
Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients




Louis,

Thank you for your insightful response. It's a shame that once I figured this all out, I got to such a terminal problem. I suppose the NFS4 krb5 remote mount ACL issue works OK with other, non-Samba-AD KDCs? Is that the core issue of this problem, the KDC portion?

My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server, set up Samba AD as the user/group directory and make a file server sharing to both Windows and Linux Mint clients using SMB and NFS4 (encrypted) with POSIX & Windows ACLs for each style. I got that implementation to work quite well all the way down to the NFS4 Kerberos ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I suppose I'll have to deploy it that way for now; changing to the encrypted style should be no problem in the future.

Strangely, I did not run into the "Using the Domain Controller as a File Server" problem "Running shares with POSIX ACLs on a Samba DC is not supported" mentioned here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I guess this works because my Linux clients connect through NFS and get POSIX ACLs that way (even though those POSIX ACLs are making use of Samba AD users/groups through winbindd with "idmap config DOMAIN:backend = ad")?

Any other helpful comments by anyone for this particular Samba AD file server implementation would be appreciated. I think I'll make a full step-by-step writeup once I get all this working.

-Ken
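Added example, not from this thread and not Samba's or nfs-utils' own tooling: a small POSIX sh diagnostic for the two symptoms described in the quoted messages below, the lowercase realm in the client krb5.conf and the group showing up as 4294967294 on the sec=krb5 mount. The krb5.conf and idmapd.conf contents are constructed, and SAMDOM.EXAMPLE.COM is a placeholder realm. The checks encode three facts a practitioner wants at hand here: Kerberos realm names are compared case-sensitively; 4294967294 is (uint32)-2, the id the NFSv4 client substitutes when it cannot map the name the server sent; and with sec=krb5 ownership always travels as user@Domain strings that both ends must resolve through the same idmap Domain, whereas with sec=sys a current Linux client falls back to numeric ids, which is why the plain NFSv4 mount shows the right group while the Kerberos one does not.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for a sec=krb5 NFSv4
# mount that shows owner root and group 4294967294. All inputs are strings
# so the functions run without a KDC; the configs at the bottom are
# constructed and SAMDOM.EXAMPLE.COM is a placeholder realm.

# Extract "key = value" from an INI-style config blob ($1) for key $2.
ini_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n1
}

# Kerberos realm names are case-sensitive: "samdom.example.com" and
# "SAMDOM.EXAMPLE.COM" are different realms to the KDC. Return 0 only when
# client and server krb5.conf name exactly the same default_realm.
realms_match() {
    c=$(ini_value "$1" default_realm); s=$(ini_value "$2" default_realm)
    [ -n "$c" ] && [ "$c" = "$s" ]
}

# 4294967294 is (uint32)-2, the id the kernel NFSv4 client falls back to
# when the name@domain string from the server cannot be mapped; 65534 is
# the Nobody-User/Nobody-Group fallback rpc.idmapd substitutes instead.
is_unmapped_id() {
    [ "$1" = "4294967294" ] || [ "$1" = "65534" ]
}

# With sec=krb5 owners travel as user@Domain and both ends must agree on
# Domain ([General] Domain in idmapd.conf, else the host's DNS domain).
# With sec=sys a current Linux client uses numeric ids instead, which is
# why the non-Kerberos mount looks right while the Kerberos one does not.
idmap_domain() {          # $1 idmapd.conf blob, $2 fallback DNS domain
    d=$(ini_value "$1" Domain)
    if [ -n "$d" ]; then printf '%s\n' "$d"; else printf '%s\n' "$2"; fi
}
idmap_domains_match() {   # $1,$2 client blob+fallback; $3,$4 server blob+fallback
    [ "$(idmap_domain "$1" "$2")" = "$(idmap_domain "$3" "$4")" ]
}

# One-line verdict for the group id a mount shows.
diagnose_gid() {
    if is_unmapped_id "$1"; then
        echo "gid $1 is the idmap fallback: the client could not map the group name"
    else
        echo "gid $1 mapped normally"
    fi
}

# Constructed samples mirroring the thread: the client realm is lowercase.
CLIENT_KRB5='[libdefaults]
    default_realm = samdom.example.com
    dns_lookup_realm = false
    dns_lookup_kdc = true'
SERVER_KRB5='[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true'
CLIENT_IDMAPD='[General]
Verbosity = 0
Domain = samdom.example.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup'
SERVER_IDMAPD='[General]
Verbosity = 0
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup'

realms_match "$CLIENT_KRB5" "$SERVER_KRB5" && echo "realm: OK" \
    || echo "realm: client and server default_realm differ (case matters)"
idmap_domains_match "$CLIENT_IDMAPD" "client.example.net" "$SERVER_IDMAPD" "samdom.example.com" \
    && echo "idmap Domain: OK" || echo "idmap Domain: mismatch"
diagnose_gid 4294967294
```

On a real client the inputs are `cat /etc/krb5.conf`, `cat /etc/idmapd.conf` and `hostname -d`; if the realm check passes but the group is still unmapped, the next place to look is `nfsidmap -d` and the rpc.gssd/rpc.idmapd logs on both ends.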


On 02/05/2018 06:00 AM, L.P.H. van Belle via samba wrote:
Hi,

NFSv4 and Samba work fine, but there is a big BUT and you have found it already.
The nfs4 krb5 export mounts on the remote client, but doesn't seem to
recognize permissions. The mount directory is shown as owned by root and the group is 4294967294
Yes, the NFSv4 ACLs and system ACLs over Kerberos don't match anymore.
This is a known problem and I don't know when it will be fixed.

At the moment I use this for the NFS server.

# Test all sec variable.
/exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

This gives the option to test all sec= settings.
Now if you use sys (not Kerberos), all rights work OK and you should have a 100% match.

I've tried with one of the latest libnfsidmap files and built it for Debian stretch.
http://apt.van-belle.nl/current-packages-in-stretch-experimental-apt.txt
  stretch-experimental|main|amd64: libnfsidmap2 0.27-0.1~deb9
The changelogs indicate that it should be fixed with 0.27, but it's not;
well, at least I did not get the correct ACLs with Kerberos mounts either.
The irritating thing is, it did work for some time in Debian Jessie about 6-12 months ago, then it stopped there also.

See also my message to debian:
https://lists.debian.org/debian-kernel/2017/11/msg00079.html


Now about the NFS keytab generation (use sys for now; that works fine).
From: https://wiki.samba.org/index.php/Generating_Keytabs

samba-tool spn add nfs/hostname.dom.tld "NETBIOSNAME\$"   < the SPN added here must be the same principal exported below.
samba-tool spn add nfs/hostname.dom.tld@REALM "NETBIOSNAME\$"   < I don't use this one; IMO only when you use multiple REALMs.
samba-tool domain exportkeytab --principal=nfs/hostname.dom.tld ~/nfs-hostname.keytab
Copy ~/nfs-hostname.keytab to the correct server.

ktutil
rkt /etc/krb5.keytab
rkt ~/nfs-hostname.keytab
list    ... aka check it.
wkt /etc/krb5.keytab.NEW

Stop samba/winbind
cp /etc/krb5.keytab{,.backup}
cp /etc/krb5.keytab.NEW /etc/krb5.keytab
Start samba/winbind

Give it a try


Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Ken McDonald via samba
Sent: Monday, 5 February 2018 6:14
To: samba
Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients

I found one of my problems was that on the client, in the /etc/krb5.conf file, the domain name was in lower case. The one on the server was upper case. Upper-casing the client one fixed my nfs4 mount issue, but now I have another one.

The nfs4 krb5 export mounts on the remote client, but doesn't seem to recognize permissions. The mount directory is shown as owned by root and the group is 4294967294

If I mount the export using nfs4 without krb5 it works as expected and the mount directory is owned by root and the group is from Samba AD as DOMAIN\group

I suppose this has something to do with id mapping and a special requirement for nfs4 krb5. I have winbindd running, which of course is why my perms are working non-krb5.

Help?


On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in the Samba AD docs, or do I need something more substantial on the server & client for Kerberos NFS to work?

[libdefaults]
         default_realm = SUBDOMAIN.DOMAIN.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & client. Most of the existing docs show commands to do this using a real KDC, not Samba AD. If I try to use the kadmin tool, there's a message about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

nfs/server@xxxxxxxxxxxxxxxxxxxx

nfs/client@xxxxxxxxxxxxxxxxxxxx

Are these created manually by adding some account in ADUC and then using "samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken



On 02/04/2018 06:29 PM, Luc Lalonde wrote:
Hey Ken,

We're using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students' home directories.

I can answer specific questions if you've got some.

Cheers, Luc.


Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde@xxxxxxxxxx
-----------------------------

On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba@xxxxxxxxxxxxxxx> wrote:

Is it possible to use Samba AD for the Kerberos KDC with NFSv4 servers and then have clients connect to them?

I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions

https://help.ubuntu.com/community/NFSv4Howto

and seem to have adapted the keytab entries using this Samba AD info

https://wiki.samba.org/index.php/Generating_Keytabs

But I'm kind of stuck getting the actual mount to work on the client side. I'll admit to never using Kerberos with NFS before, and my Samba AD knowledge is also fairly new (but I do have working Samba AD for Windows and Linux client logins, groups, POSIX & Win ACLs). I can't seem to find good information or a howto on implementing NFS Kerberos + Samba AD.

Before I post actual questions and logs, is this configuration even possible?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
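Added example, not Louis's script and not taken from the Samba wiki: the keytab procedure quoted above (spn add, exportkeytab, ktutil merge, backup and swap), assembled into one script for the NFS server with the checks a practitioner wants before replacing /etc/krb5.keytab. It assumes MIT Kerberos (rkt/wkt are MIT ktutil commands; Heimdal's ktutil differs), placeholder host, machine account and realm names (nfs1.samdom.example.com, NFS1$, SAMDOM.EXAMPLE.COM), and systemd unit names that you adjust to your host. The klist listing embedded at the bottom is constructed so the parsers can be exercised offline. Two things the original steps leave implicit are made explicit: the merged file is listed with klist -kte and must contain the nfs/ principal before the live keytab is touched, and the kvno is printed because a keytab exported before the account's password changed carries a kvno the KDC no longer issues tickets for; if the NFS server is a domain member rather than the DC, winbind rotates the machine password by default, so re-export after rotation or put the nfs/ SPN on an account whose password does not rotate. Every file that holds the keys is created with mode 0600 and the temporary export is deleted after the merge.

```shell
#!/bin/sh
# Added example, not Louis's script: the thread's keytab procedure as one
# script for the NFS server, with checks before /etc/krb5.keytab is replaced.
# MIT ktutil syntax (rkt/wkt) as in the thread. NFS_HOST, NETBIOS, REALM and
# STOP_SERVICES are placeholders to override from the environment.
set -eu

NFS_HOST="${NFS_HOST:-nfs1.samdom.example.com}"      # NFS server FQDN
NETBIOS="${NETBIOS:-NFS1}"                             # its AD machine account, without the $
REALM="${REALM:-SAMDOM.EXAMPLE.COM}"
STOP_SERVICES="${STOP_SERVICES:-samba-ad-dc nfs-kernel-server}"   # units holding the keytab open
KEYTAB=/etc/krb5.keytab

# Parse `klist -kte` output ($1) and return 0 if principal $2 is present.
# Field 4 is the principal because the -t timestamp occupies fields 2 and 3.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p { f=1 } END { exit f ? 0 : 1 }'
}

# Highest kvno recorded for principal $2 in listing $1 (0 if absent). The KDC
# issues service tickets under the account's current kvno, so a keytab
# exported before a password change shows a lower number than the DC holds.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p && $1+0 > k { k=$1+0 } END { print k+0 }'
}

merge_nfs_keytab() {
    spn="nfs/$NFS_HOST"
    umask 077                      # every file created below holds long-term keys
    tmp=$(mktemp)

    # On the DC: register the SPN on the machine account (skipped if already
    # there) and export its keys. exportkeytab needs the principal to exist,
    # so the service name here must be the one exported.
    samba-tool spn list "${NETBIOS}\$" | grep -qF "$spn" || samba-tool spn add "$spn" "${NETBIOS}\$"
    samba-tool domain exportkeytab --principal="$spn" "$tmp"
    # If the NFS server is a separate host, scp "$tmp" there (it is mode 0600)
    # and run the remaining steps on that host.

    # Merge into a new file rather than editing the live keytab in place.
    ktutil <<EOF
rkt $KEYTAB
rkt $tmp
wkt $KEYTAB.NEW
EOF
    rm -f "$tmp"

    listing=$(klist -kte "$KEYTAB.NEW")
    keytab_has_principal "$listing" "$spn@$REALM" \
        || { echo "new keytab lacks $spn@$REALM, not installing it" >&2; rm -f "$KEYTAB.NEW"; return 1; }
    echo "nfs principal kvno in new keytab: $(keytab_kvno "$listing" "$spn@$REALM")"

    # Swap with a backup while the services that hold the keytab are down.
    for s in $STOP_SERVICES; do systemctl stop "$s"; done
    cp -p "$KEYTAB" "$KEYTAB.backup"
    mv "$KEYTAB.NEW" "$KEYTAB"
    chmod 600 "$KEYTAB"
    for s in $STOP_SERVICES; do systemctl start "$s"; done
}

# Constructed `klist -kte` listing used to exercise the parsers offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab.NEW
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/05/2018 10:00:00 NFS1$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/05/2018 10:00:00 NFS1$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   3 02/05/2018 10:05:00 nfs/nfs1.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 02/05/2018 10:05:00 nfs/nfs1.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# The merge talks to the DC and restarts services, so it only runs when asked.
if [ "${RUN_KEYTAB_MERGE:-0}" = "1" ]; then
    merge_nfs_keytab
else
    keytab_has_principal "$SAMPLE_LISTING" "nfs/$NFS_HOST@$REALM" \
        && echo "sample listing: nfs principal present, kvno $(keytab_kvno "$SAMPLE_LISTING" "nfs/$NFS_HOST@$REALM")"
fi
```

Run it as root with RUN_KEYTAB_MERGE=1 on the DC (or split it at the scp comment when the NFS server is a separate member); without that variable it only exercises the two parsers on the constructed listing. After the swap, `klist -kte /etc/krb5.keytab` on the NFS server and a `kinit` plus `mount -t nfs4 -o sec=krb5` from a client confirm the new keys are in use.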







