Bruno MACADRÉ
2016-Aug-02 15:05 UTC
[Samba] FW: kerberos nfs4's principals and root access
It's ok

So, if I create a httpuser and an httpgroup in my AD and use these as owner and group for my apache2 daemon, could this one access userdirs (while permissions grant it)? But I need to cron 'kinit' to keep a valid ticket...?

My local root user still can't access the share, but my other problem seems to be resolved.

Thanks

On 02/08/2016 at 16:37, Rowland Penny wrote:
> On Tue, 2 Aug 2016 16:02:41 +0200
> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>
>> ** I truncate my initial mail below for size reasons **
>>
>> I've tried your tips but nothing better.... AD users can still
>> access the share (phew!!), but local users no longer.
>>
>> I can't find where it blocks....
>>
>> Thanks for your help Louis,
>>
>> Greetz,
>> Bruno
>>
>> On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
>>> You keep 2 ranges.
>>>
>>> One for the "local (linux) users"
>>>
>>> idmap config *:backend = tdb
>>>
>>> idmap config *:range = 11-9999
>
> Please don't use 'range = 11-9999', it will not do what you think it
> will do. The '*' range is used for the 'BUILTIN' users & groups etc, so
> if you have system users or groups that use an ID in the range
> 11-1000, they will conflict with the Windows well known SIDs.
>
> You can have local Unix users & groups, you can have AD domain users &
> groups, you can make an AD domain user or group into a Unix user or
> group by adding RFC2307 attributes, but what you cannot do is have
> the same user or group name in both /etc/passwd or /etc/group and AD,
> i.e. www-data can exist in /etc/passwd but it cannot be in AD at the
> same time.
>
> To use kerberos, you need an SPN or UPN, this (as far as a Samba AD DC
> is concerned) needs to be stored in AD, so if the user isn't in AD, it
> cannot use kerberos.
>
> Rowland
>

-- 
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
Rowland Penny
2016-Aug-02 16:20 UTC
[Samba] FW: kerberos nfs4's principals and root access
On Tue, 2 Aug 2016 17:05:37 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> It's ok
>
> So, if I create a httpuser and an httpgroup in my AD and use these as
> owner and group for my apache2 daemon, could this one access
> userdirs (while permissions grant it)? But I need to cron 'kinit'
> to keep a valid ticket...?
>
> My local root user still can't access the share, but my other
> problem seems to be resolved.
>

OK, I went and re-read your first post and I think you are going about this the wrong way. I did a quick google and found this:

http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/

So to translate that into Samba:

Create a user 'httpuser' with a random password:

    samba-tool user create --random-password httpuser

Give the new user an SPN:

    samba-tool spn add HTTP/servername.your.realm.tld httpuser

Where 'servername' is the short hostname of your machine running Apache and 'your.realm.tld' is (obviously) your dns/realm name.

Now export the keytab:

    samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD

Copy the keytab to the machine running Apache and allow www-data to read the keytab.

Rowland
Bruno Macadré
2016-Aug-03 06:20 UTC
[Samba] FW: kerberos nfs4's principals and root access
Hi Rowland,

I've already read this article, but I never found how to indicate to apache to read this file... After some research, I think I need to install mod_auth_krb5 to specify at least how to find this keytab (even if I don't need Apache authentication against Kerberos).

I will try this today and come back to say if it works!

In fact I'm stuck between my two problems (root access to Kerberised NFS share / www-data access to userdir into a Kerberised NFS share); contrary to what I thought, it's the root access that is the more difficult to resolve...

