Hi Team,

I have been using Kerberized nfs4 between 2 domain-members successfully since August last year.

All machines are Debian 11. The NFS-server and the desktop run with stock Samba 4.13.

Two days ago while I was working on the desktop-machine nfs stopped communicating. After rebooting the desktop I can login with my domain credentials on the console (not graphical as it requires home-dir access) but the home-dir is not there.

- wbinfo reports active connection (on all 3 items).
- klist in my user on the desktop shows a valid ticket and if I login on the nfsserver I get a valid ticket there as well
- system time is in sync on both machines
- resolving of domain users, groups, hosts through getent works fine, i.e. winbind is working on both sides
- On the DCs (I run Louis' 4.15.7 here) I have auditing enabled but audit.log does not show any failures while trying to access /home from the desktop

/home on the desktop gets mounted by autofs with the equivalent of:

mount -t nfs4 -o rw,soft,sync,nodev,exec,nosuid,noatime,fsc,sec=krb5p nfsserver.example.com:/home /home

Exports on the nfsserver:

# Root path
/srv/nfs 192.168.1.0/24(rw,root_squash,no_subtree_check,fsid=0,crossmnt,sec=krb5p)
# Share paths
/srv/nfs/home 192.168.1.0/24(rw,sync,root_squash,no_subtree_check,crossmnt,sec=krb5p)

Where /srv/nfs/home is a bind-mount to /home

Unfortunately I have not found a way to find some useful logging on either side.

In the end I replaced sec=krb5p on both sides (exports and autofs) with sec=sys and then there is immediately access. That tells me the problem must be related to Kerberos, which was my initial suspicion due to the way it stopped working 2 days ago (nothing changed in the configurations on either side).

What would be the next thing to investigate?

- Kees.
Increasing Verbosity in /etc/idmapd.conf on both sides should give you some logging for id mapping. I would start with 5.

I think that Debian 11 has moved to using an nfs-utils helper script, which changes some of the variables used in the systemd scripts. (I am still on Ubuntu 20.04 so I haven't played with those yet.) There ought to be variables for the options to rpc.gssd on the client side, and rpc.svcgssd on the server. If you set those options to -vvv you should get a lot of logging.

Hope that helps

Philippe

The trouble with common sense is that it is so uncommon.
<Anonymous>

On Tue, Jun 14, 2022 at 5:27 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Team,
>
> I have been using Kerberized nfs4 between 2 domain-members successfully since August last year.
>
> All machines are Debian 11. The NFS-server and the desktop run with stock Samba 4.13.
>
> Two days ago while I was working on the desktop-machine nfs stopped communicating. After rebooting the desktop I can login with my domain credentials on the console (not graphical as it requires home-dir access) but the home-dir is not there.
>
> - wbinfo reports active connection (on all 3 items).
> - klist in my user on the desktop shows a valid ticket and if I login on the nfsserver I get a valid ticket there as well
> - system time is in sync on both machines
> - resolving of domain users, groups, hosts through getent works fine, i.e. winbind is working on both sides
> - On the DCs (I run Louis' 4.15.7 here) I have auditing enabled but audit.log does not show any failures while trying to access /home from the desktop
>
> /home on the desktop gets mounted by autofs with the equivalent of:
>
> mount -t nfs4 -o rw,soft,sync,nodev,exec,nosuid,noatime,fsc,sec=krb5p nfsserver.example.com:/home /home
>
> Exports on the nfsserver:
>
> # Root path
> /srv/nfs 192.168.1.0/24(rw,root_squash,no_subtree_check,fsid=0,crossmnt,sec=krb5p)
> # Share paths
> /srv/nfs/home 192.168.1.0/24(rw,sync,root_squash,no_subtree_check,crossmnt,sec=krb5p)
>
> Where /srv/nfs/home is a bind-mount to /home
>
> Unfortunately I have not found a way to find some useful logging on either side.
>
> In the end I replaced sec=krb5p on both sides (exports and autofs) with sec=sys and then there is immediately access. That tells me the problem must be related to Kerberos, which was my initial suspicion due to the way it stopped working 2 days ago (nothing changed in the configurations on either side).
>
> What would be the next thing to investigate?
>
> - Kees.
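Philippe's advice as an added example, not code from the thread or from the nfs-utils project: an idempotent helper that sets or updates one key in the files he names and reads it back. The file paths and the RPCGSSDOPTS / RPCSVCGSSDOPTS variable names are assumptions about Debian 11's /etc/default files; check them against the installed nfs-utils_env.sh before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): enable id-mapping and RPCSEC_GSS
# debug logging the way Philippe describes, without duplicating keys.
# Paths and the RPCGSSDOPTS / RPCSVCGSSDOPTS names are assumptions about
# Debian 11; verify them against /usr/lib/systemd/scripts/nfs-utils_env.sh.
set -eu

# set_kv FILE KEY VALUE: rewrite an existing "KEY=..." or "Key = ..." line
# (commented out or live) in place, or append one if the key is absent.
set_kv() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]]*=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# get_kv FILE KEY: print the effective (uncommented) value, last one wins.
get_kv() {
    sed -nE "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Only touch the real system files when run as root with "apply".
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    # idmapd: Verbosity lives in the [General] section, on client and server.
    set_kv /etc/idmapd.conf Verbosity 5
    # client side: options handed to rpc.gssd by the helper script (assumed name)
    set_kv /etc/default/nfs-common RPCGSSDOPTS '"-vvv"'
    # server side: options handed to rpc.svcgssd (assumed name)
    set_kv /etc/default/nfs-kernel-server RPCSVCGSSDOPTS '"-vvv"'
    echo "now restart nfs-common / nfs-kernel-server and follow journalctl -f"
fi
```

If the key is appended rather than replaced, make sure it landed under [General] in idmapd.conf; the default Debian file already carries a live Verbosity line, so replacement is the normal case.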
On Tue, 2022-06-14 at 23:25 +0200, Kees van Vloten via samba wrote:
> Hi Team,
>
> I have been using Kerberized nfs4 between 2 domain-members successfully since August last year.
>
> All machines are Debian 11. The NFS-server and the desktop run with stock Samba 4.13.
>
> In the end I replaced sec=krb5p on both sides (exports and autofs) with sec=sys and then there is immediately access. That tells me the problem must be related to Kerberos, which was my initial suspicion due to the way it stopped working 2 days ago (nothing changed in the configurations on either side).
>
> What would be the next thing to investigate?

This isn't what you were looking for, and I want to first say that if only administrators in your AD can create users you should be fine, but I did want to mention a security concern that hits Kerberised NFS (and other non-Samba services in an AD):

I would warn you to look at the first few slides of:
https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
https://www.youtube.com/watch?v=1BnraIAcybg

Name-based authorization in AD can be very dangerous, if domain users are mapping the local users without any DOM\ prefix. If this was a Windows AD then accounts can be created in the domain via machineAccountQuota that match sensitive local users, like root.

As you run Samba, you are safe if you only delegate user creation to users you trust to choose 'safe' names (eg not root$ or root), but I just want to start sharing this concern a bit more broadly.

Andrew,

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
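Andrew's concern as an added audit example, not code from the thread or from Samba: it reduces Kerberos principals to the bare name a realm-stripping id mapper would look up, reports every domain name that lands on a local account (system accounts such as root first), and shows that carrying a DOM\ prefix into the local name removes the collisions. The passwd lines and principals are constructed sample data; in practice feed it the machine's /etc/passwd and the domain's account list.

```python
"""Audit domain account names against local accounts for name-based NFS id mapping.
Added example, not from the thread; sample data below is constructed."""

# Constructed /etc/passwd excerpt: root and daemon are system accounts, kees is not.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kees:x:1000:1000:Kees:/home/kees:/bin/bash
"""

# Constructed domain principals; 'root' and 'daemon$' are the kind of names
# Andrew says should never be creatable by untrusted users.
DOMAIN_PRINCIPALS = ["kees@EXAMPLE.COM", "alice@EXAMPLE.COM",
                     "root@EXAMPLE.COM", "daemon$@EXAMPLE.COM"]


def nfs4_local_name(principal, domain_prefix=None):
    """Name a realm-stripping id mapper would resolve locally. With a DOM\\ prefix
    (the thread's point) the result can no longer equal a plain local name."""
    name = principal.split("@", 1)[0]
    return f"{domain_prefix}{name}" if domain_prefix else name


def parse_passwd(text):
    """Map account name -> uid from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def find_collisions(principals, local_users, domain_prefix=None, system_uid_max=999):
    """Return [(principal, local_name, uid, is_system)] for each domain name that
    maps onto a local account. A machine account's trailing '$' is also stripped
    for the comparison, since the thread lists root$ beside root as unsafe."""
    hits = []
    for principal in principals:
        mapped = nfs4_local_name(principal, domain_prefix)
        for candidate in {mapped, mapped.rstrip("$")}:
            if candidate in local_users:
                uid = local_users[candidate]
                hits.append((principal, candidate, uid, uid <= system_uid_max))
    return sorted(hits, key=lambda hit: hit[2])  # lowest uid (most sensitive) first


if __name__ == "__main__":
    for principal, name, uid, system in find_collisions(DOMAIN_PRINCIPALS, parse_passwd(LOCAL_PASSWD)):
        print(f"{'CRITICAL' if system else 'review'}: {principal} -> local '{name}' (uid {uid})")
```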