Displaying 20 results from an estimated 7000 matches similar to: "FW: kerberos nfs4's principals and root access"
2015 Oct 09
5
kerberos nfs4's principals and root access
Hai Batiste,
Ok, thanks for these, I'll test that also.
And the "why" is a bit more explained here.
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html
and for example,
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ldap_server_setup.html
First my work here, but this is a good one which I also need to adjust in my scripts, so thank you for asking
2016 Aug 02
0
kerberos nfs4's principals and root access
Hai,
Here you go..
But all my settings are scripted.
https://github.com/thctlo/samba4
found here.
Read the script : samba-with-nfsv4.sh
Start it like ./samba-with-nfsv4.sh (client or server)
It's tested and works on Debian jessie.
It contains the nfs server settings and client settings.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at
2016 Aug 01
0
kerberos nfs4's principals and root access
Hi,
Sorry for this necrobump.... But I still can't use my local root
user to browse content of my NFSv4/Krb5 share...... (others' permissions
are checked when root uses this share)
So a lot of questions appeared during my tests :
- Must I have same idmap.conf on both client and server ?
- Why rpc.idmapd only use 'nsswitch' method even if 'static' is
2016 Aug 03
1
FW: kerberos nfs4's principals and root access
If not done, add the server to the AD.
Add the host and nfs to the COMPUTERNAME($) account.
And use winbind to refresh the keytab.
Stop samba,
remove the keytab, create the new with the new SPN's in it,
start samba.
And use the second keytab for apache with only http as upn in it.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at
2015 Oct 09
0
kerberos nfs4's principals and root access
Ok, now it's clear to me.
We need to set UMICH_SCHEMA in idmap.conf
Read : http://linux.die.net/man/5/idmapd.conf
Working on it now.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 9 October 2015 13:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] kerberos
2015 Oct 09
1
kerberos nfs4's principals and root access
Thank you very much Louis !
I have tried your setup and I can't mount the share either from the
server itself or the client.
On /var/log/syslog I have :
rpc.gssd : ERROR : no credentials found for connecting to server myserver
This is because the machine principal is not present in the keytab :
$ klist -k
1 nfs/myclient.samdom.com at SAMDOM.COM
1 nfs/myclient.samdom.com at SAMDOM.COM
1
2016 Aug 03
0
FW: kerberos nfs4's principals and root access
Ah ok, you are using "public_html" from a default setup.
Now I understand what exactly you want.
If you have the apache keytab created.
Create a cron job and run :
kinit -t /path/to/keytab as the www user.
Don't forget to disable the password change in the AD user for
the "apache Service user" account.
You probably also need to export some kerberos variables like :
2015 Oct 09
3
kerberos nfs4's principals and root access
Hai Baptiste,
I re-checked my setup and you're totally correct.
I can not enter the nfsV4 mounted directory as root.
What I've added in idmap.conf
is this :
Domain = your_DNS_domain.tld
[Translation]
Method = nsswitch
And i found this link.
http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu
I'm testing this now.
Greetz,
Louis
>
2015 Oct 09
0
kerberos nfs4's principals and root access
Hai,
I had it the other way around. Only root access.
I have scripted my setup and tested on debian.
Look here
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
setup-nfsv4-kerberos.sh
If you get the file, setup-nfsv4-kerberos.sh and compare it to your setup.
If you can read the bash script maybe you see something you missed.
When I write as "root" its root and
2016 Aug 02
3
FW: kerberos nfs4's principals and root access
It's ok
So, if I create a httpuser and an httpgroup in my AD and use these as
owner and group for my apache2 daemon, this one could access to userdirs
(while permissions granting it) ? But I need to cron 'kinit' to keep
valid ticket... ?
My local root user always can't access to the share, but my other
problem seems to be resolved.
Thanks
On 02/08/2016 at 16:37, Rowland
2016 Aug 03
4
FW: kerberos nfs4's principals and root access
You need for the apache keytab something like
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown
2018 Oct 25
0
Again NFSv4 and Kerberos at the 'samba way'...
Hai marco,
I left your original mail a bit intact and commented in between lines.
>
> > The nfs-server needs to be able to delegate the servers
> with kerberos. (obligated for nfsv4 with kerberos mounts )
> > Start - ADUC, enable advanced features - goto CN=Computers
> > get the member server's properties, tab Delegation, enable
> "Trust this computer
2016 Aug 03
1
FW: kerberos nfs4's principals and root access
Hi Rowland,
I've already read this article, but I never find how to indicate to
apache to read this file... After some research, I think I need to
install mod_auth_krb5 to specify at least how to find this keytab (even
if I don't need Apache authentication against Kerberos).
I will try this today and come back to say if it works !
In fact I'm stuck between my two problems (root
2014 Jul 28
1
NFSv4 + Kerberos understanding
Hi,
I've a SAMBA4 AD Domain that works nicely. All my W7 joined perfectly
and all my Linux clients authenticate against kerberos part of SAMBA.
All work perfectly, now I'm trying to secure my NFS mounts by using
kerberos part of SAMBA.
My NFS server works and I can mount NFS4 exports without kerberos (and
without problem ;-) ), but when I want to mount a gss/krb5 export on a
linux
2015 Oct 09
5
kerberos nfs4's principals and root access
Hello samba team !
I have some NFS4 exports managed by a Samba's Kerberos realm. All the
standard user accesses work fine.
I try now to setup an NFS4 root access to administer the share from
another server (the two hosts are DC, one PDC and one SDC). But I have
trouble understanding the kerberos/principals layer.
------------
Actually I do
-------------
-> on the server I create an nfs
2016 Aug 02
0
FW: kerberos nfs4's principals and root access
On Tue, 2 Aug 2016 17:05:37 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> It's ok
>
> So, if I create a httpuser and an httpgroup in my AD and use these as
> owner and group for my apache2 daemon, this one could access to
> userdirs (while permissions granting it) ? But I need to cron 'kinit'
> to keep valid ticket... ?
>
> My local
2016 Aug 01
3
kerberos nfs4's principals and root access
On 01/08/16 16:16, Bruno MACADRÉ wrote:
> Hi,
>
> Sorry for this necrobump.... But I still can't use my local root
> user to browse content of my NFSv4/Krb5 share...... (others' permissions
> are checked when root uses this share)
>
> So a lot of questions appeared during my tests :
>
> - Must I have same idmap.conf on both client and server ?
>
2016 Aug 02
0
FW: kerberos nfs4's principals and root access
On Tue, 2 Aug 2016 16:02:41 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> ** I truncate my initial mail below for size reason **
>
> I've tried your tips but nothing better.... AD users can still
> access the share (ouf !!), but local users no more.
>
> I can't find where it blocks....
>
> Thanks for your help Louis,
>
> Greetz,
>
2012 Aug 22
0
Winbind/AD/NFSv4: can't `ls/cd` private directory?
Hello everyone,
We have a CentOS 6.3 NFSv4 server and client, and we've run into a situation where the client is unable to list "private" (chmod 700-ed) directories, even if the current user owns the directory in question.
A bit more background: we're also using Samba 3.5+Winbind to provide authentication and UID/GID mapping against a Windows 2008 R2 domain controller.
2018 Oct 31
0
Again NFSv4 and Kerberos at the 'samba way'...
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 31 October 2018 9:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
>
> On Wed, 31 Oct 2018 08:31:17 +0100
> "L.P.H. van Belle via samba" <samba at