I used to integrate some Linux clients into my Samba network by mounting homes with 'unix extensions = yes', and it works as expected, at least with some old Lubuntu derivatives. Client side I use 'pam_mount'.

Now I'm working on an Ubuntu MATE derivative, and I've not found a way to start the session properly over CIFS. If I create a plain local home (pam_mkhome), the session starts as expected.

Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g. security by IP.

I've looked around at NFSv4/Kerberos setups, but I've not found a tutorial, or some documentation, that seems clear (at least to me).

Also, for NFSv3 I use autofs. Better to use pam_mount instead?

Briefly, can someone point me to some good documentation? Thanks.

-- 
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Hi Marco,

You will hit multiple problems, most can be solved. I'm installing a new member here with Samba 4.8.5 and building new Samba 4.8.6 at the moment ;-). I'm (trying to) fix this also again in this new setup. Below is a bit of what I know.

> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
> security by IP.

If they register (or are registered) in the DNS correctly then this is no problem. Currently I'm using NFSv4 with sys and not Kerberos, there is some bug, today I'll see if that's fixed.

For the CIFS question. Add this part to the [libdefaults] of krb5.conf:

    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

The "why" is: cifs with Kerberos might use the wrong encryption types, so define them and you're set. CIFS uses this, so it's really advised to set it everywhere and keep the enctypes the same.

## NFS SERVER ##

For the NFSv4 server with Kerberos homes, that stopped working somewhere in jessie. You can set the NFS server to support all settings so you can test when needed. In /etc/exports:

    /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
    /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

With in systemd the following:

    cat /etc/systemd/system/exports-users.mount
    [Unit]
    Description=NFS export (/exports/users)
    Wants=network-online.target

    [Mount]
    What=/home/samba/users
    Where=/exports/users
    Type=none
    Options=bind

    [Install]
    WantedBy=multi-user.target

And adjust the above to your needs.

Using NFSv4 with Kerberos also gives a problem that Kerberos wants to read a file in the user's home. But depending on your settings you might have blocked that.

## For the CLIENT NFS ##

You can set:

    ignore_k5login = true

in krb5.conf [libdefaults] to overcome that.
And my current mount and automount in systemd:

    systemctl cat home-users.automount
    # /etc/systemd/system/home-users.automount
    [Unit]
    Description=Automount Home-Users

    [Automount]
    Where=/home/users

    [Install]
    WantedBy=multi-user.target

    systemctl cat home-users.mount
    # /etc/systemd/system/home-users.mount
    [Unit]
    Description=User Homes

    [Mount]
    What=hostname.internal.domain.tld:/users
    Where=/home/users
    Type=nfs4
    Options=sec=sys
    #Options=sec=krb5i
    TimeoutSec=150

    [Install]
    WantedBy=multi-user.target

And enable it:

    systemctl enable home-users.mount
    systemctl enable home-users.automount
    systemctl start home-users.automount

The key here is: home-users.mount, home-users.automount. The "home-users" part MUST reflect the real path.

This should give you a start to start with.

Do note: every client and server needs a cifs/SPN and an nfs/SPN, so don't forget to check that.

More questions, just ask.

Greetz,

Louis
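The enctype lists above, and the ignore_k5login setting, are exactly the kind of thing that drifts between the file server, the clients and the DCs. The script below is an added example, not code from the post or from Samba: it parses the [libdefaults] section of a krb5.conf, reports when the three enctype lists are not identical, flags the single-DES and RC4 enctypes (single-DES was removed from MIT krb5 1.18 and RC4 is deprecated; leaving them in permitted_enctypes lets a ticket be issued and accepted with a weak key, which is a downgrade path once the DCs still offer them), checks ignore_k5login, and produces a hardened copy of the lists. The sample krb5.conf is constructed for the example; the realm and KDC names in it are placeholders.

```python
"""Audit the enctype lists in krb5.conf [libdefaults] (added example)."""

# Enctypes that should not be allowed on a modern AD/Samba realm:
# single-DES (removed from MIT krb5 1.18) and RC4/arcfour (deprecated).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw",
    "rc4-hmac", "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the [libdefaults] fragment from the post plus a
# [realms] block, so the parser has nested braces to skip.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = YOUR.REALM
    dns_lookup_kdc = true
    ; ignore k5login not being accessible in the user home dir.
    ignore_k5login = true
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    YOUR.REALM = {
        kdc = dc1.internal.domain.tld
        admin_server = dc1.internal.domain.tld
    }
"""


def parse_libdefaults(text):
    """Return the top-level key/value pairs of [libdefaults] as a dict.

    Nested '{ ... }' blocks (as used in [realms]) are skipped, ';' and '#'
    comments are stripped, and keys are lower-cased.
    """
    settings = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section != "libdefaults" or depth or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_enctypes(settings):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lists = {}
    for key in ENCTYPE_KEYS:
        if key not in settings:
            findings.append(f"{key} not set, library default applies")
            continue
        lists[key] = settings[key].split()
        weak = [e for e in lists[key] if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} permits weak enctypes: {' '.join(weak)}")
    if len(lists) == len(ENCTYPE_KEYS) and len({tuple(v) for v in lists.values()}) != 1:
        findings.append("tgs/tkt/permitted enctype lists differ; keep them identical")
    if settings.get("ignore_k5login", "").lower() != "true":
        findings.append("ignore_k5login is not true; krb5_kuserok() will try to read "
                        "~/.k5login before the home directory is mounted")
    return findings


def harden(settings):
    """Return a copy of the settings with weak enctypes removed from every list."""
    hardened = dict(settings)
    for key in ENCTYPE_KEYS:
        if key in hardened:
            kept = [e for e in hardened[key].split() if e.lower() not in WEAK_ENCTYPES]
            hardened[key] = " ".join(kept)
    return hardened


if __name__ == "__main__":
    conf = parse_libdefaults(SAMPLE_KRB5_CONF)
    for finding in audit_enctypes(conf) or ["OK"]:
        print(finding)
    for key in ENCTYPE_KEYS:
        print(f"{key} = {harden(conf)[key]}")
```

Run it against the real /etc/krb5.conf of every host involved (DCs, file server, clients) and diff the output: the sample as posted produces three "weak enctypes" findings and nothing else, and the hardened lists contain only the two AES enctypes.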
Hai,

I'm getting somewhere, here you go, a snapshot of what I have at the moment. And what works at the moment. I'm assuming you have winbind already running.

An A+PTR record in the DNS is obligatory. You can turn off the rdns check in krb5.conf but I did not test that.

    # Tested on Debian Stretch - NFSv4 SERVER
    apt-get install --auto-remove nfs-kernel-server
    systemctl stop nfs-*

Added in krb5.conf below the default_realm setting:

    ; ignore k5login not being accessible in the user home dir.
    ignore_k5login = true

    ; for Windows 2008 with AES, needed by CIFS also. (don't forget the cifs/spn)
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Server settings for NFSv4:

    # Anchored to the start of the line and replacing the whole value, so the
    # commands are idempotent: an unanchored 's/NEED_STATD=/NEED_STATD=no/g'
    # would turn an existing NEED_STATD=yes into NEED_STATD=noyes.
    sed -i 's/^NEED_SVCGSSD=.*/NEED_SVCGSSD="yes"/' /etc/default/nfs-kernel-server
    sed -i 's/^NEED_STATD=.*/NEED_STATD=no/' /etc/default/nfs-common
    sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /etc/default/nfs-common
    sed -i 's/^NEED_GSSD=.*/NEED_GSSD=yes/' /etc/default/nfs-common

idmapd.conf, add in [general]:

    Domain = internal.domain.tld
    Local-Realm = YOUR.REALM

Then:

    kinit Administrator
    net ads keytab add nfs/hostname1.internal.domain.tld@YOUR.REALM -k

The NFS server. /etc/exports contains now:

    /srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
    /srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

For the clients:

    apt-get install nfs-common

    kinit Administrator
    # To do on the NFSv4 client
    net ads keytab add nfs/hostname2.internal.domain.tld@REALM -k

    sed -i 's/^NEED_STATD=.*/NEED_STATD=no/' /etc/default/nfs-common
    sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /etc/default/nfs-common
    sed -i 's/^NEED_GSSD=.*/NEED_GSSD=yes/' /etc/default/nfs-common

Test:

    mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
    mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
    mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
    mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v

For tomorrow, I'm looking to add nfs4acl_xattr in the share. man vfs_nfs4acl_xattr

For now.. I'm heading home...

Greetz,

Louis
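The procedure above ends with four test mounts, one per security flavour, which is useful for debugging but also shows the trade-off: every export listed still accepts sec=sys, so any host in 192.168.0.0/24 can mount it with AUTH_SYS and present whatever uid it likes, which is the "security by IP" problem from the original question. The preflight script below is an added example, not from the post, Samba or nfs-utils: it parses /etc/exports lines and reports exports that still accept sec=sys or offer no privacy flavour, and parses `klist -k -e` output to confirm the keytab holds an AES key for nfs/<fqdn>@REALM, the principal rpc.gssd and rpc.svcgssd look for (note the lowercase service name), and for cifs/<fqdn>@REALM as Louis advises. Both inputs are constructed for the example; the hostnames and realm are placeholders.

```python
"""Preflight checks for a Kerberised NFSv4 server or client (added example)."""
import re

# Constructed /etc/exports mirroring the post, plus one export that only
# allows krb5p so the audit has a passing case.
SAMPLE_EXPORTS = """\
/srv         192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
"""

# Constructed `klist -k -e` output for a host that has nfs/ keys but no cifs/ key.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname1.internal.domain.tld@YOUR.REALM (aes256-cts-hmac-sha1-96)
   2 host/hostname1.internal.domain.tld@YOUR.REALM (aes128-cts-hmac-sha1-96)
   2 host/hostname1.internal.domain.tld@YOUR.REALM (arcfour-hmac)
   2 nfs/hostname1.internal.domain.tld@YOUR.REALM (aes256-cts-hmac-sha1-96)
   2 nfs/hostname1.internal.domain.tld@YOUR.REALM (aes128-cts-hmac-sha1-96)
   2 nfs/hostname1.internal.domain.tld@YOUR.REALM (arcfour-hmac)
"""

CLIENT_SPEC_RE = re.compile(r"(\S+?)\(([^)]*)\)")
KLIST_LINE_RE = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\((\S+)\)\s*$")


def parse_exports(text):
    """Return one dict per (path, client) pair with its options and sec flavours.

    exports(5) defaults to sec=sys when no sec= option is given.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for client, opts in CLIENT_SPEC_RE.findall(rest):
            options = [o for o in opts.split(",") if o]
            sec = next((o[len("sec="):] for o in options if o.startswith("sec=")), "sys")
            exports.append({"path": path, "client": client,
                            "options": options, "sec": sec.split(":")})
    return exports


def audit_exports(exports):
    """Flag exports that still trust client-asserted uids or send data in clear."""
    findings = []
    for e in exports:
        where = f"{e['path']} -> {e['client']}"
        if "sys" in e["sec"]:
            findings.append(f"{where}: sec=sys accepted, any host in {e['client']} "
                            "can present any uid/gid without authenticating")
        if "krb5p" not in e["sec"]:
            findings.append(f"{where}: no krb5p flavour, file data crosses the wire unencrypted")
    return findings


def parse_keytab_listing(text):
    """Parse `klist -k -e` output into (service, host, realm, enctype) records."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE_RE.match(line)
        if m:
            service, host, realm, enctype = m.groups()
            entries.append({"service": service, "host": host,
                            "realm": realm, "enctype": enctype})
    return entries


def check_spn(entries, service, fqdn, realm):
    """Return None if an AES key for service/fqdn@realm is in the keytab, else a finding."""
    keys = [e for e in entries
            if e["service"] == service and e["host"] == fqdn and e["realm"] == realm]
    if not keys:
        return (f"no {service}/{fqdn}@{realm} key in keytab; "
                f"run: net ads keytab add {service}/{fqdn}@{realm} -k")
    if not any(e["enctype"].startswith("aes") for e in keys):
        return (f"{service}/{fqdn}@{realm} has only non-AES keys: "
                + ", ".join(e["enctype"] for e in keys))
    return None


if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
    keytab = parse_keytab_listing(SAMPLE_KLIST)
    for svc in ("nfs", "cifs"):
        print(check_spn(keytab, svc, "hostname1.internal.domain.tld", "YOUR.REALM")
              or f"{svc}/ SPN OK")
```

On a real host feed it `cat /etc/exports` and `klist -k -e` output instead of the samples. Keeping sec=sys in the list is fine while you test the four mount variants, but once krb5p mounts work, drop it from the exports, otherwise the Kerberos setup protects nothing against a host that simply omits sec=krb5p.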
Hai,

Hmm.. Bummer..
I just discovered the Debian package doesn't have vfs_nfs4acl included in the build.

And because of that it's not in my packages. I'll have a look into it, see what I can make of it.

Greetz,

Louis
On Wed, 10 Oct 2018 09:25:16 +0200
"L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

> Hai,
>
> Hmm.. Bummer..
> I just discovered the Debian package doesn't have vfs_nfs4acl
> included in the build.
>
> And because of that it's not in my packages. I'll have a look into
> it, see what I can make of it.

That is odd, it isn't as if it is a new VFS module, it has been about since 2013.

Rowland
Hai Rowland,

Yes, very strange indeed, I'm trying to figure out what's happening.

I did find the code to build it in source3/modules/wscript_build:

    vfs_nfs4acl_xattr_source = '''
        vfs_nfs4acl_xattr.c
        nfs4acl_xattr_ndr.c
        nfs4acl_xattr_xdr.c
    '''
    if bld.CONFIG_SET("HAVE_RPC_XDR_H"):
        vfs_nfs4acl_xattr_source += ' nfs41acl_xdr.c'

    bld.SAMBA3_MODULE('vfs_nfs4acl_xattr',
                      subsystem='vfs',
                      source=vfs_nfs4acl_xattr_source,
                      deps='NFS4_ACLS sunacl NDR_NFS4ACL',
                      init_function='',
                      internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_nfs4acl_xattr'),
                      enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_nfs4acl_xattr'))

So I'm wondering what's missing here in the Debian packages, because it looks like it's enabled. If you have any tips where to look, very welcome.

Greetz,

Louis
On Wed, 10 Oct 2018 09:25:16 +0200
"L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

> I just discovered the Debian package doesn't have vfs_nfs4acl
> included in the build.

After thinking about this, I thought, hang on, is that the correct name? After all on Linux it is 'vfs_acl_xattr'.

So on one of my DCs I ran this: 'man vfs_nfs4acl_xattr'

That exists.

Rowland
Yeah.. The manual exists... That's not the problem..

I'm trying some extra packages now; at build time there is something missing.

Greetz,

Louis
Hi,

just a hint. In our case it was impossible to use the rpc.svcgssd service for kerberized NFSv4, due to a bug (our server OS: Debian 9). We got some kind of kernel panic on the server when a client mounted a kerberized NFSv4 export. So we are using the "gssproxy" package right now.

See https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654

-- 
Regards,
Andreas Hauffe
Thank you for that, I did have a good look at that one.

And I use Debian 9; if you test what I posted earlier in the thread, you will see NFSv4 works fine.

That post is missing one more thing: the "allow to delegate (Kerberos only)" setting on the computer object in the AD should be enabled.

And yes, I've seen bugchecks also, but only on my Debian.. Lenny.. Sst.. ;-) .. It's my last lenny server.
No crashes on jessie or stretch. I don't have fstab entries, everything is done by systemd.

My problem is not crashing, but building the vfs_nfs4acl_xattr module. Kerberos and NFSv4 work fine here, but now I want the vfs_nfs4acl_xattr module with it.

But thank you for the reply, the more info I find/get the quicker I'll have found the problem.

Anyone else, another hint? I do think outside the box, so throw anything at me. :-)

Greetz,

Louis
Mandi! L.P.H. van Belle via samba
  On that day you wrote...

> You will hit multiple problems, most can be solved.

Sorry, but I'm totally ''puzzled'' by your email. I'll try to summarize, hoping correctly (and hoping someone can put it on the wiki afterwards).

1) ON SERVER

a) if you want to use CIFS, add this to /etc/krb5.conf, to force ''cipher compatibility'' between Samba and the kernel cifs module:

    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

add also:

    ignore_k5login = true

because by default Kerberos tries to read that file in the user's home, and they are not mounted (but this is on the client... WHY on the server?).

b) add an SPN for 'NFS' on the server, e.g.:

    samba-tool spn add NFS/mynfs.server.tld mynfs$

c) create a keytab for that SPN:

    net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k

d) configure server settings:

    sed -i 's/^NEED_SVCGSSD=.*/NEED_SVCGSSD="yes"/' /etc/default/nfs-kernel-server
    sed -i 's/^NEED_STATD=.*/NEED_STATD=no/' /etc/default/nfs-common
    sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /etc/default/nfs-common
    sed -i 's/^NEED_GSSD=.*/NEED_GSSD=yes/' /etc/default/nfs-common

idmapd.conf, add in [general]:

    Domain = internal.domain.tld
    Local-Realm = YOUR.REALM

e) define export dirs:

    /srv 192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
    /srv/backups 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

2) ON CLIENT

a) install and configure nfs-common:

    sed -i 's/^NEED_STATD=.*/NEED_STATD=no/' /etc/default/nfs-common
    sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /etc/default/nfs-common
    sed -i 's/^NEED_GSSD=.*/NEED_GSSD=yes/' /etc/default/nfs-common

b) create again the keytab for the NFS SPN:

    net ads keytab add NFS/mynfs.server.tld@YOUR.REALM -k

WHY that? Doesn't it suffice to create the keytab only once?

c) define the systemd automount

Misc questions:

> With in systemd the following:
> cat /etc/systemd/system/exports-users.mount
> [Unit]
> Description=NFS export (/exports/users)
> Wants=network-online.target

Why?! It seems to me that defining /etc/exports suffices...

> systemctl cat home-users.automount
> # /etc/systemd/system/home-users.automount

Cool! I was still using 'autofs', I was not aware of systemd automount! Thanks.
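The naming rule Louis pointed out, that the .mount/.automount file name must be the escaped form of its Where= path, is the usual reason a hand-written unit is silently never activated. The helper below is an added example, not systemd's code and not from the thread: it reimplements the `systemd-escape --path` rule for unit names (slashes become '-', characters outside [A-Za-z0-9:_.] become \xNN, a leading '.' is escaped), checks a unit file name against its Where= path, and extracts the sec= flavour from a .mount unit's Options= so a client still on sec=sys stands out when you review the units. The unit text is the one Louis posted; /home/users-data is a constructed counter-example.

```python
"""Check systemd mount/automount unit names and their NFS security flavour (added example)."""

# Louis's client unit, as posted earlier in the thread.
SAMPLE_MOUNT_UNIT = """\
[Unit]
Description=User Homes

[Mount]
What=hostname.internal.domain.tld:/users
Where=/home/users
Type=nfs4
Options=sec=sys
#Options=sec=krb5i
TimeoutSec=150

[Install]
WantedBy=multi-user.target
"""


def systemd_escape_path(path):
    """Reimplementation of `systemd-escape --path` (added, not systemd's own code).

    Leading/trailing and repeated slashes are dropped, '/' becomes '-',
    characters outside [A-Za-z0-9:_.] become \\xNN (one per UTF-8 byte),
    and a leading '.' is escaped so the name cannot start with a dot.
    """
    parts = [p for p in path.split("/") if p]
    if not parts:
        return "-"                      # the root directory is named '-'
    out = []
    for i, ch in enumerate("/".join(parts)):
        if ch == "/":
            out.append("-")
        elif (ch.isascii() and ch.isalnum()) or ch in ":_" or (ch == "." and i > 0):
            out.append(ch)
        else:
            out.extend(f"\\x{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def parse_unit(text):
    """Minimal INI parser for a unit file: {section: {key: value}}, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def unit_name_matches(unit_filename, unit_text):
    """True if <name>.mount / <name>.automount matches the escaped Where= path."""
    name, _, suffix = unit_filename.rpartition(".")
    if suffix not in ("mount", "automount"):
        return False
    section = "Mount" if suffix == "mount" else "Automount"
    where = parse_unit(unit_text).get(section, {}).get("Where")
    return where is not None and name == systemd_escape_path(where)


def mount_sec_flavour(unit_text):
    """Return the sec= flavour from Options= of a .mount unit, or None if not set."""
    options = parse_unit(unit_text).get("Mount", {}).get("Options", "")
    for opt in options.split(","):
        if opt.startswith("sec="):
            return opt[len("sec="):]
    return None


if __name__ == "__main__":
    print(systemd_escape_path("/home/users"))              # home-users
    print(unit_name_matches("home-users.mount", SAMPLE_MOUNT_UNIT))  # True
    print(mount_sec_flavour(SAMPLE_MOUNT_UNIT))            # sys
```

A path with a hyphen, such as /home/users-data, escapes to home-users\x2ddata, so the unit file must be named `home-users\x2ddata.mount`; naming it home-users-data.mount makes systemd look for a /home/users/data mount point instead. On a real host, `systemd-escape --path --suffix=mount /home/users` gives the authoritative answer.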