >>>>>>>> > >>>>>>>> But I need root access ! > >>>>>>>> > >>>>>>>> ---------- > >>>>>>>> I have tried with a root/myclient service principal name > >>>>>>>> ---------- > >>>>>>>> > >>>>>>>> -> on the client I create an root/myclient spn and export to > >> keytab > >>>>>>>> $ samba-tool user add root-myclient --random-password > >>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient > >>>>>>>> $ samba-tool domain exportkeytab -- > >>>> principal=root/myclient.samdom.com > >>>>>>>> /etc/krb5.keytab > >>>>>>>> > >>>>>>>> But nothings change when I access the share. I tried to kinit > >> this > >>>>>>>> principal but it fail. However kinit with the machine principal > >>>>> works. > >>>>>>>> $ kinit -k root/myclient.samdom.com > >>>>>>>> kinit: Client 'root/myclient.samdom.com at SAMDOM.COM' not found in > >>>>>>>> kerberos database while getting initial credentials > >>>>>>>> > >>>>>>>> $ kinit -k MYCLIENT$ > >>>>>>>> ok > >>>>>>>> > >>>>>>>> --------- > >>>>>>>> I tried creating a samba root user. > >>>>>>>> --------- > >>>>>>>> > >>>>>>>> -> on the client I create a root user and export to keytab > >>>>>>>> $ samba-tool user add root > >>>>>>>> $ samba-tool domain exportkeytab --principal=root > >> /etc/krb5.keytab > >>>>>>>> Same problem but here "kinit -k root" works. 
> >>>>>>>> > >>>>>>>> $ kinit -k root > >>>>>>>> ok > >>>>>>>> > >>>>>>>> > >>>>>>>> ------ > >>>>>>>> I tried to kinit anather samba user > >>>>>>>> ------ > >>>>>>>> > >>>>>>>> -> on the client I kinit a valid user and write to the share > >>>>>>>> > >>>>>>>> $ kinit validuser > >>>>>>>> $ touch /myshare/testfile2 > >>>>>>>> > >>>>>>>> Here the nfs4 connection is not made with the validuser's > >>>> principal. > >>>>>>>> Always with the machine's principal. > >>>>>>>> > >>>>>>>> > >>>>>>>> ------- > >>>>>>>> So > >>>>>>>> ------- > >>>>>>>> > >>>>>>>> I don't understand why in can "kinit root" but not "kinit > >>>>>>>> root/myclient.samdom.com". What's the difference between there > >>>>>>>> principals ? > >>>>>>>> > >>>>>>>> I don't understand how the nfs4 client choose the principal used > >> to > >>>>>>>> make the connection to the nfs4 share. Why the root user can > >> only > >>>> use > >>>>>>>> the machine's principal ? > >>>>>>>> > >>>>>>>> I don't know if the problem come from the creation of kerberos > >>>>>>>> principals or come from the nfs4 client not choosing the correct > >>>>>>>> principal... > >>>>>>>> > >>>>>>>> Can someone give me a tips ? > >>>>>>>> > >>>>>>>> Thanks ! > >>>>>>>> > >>>>>>>> Baptiste. 
> >>>>>>>> > >>>>>>>> -- > >>>>>>>> To unsubscribe from this list go to the following URL and read > >> the > >>>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> To unsubscribe from this list go to the following URL and read > >> the > >>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>> > >>>>> > >>>>> -- > >>>>> To unsubscribe from this list go to the following URL and read the > >>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > -- > > Bruno MACADRE > ------------------------------------------------------------------- > Ingénieur Systèmes et Réseau | Systems and Network Engineer > Département Informatique | Department of computer science > Responsable Info SER | SER IT Manager > Université de Rouen | University of Rouen > ------------------------------------------------------------------- > Coordonnées / Contact : > Université de Rouen > Faculté des Sciences et Techniques - Madrillet > Avenue de l'Université > CS 70012 > 76801 St Etienne du Rouvray CEDEX > FRANCE > > Tél : +33 (0)2-32-95-51-86 > Mob : +33 (0)6-74-71-45-64 > ------------------------------------------------------------------- > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Thanks, I'll see that today and come back !

Bruno
Hi Louis,
I read your script and changed my configuration accordingly, but it
still does not work.
Here are my conf files:
----- NFS SERVER SIDE (Ubuntu Server 14.04 x64) -----
/etc/fstab:
...
/home /nfs4export/homes none bind 0 0
...
/etc/exports:
...
/nfs4export NETWORK/24(ro,fsid=0,no_subtree_check,sync,sec=krb5)
/nfs4export/homes NETWORK/24(rw,sync,no_root_squash,no_subtree_check,sec=krb5)
...
/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids --debug all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS="-vvv"
RPCNFSDOPTS="--debug"
/etc/idmapd.conf:
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
/etc/smb.conf (compiled samba 4.2.3):
[global]
netbios name = FILSRV
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes
log level = 3
log file = /var/log/samba/log.%m
idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10
...
kerberos method = system keytab
FILSRV joined the DC fine.
- Adding SPN by the use of 'net ads keytab' => net ads keytab add nfs -U administrator
klist of FILSRV (klist -kt):
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 host/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv.domain@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 nfs/filsrv@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
  54 01/08/2016 10:31:59 FILSRV$@DOMAIN
----- CLIENT SIDE (XUbuntu 16.04 x64) -----
/etc/fstab:
...
filsrv:/homes /home nfs4 sec=krb5 0 0
...
/etc/idmapd.conf:
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
CLIENT1$@DOMAIN = root
host/client1.domain@DOMAIN = root
nfs/client1.domain@DOMAIN = root
nfs/client1.domain@ = root
/etc/smb.conf (Samba 4.3.9 from repos):
[global]
netbios name = CLIENT1
workgroup = WKG
security = ADS
realm = DOMAIN
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70000-80000
idmap config WKG:backend = ad
idmap config WKG:schema = rfc2307
idmap config WKG:range = 10000-60000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 10
kerberos method = system keytab
- Joining: Ok
- Adding SPN by: net ads keytab add nfs: Ok
- Mounting NFS share: Ok
- Authenticating users against Kerberos (with libpam-krb5): Ok
klist of Client1 (klist -kt):
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 host/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 nfs/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1.domain@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 root/client1@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
   4 01/08/2016 10:31:59 CLIENT1$@DOMAIN
Testing root access on NFS share:
For testing purposes a tstroot directory was created on the share
with a 0777 mode on it. When I 'touch foo' in this directory, the owner
of foo was nobody and its group nogroup...
When I look at the logs, something seems strange to me: rpc.idmapd
(server side) and nfsidmap (client side -- rpc.idmapd not needed anymore
on client apparently) never use the static method even if static was
specified (client side)...
Parts of syslog:
...
rpc.gssd: libnfsidmap: using domain: domain
rpc.gssd: libnfsidmap: Realms list: 'DOMAIN'
rpc.gssd: libnfsidmap: processing 'Method' list
rpc.gssd: libnfsidmap: loaded plugin
/lib/x86_64-linux-gnu/libnfsidmap/static.so for method static
rpc.gssd: libnfsidmap: loaded plugin
/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
rpc.gssd: Expiration time is 600 seconds.
...
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=user
nfsidmap: nfs4_uid_to_name: calling nsswitch->uid_to_name
nfsidmap: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
nfsidmap: nfs4_uid_to_name: final return value is 0
nfsidmap: Server : (user) id "65534" -> name "nobody@domain"
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
nfsidmap: nfs4_gid_to_name: calling nsswitch->gid_to_name
nfsidmap: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
nfsidmap: nfs4_gid_to_name: final return value is 0
nfsidmap: Server : (group) id "65534" -> name "nogroup@domain"
...
That's all for the moment.... sorry for this enormous mail, but
it's so strange that I can't choose what to show or not....
Greetz,
Bruno
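As an added example (my own code, not from this thread, from Louis's scripts or from nfs-utils), the following Python simulates the lookup libnfsidmap performs when an NFS server has to turn an authenticated GSS principal into a local uid, run against the two idmapd.conf files posted above. The behaviour of the static and nsswitch plugins is a simplified model and an assumption on my part: static matches the principal string exactly in [Static]; nsswitch accepts only realms listed in Local-Realm, strips the realm and looks the remainder up in passwd; anything unresolved ends at Nobody-User. The PASSWD table and its uids are constructed.

```python
"""Simulate libnfsidmap's GSS principal -> local user resolution.

Added example; the plugin behaviour below is a simplified model of the
static and nsswitch plugins (an assumption), not nfs-utils code.
"""
import configparser
import re

# Constructed stand-in for getpwnam(); the uids are invented.
PASSWD = {"root": 0, "bruno": 10001, "nobody": 65534}

# Server-side idmapd.conf as posted in the thread: nsswitch only, no [Static].
SERVER_CONF = """
[General]
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
"""

# Client-side idmapd.conf as posted in the thread, [Static] block included.
CLIENT_CONF = """
[General]
Domain = domain
Local-Realm = DOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
CLIENT1$@DOMAIN = root
host/client1.domain@DOMAIN = root
nfs/client1.domain@DOMAIN = root
nfs/client1.domain@ = root
"""

PRINCIPAL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")   # name@REALM, both non-empty


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep principal names case-sensitive
    cp.read_string(text)
    return cp


def gss_methods(cp):
    """Method order used for GSS principals: GSS-Methods, else Method."""
    tr = cp["Translation"]
    raw = tr.get("GSS-Methods", tr.get("Method", "nsswitch"))
    return [m.strip() for m in raw.split(",") if m.strip()]


def static_lookup(cp, principal):
    """static plugin: exact match of the principal string in [Static]."""
    if cp.has_section("Static") and cp.has_option("Static", principal):
        return cp["Static"][principal]
    return None


def nsswitch_lookup(cp, principal):
    """nsswitch plugin: realm must be in Local-Realm, then getpwnam(name)."""
    realms = [r.strip() for r in cp["General"].get("Local-Realm", "").split(",")]
    name, sep, realm = principal.rpartition("@")
    if not sep or realm not in realms:
        return None
    return name if name in PASSWD else None


PLUGINS = {"static": static_lookup, "nsswitch": nsswitch_lookup}


def gss_princ_to_uid(cp, principal):
    """Return (user, uid, method that matched) for an authenticated principal."""
    for method in gss_methods(cp):
        plugin = PLUGINS.get(method)          # plugins not modelled are skipped
        user = plugin(cp, principal) if plugin else None
        if user is not None and user in PASSWD:
            return user, PASSWD[user], method
    nobody = cp["Mapping"].get("Nobody-User", "nobody")
    return nobody, PASSWD[nobody], "nobody-fallback"


def lint_static(cp):
    """Flag [Static] keys that can never match a principal, and a 'static'
    method that is listed in Method but missing from GSS-Methods."""
    problems = []
    if cp.has_section("Static"):
        for key in cp["Static"]:
            if not PRINCIPAL_RE.match(key):
                problems.append(f"malformed principal in [Static]: {key!r}")
    tr = cp["Translation"]
    methods = tr.get("Method", "")
    if "static" in methods and "static" not in tr.get("GSS-Methods", methods):
        problems.append("static listed in Method but not in GSS-Methods")
    return problems


if __name__ == "__main__":
    for label, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        cp = load_conf(text)
        print(label, gss_princ_to_uid(cp, "CLIENT1$@DOMAIN"), lint_static(cp))
```

Against the server-side config (Method = nsswitch only) the machine principal CLIENT1$@DOMAIN falls through to the Nobody-User, which is the 65534 owner the syslog excerpt above shows; the same principal resolves to root only against the config that carries the [Static] block. The principal-to-uid step for a krb5-authenticated NFS context is performed on the NFS server, so a [Static] section that exists only in the client's idmapd.conf does not change the owner the server records. The lint also catches the `nfs/client1.domain@` entry, which has no realm and can never match an authenticated principal.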
On 02/08/2016 at 08:11, L.P.H. van Belle wrote:
> Hai,
>
> Here you go..
>
> But all my settings are scripted.
> https://github.com/thctlo/samba4
> found here.
>
> Read the script : samba-with-nfsv4.sh
> Start it like ./ samba-with-nfsv4.sh (client or server)
>
> Its tested and works on debian jessie.
> It contains the nfs server settings and client settings.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces@lists.samba.org] On Behalf Of Bruno MACADRÉ
>> Sent: Monday 1 August 2016 17:16
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>
>> Hi,
>>
>> Sorry for this necrobump.... But I still can't use my local root
>> user to browse the content of my NFSv4/Krb5 share...... (the 'others'
>> permissions are checked when root uses this share)
>>
>> So a lot of questions appeared during my tests:
>>
>> - Must I have the same idmap.conf on both client and server ?
>> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
>> placed before it in the 'Method' and 'GSS-Methods' lists ?
>> - Must the root user use kinit before exploring ?
>>
>> And the most important question: Is there anybody who has succeeded in
>> accessing (with real root behaviour !!) a nfsv4/krb5 share in a
>> Samba4/Krb5/NFSv4 setup ?
>>
>> Thanks in advance,
>> Best regards,
>> Bruno
>>
>> PS: I sent this morning a mail about access to this share from local
>> user (www-data), but I think that granting access to root may be a good
>> start point !!
>>
>> Le 09/10/2015 à 15:42, L.P.H. van Belle a écrit :
>>> Hai Batiste,
>>>
>>> Ok, thanks for these, i'll test that also.
>>>
>>> And the "why" is a bit more explained here.
>>>
>>
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.htm
>> l
>>> and per example,
>>>
>>
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
>>> First my work here, but this is a good one which i also need to
adjust
>> in my scripts, so thank you for asking this on the samba list ;-)
>>> Gr,
>>>
>>> Louis
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>> Sent: Friday 9 October 2015 14:11
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>
>>>> Thanks Louis! Very interesting!
>>>>
>>>> Maybe the simplest method is to set a static translation.
>>>>
>>>> 1) Enabling the no_root_squash option in /etc/exports
>>>>
>>>> 2) Set the translation in /etc/idmapd.conf
>>>>
>>>> ------------------------
>>>> /etc/idmap.conf
>>>> ------------------------
>>>>
>>>> ...
>>>> [Translation]
>>>>
>>>> Method = static,nsswitch
>>>>
>>>> [Static]
>>>>
>>>> MYCLIENT$@SAMDOM.COM = root
>>>>
>>>> ------------------------
>>>>
>>>> But I don't understand why, with samba, we can't authenticate as
>>>> client with nfs/myclient.samdom.com or root/myclient.samdom.com. It
>>>> seems that it is because we can't kinit them. But I don't understand
>>>> why...
>>>>
>>>> Thanks again!
>>>>
>>>> Baptiste.
>>>>
>>>>
>>>> 2015-10-09 13:39 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>> Ok, now it's clear to me.
>>>>>
>>>>> We need to set UMICH_SCHEMA in idmap.conf
>>>>> Read: http://linux.die.net/man/5/idmapd.conf
>>>>>
>>>>> Working on it now.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>>> Sent: Friday 9 October 2015 13:34
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>
>>>>>> Ok, not working...
>>>>>>
>>>>>> But found this...
>>>>>>
>>>>>> ( http://users.suse.com/~sjayaraman/nfs4_howto.txt )
>>>>>>
>>>>>> 4.5 A known issue using NFS with kerberos
>>>>>> _________________________________________
>>>>>>
>>>>>> Even if "no_root_squash" option is used, while exporting a filesystem at the
>>>>>> server, root on the client gets a "Permission denied" error when creating
>>>>>> files on the mount point.
>>>>>>
>>>>>> This is because there is no proper mapping between root and the
>>>>>> GSSAuthName.
>>>>>>
>>>>>> Note: Trying to set 777 permission is not correct as it is not secure. Also,
>>>>>> any file created on the mountpoint will have "nobody" as owner.
>>>>>>
>>>>>> There is a work around for this if both NFS server and client use umich_ldap
>>>>>> methods to authenticate. If the idmapd on both server and client is configured
>>>>>> to use umich_ldap modules then having GSSAuthName (<nfs/hostname@realm>)
>>>>>> parameter map to root user, on the ldap server will solve this problem.
>>>>>>
>>>>>> Still reading, but should be solvable..
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>>>>>>> Sent: Friday 9 October 2015 13:17
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>
>>>>>>> Hai Baptiste,
>>>>>>>
>>>>>>> I re-checked my setup and you're totally correct.
>>>>>>> I can not enter the nfsV4 mounted directory as root.
>>>>>>>
>>>>>>> What I've added in idmap.conf
>>>>>>> Is this:
>>>>>>> Domain = your_DNS_domain.tld
>>>>>>>
>>>>>>> [Translation]
>>>>>>>
>>>>>>> Method = nsswitch
>>>>>>>
>>>>>>> And I found this link.
>>>>>>>
>>>>>>> http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
>>>>>>>
>>>>>>> I'm testing this now.
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>> Sent: Friday 9 October 2015 11:34
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] kerberos nfs4's principals and root access
>>>>>>>>
>>>>>>>> Thank you very much Louis!
>>>>>>>>
>>>>>>>> I have tried your setup and I can't mount the share either from the
>>>>>>>> server itself or the client.
>>>>>>>>
>>>>>>>> In /var/log/syslog I have:
>>>>>>>>
>>>>>>>> rpc.gssd : ERROR : no credentials found for connecting to server myserver
>>>>>>>>
>>>>>>>> This is because the machine principal is not present in the keytab:
>>>>>>>> $ klist -k
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>> 1 nfs/myclient.samdom.com@SAMDOM.COM
>>>>>>>>
>>>>>>>> If I add the machine principal, I can mount the share but the root user
>>>>>>>> writes as "machine" not as "root".
>>>>>>>>
>>>>>>>> Can you check your setup? Do you have your machine credential in
>>>>>>>> /etc/krb5.keytab? (with klist -k)
>>>>>>>>
>>>>>>>> Do you do something related with kerberos when you login as root?
>>>>>>>>
>>>>>>>> Do you have additional options in "/etc/idmap.conf"?
>>>>>>>>
>>>>>>>> Can you give me the result of:
>>>>>>>>
>>>>>>>> $ klist
>>>>>>>> $ klist -k
>>>>>>>>
>>>>>>>> When you are logged in as root?
>>>>>>>>
>>>>>>>> Thank you again!
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-10-09 9:13 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>>>> Hai,
>>>>>>>>>
>>>>>>>>> I had it the other way around. Only root access.
>>>>>>>>>
>>>>>>>>> I have scripted my setup and tested on debian.
>>>>>>>>> Look here
>>>>>>>>> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>>>>>>>>>
>>>>>>>>> If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
>>>>>>>>> If you can read the bash script maybe you see something you missed.
>>>>>>>>> When I write as "root" it's root and not the machine account who owns the file.
>>>>>>>>> How is your exports file on the server configured?
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump
>>>>>>>>>> Sent: Friday 9 October 2015 8:59
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: [Samba] kerberos nfs4's principals and root access
>>>>>>>>>>
>>>>>>>>>> Hello samba team!
>>>>>>>>>>
>>>>>>>>>> I have some NFS4 exports managed by a Samba's Kerberos realm. All the
>>>>>>>>>> standard user accesses work fine.
>>>>>>>>>>
>>>>>>>>>> I am now trying to set up NFS4 root access to administer the share from
>>>>>>>>>> another server (the two hosts are DCs, one PDC and one SDC). But I have
>>>>>>>>>> trouble understanding the kerberos/principals layer.
>>>>>>>>>>
>>>>>>>>>> ------------
>>>>>>>>>> Actually I do
>>>>>>>>>> -------------
>>>>>>>>>>
>>>>>>>>>> -> on the server I create an nfs principal and export it to the keytab
>>>>>>>>>> $ samba-tool user add nfs-myserver --random-password
>>>>>>>>>> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> -> on the client I use the machine keytab.
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> With this setup all my domain users can write to the share. But when I
>>>>>>>>>> try with the root account it uses the machine keytab (that's normal,
>>>>>>>>>> root is not a domain user but it has access to the keytab):
>>>>>>>>>>
>>>>>>>>>> -> on the client as root
>>>>>>>>>> $ touch /myshare/testfile
>>>>>>>>>>
>>>>>>>>>> -> on the server
>>>>>>>>>> $ ls -al /srv/nfs4/myshare/testfile
>>>>>>>>>> -rw-r--r-- SAMDOM\MYCLIENT$ SAMDOM\Domain Controllers .... /nfs4/myshare/tesfile
>>>>>>>>>>
>>>>>>>>>> But I need root access!
>>>>>>>>>>
>>>>>>>>>> ----------
>>>>>>>>>> I have tried with a root/myclient service principal name
>>>>>>>>>> ----------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root/myclient spn and export to keytab
>>>>>>>>>> $ samba-tool user add root-myclient --random-password
>>>>>>>>>> $ samba-tool spn add root/myclient.samdom.com root-myclient
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root/myclient.samdom.com /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> But nothing changes when I access the share. I tried to kinit this
>>>>>>>>>> principal but it fails. However kinit with the machine principal works.
>>>>>>>>>> $ kinit -k root/myclient.samdom.com
>>>>>>>>>> kinit: Client 'root/myclient.samdom.com@SAMDOM.COM' not found in
>>>>>>>>>> kerberos database while getting initial credentials
>>>>>>>>>>
>>>>>>>>>> $ kinit -k MYCLIENT$
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>> ---------
>>>>>>>>>> I tried creating a samba root user.
>>>>>>>>>> ---------
>>>>>>>>>>
>>>>>>>>>> -> on the client I create a root user and export to keytab
>>>>>>>>>> $ samba-tool user add root
>>>>>>>>>> $ samba-tool domain exportkeytab --principal=root /etc/krb5.keytab
>>>>>>>>>> Same problem but here "kinit -k root" works.
>>>>>>>>>>
>>>>>>>>>> $ kinit -k root
>>>>>>>>>> ok
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------
>>>>>>>>>> I tried to kinit another samba user
>>>>>>>>>> ------
>>>>>>>>>>
>>>>>>>>>> -> on the client I kinit a valid user and write to the share
>>>>>>>>>>
>>>>>>>>>> $ kinit validuser
>>>>>>>>>> $ touch /myshare/testfile2
>>>>>>>>>>
>>>>>>>>>> Here the nfs4 connection is not made with the validuser's principal.
>>>>>>>>>> Always with the machine's principal.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------
>>>>>>>>>> So
>>>>>>>>>> -------
>>>>>>>>>>
>>>>>>>>>> I don't understand why I can "kinit root" but not "kinit
>>>>>>>>>> root/myclient.samdom.com". What's the difference between these
>>>>>>>>>> principals?
>>>>>>>>>>
>>>>>>>>>> I don't understand how the nfs4 client chooses the principal used to
>>>>>>>>>> make the connection to the nfs4 share. Why can the root user only use
>>>>>>>>>> the machine's principal?
>>>>>>>>>>
>>>>>>>>>> I don't know if the problem comes from the creation of kerberos
>>>>>>>>>> principals or from the nfs4 client not choosing the correct
>>>>>>>>>> principal...
>>>>>>>>>>
>>>>>>>>>> Can someone give me a tip?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Baptiste.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>
>
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
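An added example, not code from the thread and not from the setup scripts Louis links, that turns the questions this thread keeps returning to into offline checks: whether `static` precedes `nsswitch` in `Method` and `GSS-Methods`, whether the client's principal is mapped to root in `[Static]`, whether that principal is actually present in the keytab (the missing machine principal behind the `rpc.gssd ... no credentials found` error quoted above), and, from rpc.idmapd debug output, which server-side translations ended at nobody/nogroup like the ones at the top of this mail. The idmapd.conf text, the `klist -k` listings and the log lines are constructed samples using the thread's placeholders (SAMDOM.COM, MYCLIENT$, samdom.com); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the setup scripts it links:
# offline checks for the idmapd.conf [Static] workaround, the keytab contents and
# the rpc.idmapd debug output discussed above. Every input is a constructed sample.

# Constructed /etc/idmapd.conf in the shape of the thread's snippet
# (MYCLIENT$@SAMDOM.COM and samdom.com are the thread's placeholders).
SAMPLE_IDMAPD_CONF='[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
MYCLIENT$@SAMDOM.COM = root
nfs/myclient.samdom.com@SAMDOM.COM = root
'

# Constructed "klist -k" output: the state reported in the thread, where only the
# nfs/ service principal is present and the machine principal is missing.
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
   1 nfs/myclient.samdom.com@SAMDOM.COM
'
# The same keytab after the machine principal was exported as well.
SAMPLE_KLIST_K_FIXED="${SAMPLE_KLIST_K}   1 MYCLIENT\$@SAMDOM.COM
"

# Constructed rpc.idmapd debug lines in the shape of the log quoted at the top.
SAMPLE_IDMAPD_LOG='nfsidmap: nfs4_uid_to_name: final return value is 0
nfsidmap: Server : (user) id "65534" -> name "nobody@samdom.com"
nfsidmap: nfsdcb: authbuf=gss/krb5 authtype=group
nfsidmap: Server : (group) id "65534" -> name "nogroup@samdom.com"
nfsidmap: Server : (user) id "1000" -> name "alice@samdom.com"
'

# idmap_kv CONF SECTION: print "key<TAB>value" for each entry of one INI section.
idmap_kv() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^#/ || line == "" { next }
        line ~ /^\[/ { in_sec = (line == ("[" want "]")); next }
        in_sec {
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            printf "%s\t%s\n", k, v
        }'
}
# idmap_value CONF SECTION KEY: print one value (empty if absent).
idmap_value() { idmap_kv "$1" "$2" | awk -F'\t' -v key="$3" '$1 == key { print $2; exit }'; }
# principals_mapped_to CONF USER: every [Static] principal translated to USER.
principals_mapped_to() { idmap_kv "$1" Static | awk -F'\t' -v u="$2" '$2 == u { print $1 }'; }

# static_before_nsswitch "a,b,c": succeed only if "static" precedes "nsswitch".
static_before_nsswitch() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            m = $i; gsub(/[ \t]/, "", m)
            if (m == "static" && !s) s = i
            if (m == "nsswitch" && !n) n = i
        }
        exit !(s && n && s < n)
    }'
}
# keytab_has_principal KLIST_K PRINCIPAL: succeed if that exact principal is listed.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit !f }'
}
# idmapd_squashed_mappings LOG: "kind id name" for each server-side translation
# that ended at nobody/nogroup, the symptom of an id with no usable mapping.
idmapd_squashed_mappings() {
    printf '%s\n' "$1" | awk '/Server : \((user|group)\) id "/ {
        kind = $0; sub(/.*\(/, "", kind); sub(/\).*/, "", kind)
        id = $0;   sub(/.*id "/, "", id);  sub(/".*/, "", id)
        name = $0; sub(/.*name "/, "", name); sub(/".*/, "", name)
        if (name ~ /^(nobody|nogroup)(@|$)/) print kind, id, name
    }'
}

# check_root_mapping CONF KLIST_K PRINCIPAL: the three conditions the thread keeps
# returning to, each reported on its own line; also lists every principal mapped to
# root, because each one is effectively root on the export and deserves review.
check_root_mapping() {
    conf=$1; keytab=$2; princ=$3; rc=0
    for key in Method GSS-Methods; do
        if ! static_before_nsswitch "$(idmap_value "$conf" Translation "$key")"; then
            echo "FAIL: [Translation] $key does not list static before nsswitch"; rc=1
        fi
    done
    if ! principals_mapped_to "$conf" root | grep -qxF "$princ"; then
        echo "FAIL: $princ is not mapped to root in [Static]"; rc=1
    fi
    if ! keytab_has_principal "$keytab" "$princ"; then
        echo "FAIL: $princ is not in the keytab (rpc.gssd will find no credentials)"; rc=1
    fi
    echo "principals mapped to root: $(principals_mapped_to "$conf" root | tr '\n' ' ')"
    return $rc
}

# Demo: the thread's broken state, then the keytab with the machine principal added.
check_root_mapping "$SAMPLE_IDMAPD_CONF" "$SAMPLE_KLIST_K" 'MYCLIENT$@SAMDOM.COM' || true
check_root_mapping "$SAMPLE_IDMAPD_CONF" "$SAMPLE_KLIST_K_FIXED" 'MYCLIENT$@SAMDOM.COM'
idmapd_squashed_mappings "$SAMPLE_IDMAPD_LOG"
```

On a real client, run as root (the keytab is root-readable) and substitute `"$(cat /etc/idmapd.conf)"` and `"$(klist -k)"` for the samples; the third argument is whichever principal rpc.gssd ends up using for root, which in the thread is the machine account. The list of principals mapped to root is printed on purpose: the `[Static]` workaround makes every listed principal equivalent to root on the export, so it is worth re-reading each time the file changes. Note that the check only confirms the configuration is internally consistent; it does not by itself prove that rpc.idmapd will honour the `static` method first, which is exactly what Bruno reports as still unclear.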