On 11/9/2020 3:57 PM, Rowland penny via samba wrote:
> On 09/11/2020 20:20, Jason Keltz via samba wrote:
>> On 11/9/2020 3:00 PM, Rowland penny via samba wrote:
>>>> I figured that I should just need to do a "kinit Administrator" on
>>>> the client, and take on the root identity, then I could write as
>>>> root where I have no_root_squash configured... However, when I
>>>> tried this on a client, I get a permission denied when trying to
>>>> write.
>>>
>>> You need to do the kinit as root or using sudo, so the resultant
>>> ticket belongs to root.
>>>
>> So that would mean I need to "samba-tool user create root "password""?
>> I was under the impression that the "idmapd.conf" mapping would
>> have avoided that..
>
> No, 'root' is a Unix user and should never be in AD, the same way that
> the Windows user 'Administrator' should never be in /etc/passwd

Seems I misunderstood again...

>>
>> But that's fine... I created "root" with samba-tool, then did a kinit
>> root, but removed all the other things I did, and it surprisingly
>> still doesn't work.
>
> It wouldn't, see above, I suggest you remove 'root' from AD again.

Done.

>
>> Do I still need this in nfsidmap.conf?
>
> Probably, but I would wait until Louis comments, he uses NFS in
> production.
>
>> I had the username map defined on the DC and on all the AD clients.
>> They all actually point to the same file, but it only has that one
>> line and it's otherwise just empty (which is the case now). I
>> restarted the samba-ad-dc on the DC and rebooted the client... no difference.
>
> The Samba DCs do not need the username.map, but each Unix domain
> member requires it.
>
> Do you have Unix clients? (not talking about Samba servers here), if
> you don't, why are you using NFS?
>

Yes - soon to be several hundred mounting home directories, various
software and other stuff over NFS. That's why I'm doing this. The NFS
part is all working perfectly actually except for root access.

>>
>> on the dc:
>>
>> # Global parameters
>> [global]
>>         netbios name = DC1
>>         realm = AD.EECS.YORKU.CA
>>         workgroup = EECSYORKUCA
>>         dns forwarder = 130.63.94.4
>>         server role = active directory domain controller
>>         idmap_ldb:use rfc2307 = yes
>>         interfaces = 127.0.0.1 130.63.94.66
>>         bind interfaces only = yes
>>
>> [netlogon]
>>         path = /local/samba/sysvol/ad.eecs.yorku.ca/scripts
>>         read only = no
>>         guest ok = no
>>
>> [sysvol]
>>         path = /local/samba/sysvol
>>         read only = no
>>         guest ok = no
>>
> The 'guest ok = no' lines are not required, it is the default.

Ok .. thanks..

>> and on the AD client:
>>
>> [global]
>> workgroup = EECSYORKUCA
>> security = ADS
>> realm = AD.EECS.YORKU.CA
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-1999999
>> idmap config EECSYORKUCA : backend = ad
>> idmap config EECSYORKUCA : schema_mode = rfc2307
>> idmap config EECSYORKUCA : range = 1000-999999
>> idmap config EECSYORKUCA : unix_primary_group = yes
>> idmap config EECSYORKUCA : unix_nss_info = yes
>
> Have you added any uidNumber & gidNumber attributes to AD?

For sure... all users have that, in addition to the home directory,
shell, etc. That part is all working great..

> Why are you using '1000' as the start number for the 'EECSYORKUCA'
> domain, this means you cannot have any local Unix users (not to be
> confused with Unix domain users).

All of our users have uid > 1000. <1000 would be OS provided users.

Jason.
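The exchange above turns on two properties of the member's idmap configuration: the '*' range and the EECSYORKUCA range must not overlap, and any uidNumber range that starts at 1000 swallows every local /etc/passwd account above 999 (Rowland's objection). The following checker is an added example, not code from the thread or from Samba; it parses 'idmap config' lines from a constructed copy of the smb.conf shown above and a constructed /etc/passwd excerpt, and reports overlapping ranges and local accounts that sit inside a domain range. The passwd lines (including nfsnobody at uid 65534) are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the AD-member [global] idmap lines quoted in the thread.
SMB_CONF = """
[global]
workgroup = EECSYORKUCA
security = ADS
realm = AD.EECS.YORKU.CA
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : schema_mode = rfc2307
idmap config EECSYORKUCA : range = 1000-999999
idmap config EECSYORKUCA : unix_primary_group = yes
idmap config EECSYORKUCA : unix_nss_info = yes
"""

# Constructed /etc/passwd excerpt (not from the thread): one system account
# below 1000, the NFS anonymous account at 65534, and one local user at 1001.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
jdoe:x:1001:1001:Local Jane:/home/jdoe:/bin/bash
"""

# 'idmap config <domain> : <option> = <value>', case-insensitive like smb.conf.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """'1000-999999' -> (1000, 999999); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text!r}")
    return lo, hi


def ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Every domain that declares a range, mapped to its (low, high) bounds."""
    return {dom: parse_range(o["range"]) for dom, o in parse_idmap(conf).items() if "range" in o}


def overlapping(rs: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; winbind requires them disjoint."""
    names = sorted(rs)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = rs[a], rs[b]
            if alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits


def local_collisions(conf: str, passwd: str) -> List[Tuple[str, int, str]]:
    """Local passwd accounts whose uid lies inside a domain's idmap range."""
    rs = ranges(conf)
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        for dom, (lo, hi) in rs.items():
            if lo <= uid <= hi:
                hits.append((fields[0], uid, dom))
    return hits


def check(conf: str, passwd: str) -> List[str]:
    """Human-readable findings for the given smb.conf and passwd text."""
    findings = []
    rs = ranges(conf)
    if "*" not in rs:
        findings.append("no 'idmap config * : range' (winbind needs a default range)")
    for a, b in overlapping(rs):
        findings.append(f"idmap ranges for {a} and {b} overlap")
    for user, uid, dom in local_collisions(conf, passwd):
        findings.append(f"local account {user} (uid {uid}) falls inside the {dom} range")
    return findings


if __name__ == "__main__":
    for f in check(SMB_CONF, PASSWD):
        print("WARNING:", f)
```

On the configuration quoted above the two ranges are disjoint, but both 'jdoe' (1001) and 'nfsnobody' (65534) land inside 1000-999999, which is exactly why Rowland warns that a range starting at 1000 leaves no room for local Unix accounts; raising the domain's lower bound above the highest local uid removes both findings. To run it against a real host, pass the contents of /etc/samba/smb.conf and /etc/passwd instead of the constructed strings.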
On 09/11/2020 21:05, Jason Keltz via samba wrote:
>
> Seems I misunderstood again...

No problem, anything is hard when you start and it is very easy to make
mistakes 🙂

> Yes - soon to be several hundred mounting home directories, various
> software and other stuff over NFS. That's why I'm doing this. The NFS
> part is all working perfectly actually except for root access.

Then we need Louis, I just use CIFS and as I said, he uses it in
production and could probably set NFS up in his sleep 🙂

>
>> All of our users have uid > 1000. <1000 would be OS provided users.

Then I suggest you never forget your root password (I hope you are using
a different one on each Unix machine) and never have problems with root,
or you will have to fix things from a live CD. 🙂

Rowland
Hai,

Now, the only thing that's different here is, I do this on a member and on Debian.
I think if you read this: https://www.spinics.net/lists/samba/msg165144.html
you have the info you need in there, at least I think; it does contain all things you need.

If this is a samba member we are talking about, this is already joined.
Add the SPN to the HOSTNAME$ and let winbind refresh the keytab.
(all in the above link)

The link above shows mount binds for the userdirs, might not be needed in your setup.

See how far you get, questions just ask.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Monday 9 November 2020 22:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs root kerberos
>
> On 09/11/2020 21:05, Jason Keltz via samba wrote:
> >
> > Seems I misunderstood again...
> No problem, anything is hard when you start and it is very
> easy to make
> mistakes 🙂
> > Yes - soon to be several hundred mounting home directories, various
> > software and other stuff over NFS. That's why I'm doing
> this. The NFS
> > part is all working perfectly actually except for root access.
> Then we need Louis, I just use CIFS and as I said, he uses it in
> production and could probably set NFS up in his sleep 🙂
> >
> >> All of our users have uid > 1000. <1000 would be OS provided users.
>
> Then I suggest you never forget your root password (I hope
> you are using
> a different one on each Unix machine) and never have problems
> with root,
> or you will have to fix things from a live CD. 🙂
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Hi Louis,

Thanks for your message. However, I already have NFS working completely.
I'm only trying to work out root NFS access on the client. I tried your
NFS translation fix via idmapd.conf but that isn't working for me. I've
discovered that's because CentOS 7 is using gssproxy so apparently your
fix won't work. The fix from Red Hat (adding some lines to krb.conf seen
in my original email) is not working either. I'll keep working away at
it. When you're testing as root I guess you use the machine credential?
That didn't work for me either.

Jason.

On Nov. 10, 2020, 3:08 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> Hai,
>
> Now, the only thing that's different here is, I do this on a member and
> on Debian
> I think if you read this:
> https://www.spinics.net/lists/samba/msg165144.html
>
> You have the info you need in there, at least I think, it does contain
> all things you need.
>
> If this is a samba member we are talking about. This is already
> joined.
> Add the SPN to the HOSTNAME$ and let winbind refresh the keytab.
> (all in the above link)
>
> The link above shows mount binds for the userdirs, might not be needed
> in your setup.
>
> See how far you get, questions just ask.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Monday 9 November 2020 22:19
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] nfs root kerberos
>>
>> On 09/11/2020 21:05, Jason Keltz via samba wrote:
>> >
>> > Seems I misunderstood again...
>> No problem, anything is hard when you start and it is very
>> easy to make
>> mistakes 🙂
>> > Yes - soon to be several hundred mounting home directories, various
>> > software and other stuff over NFS. That's why I'm doing
>> this. The NFS
>> > part is all working perfectly actually except for root access.
>> Then we need Louis, I just use CIFS and as I said, he uses it in
>> production and could probably set NFS up in his sleep 🙂
>> >
>> >> All of our users have uid > 1000. <1000 would be OS provided
> users.
>>
>> Then I suggest you never forget your root password (I hope
>> you are using
>> a different one on each Unix machine) and never have problems
>> with root,
>> or you will have to fix things from a live CD. 🙂
>>
>> Rowland