Thanks Rowland,

Greetz,
Bruno

On 02/08/2016 at 18:20, Rowland Penny wrote:
> On Tue, 2 Aug 2016 17:05:37 +0200
> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>
>> It's ok
>>
>> So, if I create a httpuser and an httpgroup in my AD and use these as
>> owner and group for my apache2 daemon, could this one access
>> userdirs (while permissions grant it)? But I need to cron 'kinit'
>> to keep a valid ticket...?
>>
>> My local root user still can't access the share, but my other
>> problem seems to be resolved.
>>
>>
> OK, I went and re-read your first post and I think you are going about
> this the wrong way. I did a quick google and found this:
>
> http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
>
> So to translate that into Samba:
>
> Create a user 'httpuser' with a random password:
>
> samba-tool user create --random-password httpuser
>
> Give the new user an SPN:
>
> samba-tool spn add HTTP/servername.your.realm.tld httpuser
>
> Where 'servername' is the short hostname of your machine running Apache
> and 'your.realm.tld' is (obviously) your dns/realm name
>
> Now export the keytab:
>
> samba-tool domain exportkeytab /root/httpd.keytab
> --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
>
> copy the keytab to the machine running Apache and allow www-data to
> read the keytab.
>
> Rowland
>
L.P.H. van Belle
2016-Aug-03 06:57 UTC
[Samba] FW: kerberos nfs4's principals and root access
You need for the apache keytab something like

    Alias /webmail /usr/share/webmail
    #
    <Directory /usr/share/webmail>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/keytab
        require valid-user
    </Directory>

    chmod 400 /etc/httpd/conf/keytab
    chown www-data:www-data /etc/httpd/conf/keytab

> In fact I'm stuck between my two problems (root access to Kerberised NFS
> share / www-data access to userdir into a Kerberised NFS share);
> contrary to what I thought, it's the root access that is the more difficult to
> resolve...

This is because of your layout for your website. Now you're "abusing" the user homedir, and normally that's a private dir for only the user.

For the root access, you can kinit administrator in a root script, I don't know what you exactly want. But

    echo "passwd" | kinit Administrator

simply resolves your problem.

And for the users/website data. When you set a layout like this:

    /var/www/domain/site/

Add on domain for example an AD Group with write rights. Like "Domain website Admins", give these full control. And something like "Site Admins" for a website, inheriting the one before. No hassle with keytabs, changing owner/group.

Besides, if you want to do that, look at mod_ruid, which allows to run an apache vhost as user. But it's what you want.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno Macadré
> Sent: Wednesday 3 August 2016 8:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>
> Hi Rowland,
>
> I've already read this article, but I never found how to indicate to
> apache to read this file... After some research, I think I need to
> install mod_auth_krb5 to specify at least how to find this keytab (even
> if I don't need Apache authentication against Kerberos).
>
> I will try this today and come back to say if it works!
>
> In fact I'm stuck between my two problems (root access to Kerberised NFS
> share / www-data access to userdir into a Kerberised NFS share);
> contrary to what I thought, it's the root access that is the more difficult to
> resolve...
>
> Thanks Rowland,
> Greetz,
> Bruno
>
>
> On 02/08/2016 at 18:20, Rowland Penny wrote:
> > On Tue, 2 Aug 2016 17:05:37 +0200
> > Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> >
> >> It's ok
> >>
> >> So, if I create a httpuser and an httpgroup in my AD and use these as
> >> owner and group for my apache2 daemon, could this one access
> >> userdirs (while permissions grant it)? But I need to cron 'kinit'
> >> to keep a valid ticket...?
> >>
> >> My local root user still can't access the share, but my other
> >> problem seems to be resolved.
> >>
> >>
> > OK, I went and re-read your first post and I think you are going about
> > this the wrong way. I did a quick google and found this:
> >
> > http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
> >
> > So to translate that into Samba:
> >
> > Create a user 'httpuser' with a random password:
> >
> > samba-tool user create --random-password httpuser
> >
> > Give the new user an SPN:
> >
> > samba-tool spn add HTTP/servername.your.realm.tld httpuser
> >
> > Where 'servername' is the short hostname of your machine running Apache
> > and 'your.realm.tld' is (obviously) your dns/realm name
> >
> > Now export the keytab:
> >
> > samba-tool domain exportkeytab /root/httpd.keytab
> > --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
> >
> > copy the keytab to the machine running Apache and allow www-data to
> > read the keytab.
> >
> > Rowland
> >