Displaying 20 results from an estimated 10000 matches similar to: "kerberos nfs4's principals and root access"
2015 Oct 09
3
kerberos nfs4's principals and root access
Hai Baptiste,
I re-checked my setup and you're totally correct.
I cannot enter the nfsV4 mounted directory as root.
What I've added in idmap.conf
is this:
Domain = your_DNS_domain.tld
[Translation]
Method = nsswitch
And I found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
I'm testing this now.
Greetz,
Louis
>
2015 Oct 09
1
kerberos nfs4's principals and root access
Thank you very much Louis!
I have tried your setup and I can't mount the share either from the
server itself or the client.
In /var/log/syslog I have:
rpc.gssd : ERROR : no credentials found for connecting to server myserver
This is because the machine principal is not present in the keytab :
$ klist -k
1 nfs/myclient.samdom.com@SAMDOM.COM
1 nfs/myclient.samdom.com@SAMDOM.COM
1
2015 Oct 09
5
kerberos nfs4's principals and root access
Hai Baptiste,
Ok, thanks for these, I'll test that also.
And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and for example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking
2015 Oct 10
1
kerberos nfs4's principals and root access
You are right!
But it's possible to create a root kerberos principal like here:
http://docs.oracle.com/cd/E19253-01/816-4557/fgohx/
But I can't get this to work with a samba kerberos realm....
2015-10-09 22:32 GMT+02:00 buhorojo <buhorojo.lcb at gmail.com>:
> On 09/10/15 08:59, Prunk Dump wrote:
>>
>>
>> -> on the server
>> $ ls -al
2015 Oct 09
0
kerberos nfs4's principals and root access
Hai,
I had it the other way around. Only root access.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
If you can read the bash script maybe you see something you missed.
When I write as "root" it's root and
2015 Oct 09
0
kerberos nfs4's principals and root access
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 9 October 2015 13:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos
2016 Aug 01
0
kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I still can't use my local root
user to browse content of my NFSv4/Krb5 share...... (others permissions
are checked when root uses this share)
So a lot of questions appeared during my tests:
- Must I have the same idmap.conf on both client and server?
- Why does rpc.idmapd only use the 'nsswitch' method even if 'static' is
2016 Aug 02
0
kerberos nfs4's principals and root access
Hai,
Here you go..
But all my settings are scripted.
https://github.com/thctlo/samba4
found here.
Read the script : samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)
It's tested and works on debian jessie.
It contains the nfs server settings and client settings.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at
2016 Aug 02
2
FW: kerberos nfs4's principals and root access
** I truncated my initial mail below for size reasons **
I've tried your tips but nothing better.... AD users can still access the
share (phew!!), but local users no longer can.
I can't find where it blocks....
Thanks for your help Louis,
Greetz,
Bruno
On 02/08/2016 at 15:33, L.P.H. van Belle wrote:
>
> You keep 2 ranges.
>
> One for the “local (linux) users”
>
>
2020 Jul 24
4
samba4 kerberized nfs4 with sssd ad client
Hi everyone,
I have a samba DC, let's call it dc1.ad.example.com.
I have two members of the domain - server1.ad.example.com and
server2.ad.example.com. They are not running smbd and winbind.
Instead, they are running SSSD with AD backend.
I want to create an NFSv4 export on server1.ad.example.com and mount it
on server2.ad.example.com (say, sec=krb5).
I found some instructions online
2016 Aug 03
4
FW: kerberos nfs4's principals and root access
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown
2016 Aug 02
3
FW: kerberos nfs4's principals and root access
It's ok
So, if I create a httpuser and an httpgroup in my AD and use these as
owner and group for my apache2 daemon, this one could access userdirs
(as long as permissions grant it)? But I need to cron 'kinit' to keep
a valid ticket...?
My local root user still can't access the share, but my other
problem seems to be resolved.
Thanks
On 02/08/2016 at 16:37, Rowland
2016 Aug 03
1
FW: kerberos nfs4's principals and root access
If not done, add the server to the AD.
Add the host and nfs to the COMPUTERNAME($) account.
And use winbind to refresh the keytab.
Stop samba,
remove the keytab, create the new with the new SPN's in it,
start samba.
And use the second keytab for apache with only http as upn in it.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at
2016 Aug 01
3
kerberos nfs4's principals and root access
On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Hi,
>
> Sorry for this necrobump.... But I still can't use my local root
> user to browse content of my NFSv4/Krb5 share...... (others permissions
> are checked when root uses this share)
>
> So a lot of questions appeared during my tests:
>
> - Must I have the same idmap.conf on both client and server?
>
2006 Feb 17
4
ssh x11 forwarding problem
I'm running into a problem with x11 forwarding over ssh
I'm trying to run an application (rasmol - molecule viewing program)
which when using the default setup for x11 forwarding causes the
following error:
X Error of failed request: BadAccess (attempt to access private
resource denied)
Major opcode of failed request: 132 (MIT-SHM)
Minor opcode of failed request: 1
2014 May 11
2
Samba4 bug - "mount error(5): Input/output error"
Hi Rowland,
do you maybe have any idea what could potentially cause this bug?
smbclient throws me back a
mount error(5): Input/output error
when I try to mount the remote smbFS. It doesn't happen with my MacOSx
and Windows 7 as client but it happens with Linux OSs and with a Konica
Minolta copy machine with a scanner to samba function. The first try to
mount fails with the above error.
2018 Feb 05
6
Using Samba AD for NFSV4 Kerberos servers and clients
Thanks Luc,
First, can I just use the small /etc/krb5.conf suggested in Samba AD
docs or do I need something more substantial on the server & client for
Kerberos NFS to work?
[libdefaults]
default_realm = SUBDOMAIN.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
I understand a /etc/krb5.keytab file has to be created on both server &
client. Most
2020 Jul 24
0
samba4 kerberized nfs4 with sssd ad client
Depending on the OS.
Below is tested/in production since samba 4.9.x and debian stretch
Currently running buster with samba 4.12.5 with samba and AD-Backends.
All users have UID assigned, and "Domain Users".
This is really easy on any setup with systemd systems with samba and winbind.
I'll show how easy this is for any debian/ubuntu related system but using systemd, maybe you
2006 Nov 02
6
certificate not trusted
Hello,
I try to install puppet on freebsd 6.X. All is well but I cannot get
the certificate to install and be recognized. I run .19.3.
I run the puppetd --test --waitforcert 60
then sign
and then I got:
err: No certificate; running with reduced functionality.
info: Creating a new SSL key at
/usr/local/.aqadmin/puppet/conf/ssl/private_keys/xxxxxxxxxxxxxx.pem
info: Creating a new certificate
2014 Jul 28
1
NFSv4 + Kerberos understanding
Hi,
I've a SAMBA4 AD Domain that works nicely. All my W7 joined perfectly
and all my Linux clients authenticate against the kerberos part of SAMBA.
All works perfectly, now I'm trying to secure my NFS mounts by using
the kerberos part of SAMBA.
My NFS server works and I can mount NFS4 exports without kerberos (and
without problem ;-) ), but when I want to mount a gss/krb5 export on a
linux