Hi Louis,

Thanks for your message. However, I already have NFS working completely. I'm only trying to work out root NFS access on the client. I tried your NFS translation fix via idmapd.conf but that isn't working for me. I've discovered that's because CentOS 7 is using gssproxy so apparently your fix won't work. The fix from Red Hat (adding some lines to krb5.conf seen in my original email) is not working either. I'll keep working away at it. When you're testing as root I guess you use the machine credential? That didn't work for me either.

Jason.

On Nov. 10, 2020, 3:08 a.m., "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
>
> Now, the only thing that's different here is, I do this on a member and on Debian.
> I think if you read this:
> https://www.spinics.net/lists/samba/msg165144.html
>
> You have the info you need in there, at least I think; it does contain all things you need.
>
> If this is a Samba member we are talking about, this is already joined.
> Add the SPN to the HOSTNAME$ and let winbind refresh the keytab.
> (all in the above link)
>
> The link above shows mount binds for the userdirs, might not be needed in your setup.
>
> See how far you get, questions just ask.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
>> Sent: Monday 9 November 2020 22:19
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] nfs root kerberos
>>
>> On 09/11/2020 21:05, Jason Keltz via samba wrote:
>>> Seems I misunderstood again...
>> No problem, anything is hard when you start and it is very easy to make mistakes
>>> Yes - soon to be several hundred mounting home directories, various software and other stuff over NFS. That's why I'm doing this. The NFS part is all working perfectly actually except for root access.
>> Then we need Louis, I just use CIFS and as I said, he uses it in production and could probably set NFS up in his sleep
>>> All of our users have uid > 1000. <1000 would be OS provided users.
>> Then I suggest you never forget your root password (I hope you are using a different one on each Unix machine) and never have problems with root, or you will have to fix things from a live CD.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 10/11/2020 11:56, Jason Keltz via samba wrote:
> Hi Louis,
> Thanks for your message.
> However, I already have NFS working completely. I'm only trying to work out root NFS access on the client. I tried your NFS translation fix via idmapd.conf but that isn't working for me. I've discovered that's because CentOS 7 is using gssproxy so apparently your fix won't work. The fix from Red Hat (adding some lines to krb5.conf seen in my original email) is not working either. I'll keep working away at it. When you're testing as root I guess you use the machine credential? That didn't work for me either.
>
> Jason.

I wonder if the problem is Kerberos? By this I mean MIT instead of Heimdal: the Samba DC will be using Heimdal and the CentOS 7 client will be using MIT, so whilst the client may understand the lines added to krb5.conf, your Samba AD DC might not.

As I said, I do not use NFS, but Louis does, extensively. So I would advise listening to him.

Rowland
Well, my problem is I don't know how CentOS/RH is handling this.

I just know that the basics are..

1) The server must have A and PTR records. (Optionally you can use CNAMEs as long as A+PTR match.)

2) You use nfs/$(hostname -f) and add this in the local keytab and in the computer object$:
net ads keytab add_update_ads nfs/$(hostname -f)

(You don't add the REALM here!)

3) I know nfs tries multiple SPNs, like (random order):
nfs/HOSTNAME$
nfs/hostname.fqdn
root/hostname.fqdn
One of these must exist in the local keytab file (in Debian /etc/krb5.keytab).
klist -ke /etc/krb5.keytab
should have at least one with nfs/$(hostname -f)@REALM

4) You must add this to smb.conf:
# renew the kerberos ticket
winbind refresh tickets = yes

Or the keytab will expire.

Now, as I said, I don't know CentOS and MIT/Heimdal differences, that might be a point.
But how did you set up the exports, did you define the pseudo NFS4 root?
Examples here.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports

This is how my export looks.
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

I hope this helps you out.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 10 November 2020 13:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs root kerberos
>
> I wonder if the problem is Kerberos? By this I mean MIT instead of Heimdal: the Samba DC will be using Heimdal and the CentOS 7 client will be using MIT, so whilst the client may understand the lines added to krb5.conf, your Samba AD DC might not.
>
> As I said, I do not use NFS, but Louis does, extensively. So I would advise listening to him.
>
> Rowland
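Louis's four-point checklist above, turned into a pre-flight script. This is an added example, not code from the thread, from Samba or from Red Hat. It deliberately runs offline: instead of querying DNS, AD or the keytab itself, it reads captures of the commands the thread names (`getent hosts` for the A and PTR answers, `klist -ke /etc/krb5.keytab`) plus smb.conf and /etc/exports, so you can run it on any box or against files copied from the NFS server. The host nfs1.example.com, realm EXAMPLE.COM and address 192.168.0.10 are made-up placeholders, the sample files are constructed to look like the thread's examples, and the keytab check accepts exactly the three principal forms Louis lists (nfs/HOSTNAME$, nfs/fqdn, root/fqdn), nothing more.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): offline pre-flight check
# for the prerequisites listed in the thread. Names/addresses are placeholders.

# Escape a name for use inside a grep -E pattern (dots are metacharacters).
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# 1) A and PTR must agree. FWD is a capture of `getent hosts FQDN`,
#    REV a capture of `getent hosts IP` (assumed capture method).
check_dns() {
    fqdn=$1; fwd=$2; rev=$3
    ip=$(awk 'NR==1{print $1}' "$fwd")
    [ -n "$ip" ] || return 1
    awk -v ip="$ip" -v name="$fqdn" 'BEGIN{found=0}
         $1==ip { for (i=2;i<=NF;i++) if (tolower($i)==tolower(name)) found=1 }
         END{exit !found}' "$rev"
}

# 2)+3) The keytab must hold one of the principals the thread says nfs tries:
#       nfs/HOSTNAME$, nfs/fqdn or root/fqdn, each @REALM.
#       KLIST is a capture of `klist -ke /etc/krb5.keytab`.
check_keytab() {
    klist=$1; fqdn=$2; realm=$3
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    f=$(re_escape "$fqdn"); r=$(re_escape "$realm")
    grep -E -q "[[:space:]](nfs/$short\\\$|nfs/$f|root/$f)@$r([[:space:]]|\$)" "$klist"
}

# 4) smb.conf must let winbind renew the ticket, or the keytab goes stale.
check_smbconf() {
    grep -E -i -q '^[[:space:]]*winbind[[:space:]]+refresh[[:space:]]+tickets[[:space:]]*=[[:space:]]*yes' "$1"
}

# Exports: one entry must be the NFSv4 pseudo root (fsid=0) and the sec=
# list must offer a krb5 flavour, as in the example exports in the thread.
check_exports() {
    grep -E -q '^[^#[:space:]].*\(.*fsid=0.*\)' "$1" &&
    grep -E -q '^[^#[:space:]].*sec=[^,)]*krb5' "$1"
}

# Run every check against the captures in DIR; returns the failure count.
run_checks() {
    fqdn=$1; realm=$2; dir=$3
    fails=0
    for c in "check_dns $fqdn $dir/fwd $dir/rev" \
             "check_keytab $dir/klist $fqdn $realm" \
             "check_smbconf $dir/smb.conf" \
             "check_exports $dir/exports"; do
        if $c; then echo "PASS: ${c%% *}"; else echo "FAIL: ${c%% *}"; fails=$((fails+1)); fi
    done
    return $fails
}

# Constructed sample captures modelled on the thread (not from a real host).
make_samples() {
    dir=$1
    printf '192.168.0.10    nfs1.example.com nfs1\n' > "$dir/fwd"
    printf '192.168.0.10    nfs1.example.com\n' > "$dir/rev"
    cat > "$dir/klist" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 NFS1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
    printf '[global]\n   winbind refresh tickets = yes\n' > "$dir/smb.conf"
    cat > "$dir/exports" <<'EOF'
/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
EOF
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    if run_checks nfs1.example.com EXAMPLE.COM "$dir"; then
        echo "all prerequisites present"
    fi
    # Same host, but with the nfs/ principal missing from the keytab:
    # the check fails and points at the command from step 2.
    grep -v '^ *[0-9]* nfs/' "$dir/klist" > "$dir/klist.nonfs"
    if check_keytab "$dir/klist.nonfs" nfs1.example.com EXAMPLE.COM; then
        echo "unexpected: nfs principal found"
    else
        echo "FAIL: no nfs/ or root/ principal in keytab; run: net ads keytab add_update_ads nfs/\$(hostname -f)"
    fi
    rm -rf "$dir"
}

demo
```

On a real server you would replace make_samples with `getent hosts "$(hostname -f)"`, `getent hosts <that address>`, `klist -ke /etc/krb5.keytab` redirected into the same file names, and point the script at /etc/samba/smb.conf and /etc/exports. The script says nothing about gssproxy or MIT/Heimdal differences; it only tells you whether the four basics Louis asks about are in place before you dig into those.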
Hi Louis,

I've done all that, and my setup is similar to yours.

I believe it's a gss-proxy issue, which you probably aren't using, but I don't know enough about that to debug this issue, especially because it could have to do with, as Rowland says, the difference in Kerberos between Heimdal and MIT. I was hoping one of the Samba developers might shed some light on this, or I'm stuck without root. I wasn't going to have root on every client anyway, but it would be useful to have it temporarily on certain machines as required.

Jason.

On 11/10/2020 8:44 AM, L.P.H. van Belle via samba wrote:
> Well, my problem is I don't know how CentOS/RH is handling this.
>
> I just know that the basics are..
>
> 1) The server must have A and PTR records. (Optionally you can use CNAMEs as long as A+PTR match.)
>
> 2) You use nfs/$(hostname -f) and add this in the local keytab and in the computer object$:
> net ads keytab add_update_ads nfs/$(hostname -f)
>
> (You don't add the REALM here!)
>
> 3) I know nfs tries multiple SPNs, like (random order):
> nfs/HOSTNAME$
> nfs/hostname.fqdn
> root/hostname.fqdn
> One of these must exist in the local keytab file (in Debian /etc/krb5.keytab).
> klist -ke /etc/krb5.keytab
> should have at least one with nfs/$(hostname -f)@REALM
>
> 4) You must add this to smb.conf:
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Or the keytab will expire.
>
> Now, as I said, I don't know CentOS and MIT/Heimdal differences, that might be a point.
> But how did you set up the exports, did you define the pseudo NFS4 root?
> Examples here.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
>
> This is how my export looks.
> /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
> /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
>
> I hope this helps you out.
>
> Greetz,
>
> Louis
Hai Jason,

Hmm, yes, well, only one thing I can think of now, and that's the last one..
Is the server allowed to delegate Kerberos services? Have you set that also?
It's the last thing I can remember.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Keltz via samba
> Sent: Tuesday 10 November 2020 18:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs root kerberos
>
> Hi Louis,
>
> I've done all that, and my setup is similar to yours.
>
> I believe it's a gss-proxy issue, which you probably aren't using, but I don't know enough about that to debug this issue, especially because it could have to do with, as Rowland says, the difference in Kerberos between Heimdal and MIT. I was hoping one of the Samba developers might shed some light on this, or I'm stuck without root. I wasn't going to have root on every client anyway, but it would be useful to have it temporarily on certain machines as required.
>
> Jason.