On Tue, Mar 24, 2015 at 01:21:50PM +0100, Volker Lendecke wrote:
> On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:
> > Now here is the problem: When samba tries to access a directory of a
> > windows user say "john" (john's home is NFS4 mounted on the samba
> > server) the samba process does this as the user "john" not root and gets
> > a permission denied, since for user "john" there is no kerberos TGT
> > allowing him to access the kerberized service NFS. This happens because
> > a windows user authenticates against the windows ADS server when he logs
> > in at windows and my MIT kerberos server does not know anything about this.
> >
> > Does anyone have a similar setup and has a solution for the problem
> > described that's working?
>
> We've done something very similar eons ago with AFS. Similar
> problem. With the fake-kaserver Samba could create its own
> tickets. Something that in modern days you definitely do NOT
> want. We need to hook Samba much better into the nfsv4
> client now. Somehow we need to acquire credentials for the
> NFS4 service, probably to do this MIT somehow needs to trust
> the AD with a cross-realm trust. If Samba has the nfsv4
> ticket, we need to tell the kernel to use it when we switch
> to "john". Interesting project, but none of this is done yet
> unfortunately.
I have some code that does this I gave to a (large) user
site to test. It took a forwarded ticket from the Windows
client and saved it in the /tmp/krb5cc_XXXXX file so that
the NFS client redirector on Linux could use it.
I got it to work in testing, but never got good feedback
from the users so didn't finish it up.
I can dig it out again and forward port to 4.x if you like?
Jeremy.