Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients




I found one of my problems was that on the client, in the /etc/krb5.conf file, the domain name was in lower case. The one on the server was upper case. Upper-casing the client one fixed my nfs4 mount issue, but now I have another one.

The nfs4 krb5 export mounts on the remote client, but doesn't seem to recognize permissions. The mount directory is shown as owned by root and the group is 4294967294.

If I mount the export using nfs4 without krb5 it works as expected and the mount directory is owned by root and the group is from Samba AD as DOMAIN\group.

I suppose this has something to do with id mapping and a special requirement for nfs4 krb5. I have winbindd running, which of course is why my perms are working non-krb5.

Help?
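
The realm-case mismatch described in the message above can be checked mechanically, since Kerberos realm names are case-sensitive. The following is an added example, not part of the original thread or of Samba: the function names, the client sample, and the host `dc1.subdomain.domain.com` are constructed for illustration, and the server sample is the snippet quoted later in the thread.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")

def realm_names(krb5_conf_text):
    """Return (location, realm) pairs for every realm named in a krb5.conf."""
    found, section, depth = [], None, 0
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section, depth = m.group(1), 0
            continue
        if line == "}":                       # end of a realm's sub-block
            depth -= 1
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            found.append(("libdefaults.default_realm", value))
        elif section == "realms" and depth == 0 and value.startswith("{"):
            found.append(("realms", key))     # the key itself is the realm
        elif section == "domain_realm" and value:
            found.append(("domain_realm " + key, value))
        if value == "{":
            depth += 1
    return found

def lowercase_realms(text):
    """Realm names that are not fully upper case (DNS host names are ignored)."""
    return [(where, r) for where, r in realm_names(text) if r != r.upper()]

def realms_match(client_text, server_text):
    """True only if both files name the same default realm, byte for byte."""
    pick = lambda t: dict(realm_names(t)).get("libdefaults.default_realm")
    return pick(client_text) == pick(server_text)

# Constructed client file reproducing the lower-case mistake.
CLIENT = """[libdefaults]
        default_realm = subdomain.domain.com
[realms]
        subdomain.domain.com = {
                kdc = dc1.subdomain.domain.com
        }
[domain_realm]
        .subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
"""
# Server file as quoted in the thread.
SERVER = """[libdefaults]
        default_realm = SUBDOMAIN.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
```
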


On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in Samba AD docs or do I need something more substantial on the server & client for Kerberos NFS to work?

[libdefaults]
        default_realm = SUBDOMAIN.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & client. Most of the existing docs show commands to do this using a real KDC, not Samba AD. If I try to use the kadmin tool, there's a message about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

nfs/server@xxxxxxxxxxxxxxxxxxxx

nfs/client@xxxxxxxxxxxxxxxxxxxx

Are these created manually by adding some account in ADUC and then using "samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken



On 02/04/2018 06:29 PM, Luc Lalonde wrote:
Hey Ken,

We’re using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students home directories.

I can answer specific questions if you’ve got some.

Cheers, Luc.


Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde@xxxxxxxxxx
-----------------------------

On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba@xxxxxxxxxxxxxxx> wrote:

Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers and then have clients connect to them?

I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions:

https://help.ubuntu.com/community/NFSv4Howto

And seem to have adapted the keytab entries from using this Samba AD info:

https://wiki.samba.org/index.php/Generating_Keytabs

But I'm kind of stuck getting the actual mount to work on the client side. I'll admit to never using Kerberos with NFS before and my Samba AD knowledge is also fairly new (but I do have working Samba AD for Windows and Linux client logins, group, POSIX & Win ACLs). I can't seem to find good information or a howto on implementing NFSKerberos + SambaAD.

Before I post actual questions and logs, is this configuration even possible?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
