On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Hi,
>
> Sorry for this necrobump.... But I still can't use my local root
> user to browse the content of my NFSv4/Krb5 share...... (others'
> permissions are checked when root uses this share)
>
> So a lot of questions appeared during my tests:
>
> - Must I have the same idmap.conf on both client and server?
> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
>   placed before it in the 'Method' and 'GSS-Methods' lists?
> - Must the root user use kinit before exploring?
>
> And the most important question: has anybody succeeded in
> accessing (with real root behaviour!!) a nfsv4/krb5 share in a
> Samba4/Krb5/NFSv4 setup?
>
> Thanks in advance,
> Best regards,
> Bruno
>
> PS: I sent a mail this morning about access to this share from a local
> user (www-data), but I think that granting access to root may be a
> good starting point!!

I scanned through the rest of what you posted and I think you have Samba 4
running as a DC with Unix clients joined to it, is this correct?

If so, then the only way to get the same UIDs & GIDs on all of them is to
use RFC2307 attributes and the winbind 'ad' backend on the clients.

Now we come to the root user, this user is somewhat similar to the 'Local
Administrator' on Windows and as such shouldn't be in AD. On the DC,
'Administrator' is automatically mapped to 'root':

root@dc1:~# getent passwd Administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash

This doesn't happen on a Samba Unix domain member, but what you can do is
do the mapping in smb.conf. Add the line

username map = /etc/samba/user.map

Then create the map file /etc/samba/user.map with this content:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restart Samba and then 'Administrator' should be mapped to 'root'. The
'root' user should never be in AD.

Rowland
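The map file suggested above is processed by Samba's 'username map' logic, which is easy to get subtly wrong: rules are applied top to bottom and chained (a later rule can re-map the result of an earlier one), and only the leading '!' on the unix name stops that. The following is an added example, not code from the thread or from Samba: a small Python re-implementation of the documented matching rules (case-insensitive names, '*' as a catch-all, '#'/';' comments, '!' to stop on match) that lets you dry-run a user.map before restarting Samba. The map text is constructed; its first rule is the one from the message above, the 'nobody = *' rule is invented purely to show why the '!' matters. '@group' entries, which need NSS group lookups, are not implemented here.

```python
"""Dry-run resolver for a Samba-style 'username map' file (added example).

Rules implemented, following the smb.conf manual's description:
  - one rule per line:  unixname = windowsname windowsname ...
  - lines starting with '#' or ';' are comments
  - rules are applied top to bottom and chained: the unix name produced by
    a matching rule is fed to the following rules, unless the unix name was
    prefixed with '!', which stops processing at that rule
  - a windows name of '*' matches any login
  - name comparison is case-insensitive
Not implemented: '@group' entries (they require NSS group membership lookups).
"""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    unix_name: str
    windows_names: Tuple[str, ...]
    stop_if_matched: bool


# a token is either a double-quoted string (may contain spaces) or a bare word
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(s: str) -> List[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(s)]


def parse_map(text: str) -> List[Rule]:
    """Parse user.map content into an ordered list of rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'unixname = names', got {raw!r}")
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        names = tuple(_tokens(right))
        if not unix_name or not names:
            raise ValueError(f"line {lineno}: empty side in rule {raw!r}")
        rules.append(Rule(unix_name, names, stop))
    return rules


def resolve(login: str, rules: List[Rule]) -> str:
    """Return the unix name Samba would use for 'login' under these rules."""
    user = login
    for rule in rules:
        matched = any(
            name == "*" or (not name.startswith("@") and name.lower() == user.lower())
            for name in rule.windows_names
        )
        if matched:
            user = rule.unix_name          # chained: later rules see this name
            if rule.stop_if_matched:
                break                      # the '!' prefix ends processing
    return user


# Constructed sample map: first rule is the one from the thread, the
# catch-all rule is added only to demonstrate the effect of '!'.
SUGGESTED_MAP = """\
# /etc/samba/user.map (constructed sample)
!root = SAMDOM\\Administrator SAMDOM\\administrator Administrator administrator
nobody = *
"""


def map_login(login: str, map_text: str = SUGGESTED_MAP) -> str:
    return resolve(login, parse_map(map_text))


if __name__ == "__main__":
    for login in ("SAMDOM\\Administrator", "samdom\\ADMINISTRATOR", "SAMDOM\\bruno"):
        print(f"{login:28} -> {map_login(login)}")
    # Without the '!' the catch-all re-maps root to nobody: the pitfall.
    print("without '!':", map_login("SAMDOM\\Administrator",
                                    SUGGESTED_MAP.replace("!root", "root")))
```

Running the block shows the Administrator logins (in either case) resolving to root and everyone else to nobody; drop the '!' and Administrator ends up as nobody too, because the catch-all rule re-maps the intermediate result. That chaining is the reason the suggested map file starts the rule with '!'.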
Thanks for your answer,

I already use the Winbind AD backend with RFC2307. The only difference is
that when I use 'getent passwd' logins are never prefixed by the domain
name....

So, if I understand your solution well, I must:

1. Add unix attributes to my Administrator user (it's mandatory to show
   the account with getent)
2. Add the 'username map' option in the member smb.conf
3. Create the mapping file like you said

And after that, when I want to access my kerberized NFS share, do I just
need to 'kinit Administrator' before?

Thanks a lot,
Regards,
Bruno.

On 01/08/2016 at 18:03, Rowland penny wrote:
> On 01/08/16 16:16, Bruno MACADRÉ wrote:
>> Hi,
>>
>> Sorry for this necrobump.... But I still can't use my local
>> root user to browse the content of my NFSv4/Krb5 share...... (others'
>> permissions are checked when root uses this share)
>>
>> So a lot of questions appeared during my tests:
>>
>> - Must I have the same idmap.conf on both client and server?
>> - Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
>>   placed before it in the 'Method' and 'GSS-Methods' lists?
>> - Must the root user use kinit before exploring?
>>
>> And the most important question: has anybody succeeded in
>> accessing (with real root behaviour!!) a nfsv4/krb5 share in a
>> Samba4/Krb5/NFSv4 setup?
>>
>> Thanks in advance,
>> Best regards,
>> Bruno
>>
>> PS: I sent a mail this morning about access to this share from a local
>> user (www-data), but I think that granting access to root may be a
>> good starting point!!
>
> I scanned through the rest of what you posted and I think you have
> Samba 4 running as a DC with Unix clients joined to it, is this correct?
>
> If so, then the only way to get the same UIDs & GIDs on all of them
> is to use RFC2307 attributes and the winbind 'ad' backend on the clients.
>
> Now we come to the root user, this user is somewhat similar to the
> 'Local Administrator' on Windows and as such shouldn't be in AD. On
> the DC, 'Administrator' is automatically mapped to 'root':
>
> root@dc1:~# getent passwd Administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
>
> This doesn't happen on a Samba Unix domain member, but what you can do
> is do the mapping in smb.conf. Add the line
>
> username map = /etc/samba/user.map
>
> Then create the map file /etc/samba/user.map with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> Restart Samba and then 'Administrator' should be mapped to 'root'. The
> 'root' user should never be in AD.
>
> Rowland
>
On Tue, 2 Aug 2016 08:21:30 +0200
Bruno Macadré <bruno.macadre at univ-rouen.fr> wrote:

> Thanks for your answer,
>
> I already use the Winbind AD backend with RFC2307. The only difference is
> that when I use 'getent passwd' logins are never prefixed by the domain
> name....
>
> So, if I understand your solution well, I must:
>
> 1. Add unix attributes to my Administrator user (it's mandatory to
>    show the account with getent)

No, you should never add RFC2307 attributes to Administrator, it will
break the mapping on a DC and you need this.

> 2. Add the 'username map' option in the member smb.conf
> 3. Create the mapping file like you said
>

Yes

> And after that, when I want to access my kerberized NFS share, do I just
> need to 'kinit Administrator' before?

Why do you need to do this??

Rowland
> > And after that, when I want to access my kerberized NFS share, do I just
> > need to 'kinit Administrator' before?
>
> Why do you need to do this??

Even root can't access a user homedir over nfsv4. You need to kinit
administrator to make your way to all user dirs. Or kinit as the user for
a single user dir.

But if you need to kinit as the user then something is wrong, that's not
needed if set up correctly. At least I never kinit as a user.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 2 August 2016 8:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos nfs4's principals and root access
>
> On Tue, 2 Aug 2016 08:21:30 +0200
> Bruno Macadré <bruno.macadre at univ-rouen.fr> wrote:
>
> > Thanks for your answer,
> >
> > I already use the Winbind AD backend with RFC2307. The only difference is
> > that when I use 'getent passwd' logins are never prefixed by the domain
> > name....
> >
> > So, if I understand your solution well, I must:
> >
> > 1. Add unix attributes to my Administrator user (it's mandatory to
> >    show the account with getent)
>
> No, you should never add RFC2307 attributes to Administrator, it will
> break the mapping on a DC and you need this.
>
> > 2. Add the 'username map' option in the member smb.conf
> > 3. Create the mapping file like you said
> >
>
> Yes
>
> > And after that, when I want to access my kerberized NFS share, do I just
> > need to 'kinit Administrator' before?
>
> Why do you need to do this??
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba