Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Hi Kevin,

Thanks for your detailed reply. Just to confirm details of your overall implementation:

1) You are using a non-Samba AD LDAP/Kerberos directory as your main source of users/groups? (the LDAP server configuration is not shown here)

2) Through some nifty scripts you synchronize users between that LDAP server and Samba AD? (because as I understand it, Samba AD will not use an external LDAP server)

3) Is NFS also used to export file shares, or are your Linux clients mounting SMB shares?

4) If NFS, would you post your server /etc/exports and client mount command?

Thanks for the assistance. It's been a while since I considered using Samba at customer sites (because the NT4 style was limited and required manual registry entries to reduce security on modern Windows OSes in order to join the domain). Now I think with a little effort I can fully deploy Samba AD as an alternative to native Windows AD and realize the cost savings for customers. Also, I find the AD tools and AD server software (whether Windows AD or Samba AD) much easier to work with than a Linux LDAP server. I never liked the fact that there seemed to be few GUI tools for Linux LDAP besides paid versions or Apache Studio, which required Java...

-Ken



On 02/05/2018 08:01 AM, Luc Lalonde wrote:

Hello Kevin,

We have a Samba/Windows 2008R2 domain that's been running a few years now.

Here are the details:

  * clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis)
  * idmap
  * samba on clients/server for joining domain

We have scripts that automatically create users with UnixHomeDir, UID and GUID numbers within AD.

I don't know about using Winbind... I dropped that option during testing. I found it to be a flaky daemon. SSSD also had more options.

Here's a sanitized version of some config files:

########## /etc/auto.master #################################
/users          /etc/auto.home_all --timeout=60
#############################################################

########## /etc/auto.home_all ###############################
*    -fstype=nfs4,rw,sec=krb5      server.example.com:/&
#############################################################

########## begin client /etc/samba/smb.conf ##########################
[global]
   workgroup = GIGL
   realm = example.com
   netbios name = workstation-name
   security = ADS
   password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   dedicated keytab file = /etc/krb5.keytab
########## end client /etc/samba/smb.conf ############################

########## begin server /etc/samba/smb.conf ##########################
[global]
   workgroup = GIGL
   realm = example.com
   netbios name = SERVER
   security = ADS
   password server = DOMSERVER1.EXAMPLE.COM, DOMSERVER2.EXAMPLE.COM
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   dedicated keytab file = /etc/krb5.keytab

[homes]
        comment = homes
        read only = No
        directory mask = 0700
        force directory mode = 0700
        create mask = 0600
        force create mode = 0600
        browseable = No
        valid users = %S
        follow symlinks = yes
########## end server /etc/samba/smb.conf ############################

############## begin /etc/krb5.conf ####################
[logging]
 default = SYSLOG:INFO:DAEMON
 kdc = SYSLOG:INFO:DAEMON
 admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 10h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 EXAMPLE.COM = {
   default_domain = example.com
   master_kdc= domserver1.example.com
   kdc=domserver1.example.com
   kdc=domserver2.example.com
   admin_server=domserver1.example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM
 subnet1.example.com = EXAMPLE.COM
 .subnet1.example.com = EXAMPLE.COM
 subnet2.example.com = EXAMPLE.COM
 .subnet2.example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 10h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
   validate = true
 }
############## end /etc/krb5.conf #####################

Here's the command that I run to generate the keytab on the NFS server (after properly configuring '/etc/samba/smb.conf'):

#############
kinit Administrator@xxxxxxxxxxx
rm -rf /etc/krb5.keytab;
msktutil --delegation --dont-expire-password \
--no-pac --computer-name server \
--enctypes 0x1F -b "OU=Services" \
-k /etc/krb5.keytab -h server.example.com \
-s nfs/server.example.com \
--upn nfs/server.example.com  --verbose

rm -rf /etc/krb5.keytab
net ads join -k -UAdministrator
#############

Also, don't forget that you need the 'ServicePrincipalNames' enabled for your NFS service.  I don't know the command on Samba, but here's the command on Windows2008R2 (I keep these in the OU=Services):

#############

setspn -A nfs/server.example.com example
setspn -A nfs/server server
setspn -L server
Registered ServicePrincipalNames for CN=server,OU=Services,DC=example,DC=com:
        nfs/server
        nfs/server.example.com
        HOST/server.example.com
        HOST/server

#############


And on the client:

#############
kinit Administrator@xxxxxxxxxxx
rm -rf /etc/krb5.keytab;
msktutil --server domserver1.example.com --delegation \
--dont-expire-password --no-pac --computer-name workstation-client-nfs \
--enctypes 0x1F -b "OU=Services" -k /etc/krb5.keytab \
-h workstation-client.example.com \
-s nfs/workstation-client.example.com \
--upn nfs/workstation-client.example.com  --verbose
#############

There are more details... too much to put in this email. Hopefully, this can get you on the right path. Maybe I should take the time to document this on the Samba Wiki.

Bye.
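After the msktutil step Luc describes, the checks a practitioner would run on the resulting keytab and krb5.conf, as an added example in POSIX sh (not part of the thread, of Samba or of msktutil): it looks for the nfs/<fqdn> service principal created with `-s`, lists the keytab entries that only work because of the `allow_weak_crypto = true` line in Luc's krb5.conf, decodes the `--enctypes 0x1F` bitmask, and verifies that `default_realm` is upper case, the mistake Ken found on his client. The `klist -kte` listing and the krb5.conf fragment are constructed samples; the real inputs to substitute are noted in the script.

```shell
#!/bin/sh
# Added example, not from the thread: post-msktutil checks for an NFSv4/krb5 host.
# The functions take their input as text, so they work on a real
# `klist -kte /etc/krb5.keytab` listing or on the constructed sample below.

# Constructed sample of `klist -kte` output (MIT format; KVNO and timestamps made up).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/05/2018 08:01:00 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/05/2018 08:01:00 nfs/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/05/2018 08:01:00 nfs/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/05/2018 08:01:00 nfs/server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/05/2018 08:01:00 nfs/server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 02/05/2018 08:01:00 nfs/server.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed krb5.conf fragment with the lower-case realm that broke the client mount in the thread.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = example.com
 dns_lookup_kdc = true'

# Principal names present in a keytab listing, deduplicated (entry lines start with the KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Succeeds if the listing holds nfs/<fqdn>@<REALM>, the service principal
# that the msktutil -s / --upn options in the thread create on each host.
has_nfs_principal() {
    keytab_principals "$1" | grep -q "^nfs/$2@$3\$"
}

# Print "<principal> <enctype>" for every entry whose enctype MIT Kerberos only
# accepts with allow_weak_crypto = true (single DES and exportable RC4).
weak_enctype_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            etype = $5
            gsub(/[()]/, "", etype)
            if (etype ~ /^(des-cbc-(crc|md4|md5|raw)|des-hmac-sha1|des3-cbc-raw|arcfour-hmac-exp)$/)
                print $4, etype
        }'
}

# Decode an msktutil --enctypes bitmask (AD msDS-SupportedEncryptionTypes) into
# enctype names, lowest bit first; 0x1F from the thread enables all five.
decode_enctypes_mask() {
    mask=$(( $1 ))
    if [ $(( mask & 1 ))  -ne 0 ]; then echo des-cbc-crc; fi
    if [ $(( mask & 2 ))  -ne 0 ]; then echo des-cbc-md5; fi
    if [ $(( mask & 4 ))  -ne 0 ]; then echo arcfour-hmac; fi
    if [ $(( mask & 8 ))  -ne 0 ]; then echo aes128-cts-hmac-sha1-96; fi
    if [ $(( mask & 16 )) -ne 0 ]; then echo aes256-cts-hmac-sha1-96; fi
    return 0
}

# Succeeds if default_realm in a krb5.conf text is entirely upper case.
# Realm names are case-sensitive, which is why the lower-case realm in the thread failed.
default_realm_is_uppercase() {
    realm=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Report on the constructed samples; on a real host pass
# "$(klist -kte /etc/krb5.keytab)" and "$(cat /etc/krb5.conf)" instead.
if has_nfs_principal "$SAMPLE_KEYTAB_LISTING" server.example.com EXAMPLE.COM; then
    echo "nfs/server.example.com@EXAMPLE.COM: present"
else
    echo "nfs/server.example.com@EXAMPLE.COM: MISSING"
fi
weak_enctype_entries "$SAMPLE_KEYTAB_LISTING" | sed 's/^/weak keytab entry: /'
echo "enctypes enabled by --enctypes 0x1F: $(decode_enctypes_mask 0x1F | tr '\n' ' ')"
if default_realm_is_uppercase "$SAMPLE_KRB5_CONF"; then
    echo "default_realm: ok"
else
    echo "default_realm: not upper case, the realm will not be found"
fi
```

The 0x1F mask covers both single-DES types, RC4 and the two AES types; an AES-only mask (0x18) is what would let the `allow_weak_crypto = true` line go, and the weak-entry listing shows which existing keytab entries currently depend on that setting.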

On 2018-02-05 12:13 AM, Ken McDonald via samba wrote:
I found one of my problems was that on the client, in the /etc/krb5.conf file, the domain name was in lower case. The one on the server was upper case. Upper-casing the client one fixed my nfs4 mount issue, but now I have another one.

The nfs4 krb5 export mounts on the remote client, but doesn't seem to recognize permissions. The mount directory is shown as owned by root and the group is 4294967294.

If I mount the export using nfs4 without krb5 it works as expected and the mount directory is owned by root and the group is from Samba AD as DOMAIN\group

I suppose this has something to do with id mapping and a special requirement for nfs4 krb5. I have winbindd running, which of course is why my perms are working non-krb5.

Help?
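On the 4294967294 group Ken reports, an added example in POSIX sh (not from the thread): with sec=krb5 the NFSv4 owner and group attributes are exchanged as name@domain strings (with sec=sys a Linux client can fall back to plain numeric ids, which is why the permissions look right there), and an id the client cannot map is rendered as (uint32)-2, i.e. 4294967294. The script picks those entries out of an `ls -ln` listing and checks the setting that is easiest to get wrong, the Domain in /etc/idmapd.conf, which must be the same on client and server. The listing and both idmapd.conf fragments are constructed; the paths and domain values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the "group 4294967294" symptom.
# With sec=krb5 the NFSv4 owner and group travel as name@domain strings, so
# every id the server sends must be mapped by the client; an id that cannot be
# mapped is shown as (uint32)-2 = 4294967294.

NFS_UNMAPPED_ID=4294967294

# Constructed `ls -ln` output of the mount point described above.
SAMPLE_LS_LN='total 8
drwxr-xr-x 2 0 4294967294 4096 Feb  5 00:13 users
-rw-r--r-- 1 1001 10001 0 Feb  5 00:14 mapped-ok.txt'

# Constructed /etc/idmapd.conf fragments from the two hosts (assumed content).
SAMPLE_SERVER_IDMAPD='[General]
Domain = example.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup'
SAMPLE_CLIENT_IDMAPD='[General]
#Domain = localdomain
Domain = subnet1.example.com'

# Print the names of listing entries whose owner or group is the unmapped sentinel.
unmapped_entries() {
    printf '%s\n' "$1" | awk -v nobody="$NFS_UNMAPPED_ID" \
        'NF >= 9 && ($3 == nobody || $4 == nobody) { print $NF }'
}

# Effective Domain of an idmapd.conf text (commented-out lines are ignored).
idmapd_domain() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeeds if client and server agree on the idmap Domain, the first thing to
# compare when sec=krb5 mounts show 4294967294 while sec=sys mounts do not.
idmap_domains_match() {
    [ -n "$(idmapd_domain "$1")" ] && [ "$(idmapd_domain "$1")" = "$(idmapd_domain "$2")" ]
}

# Report on the constructed samples; on real hosts pass "$(ls -ln /users)"
# and the contents of each side's /etc/idmapd.conf.
unmapped_entries "$SAMPLE_LS_LN" | sed 's/^/unmapped owner or group: /'
if idmap_domains_match "$SAMPLE_CLIENT_IDMAPD" "$SAMPLE_SERVER_IDMAPD"; then
    echo "idmapd Domain matches"
else
    echo "idmapd Domain differs: client=$(idmapd_domain "$SAMPLE_CLIENT_IDMAPD") server=$(idmapd_domain "$SAMPLE_SERVER_IDMAPD")"
fi
```

Once the Domains agree, the remaining piece is that the client's idmapper has to resolve the exact name string the server emits (with winbind, the DOMAIN\group form) through its own nsswitch; `nfsidmap -d` prints the domain a client will actually use.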


On 02/04/2018 08:23 PM, Ken McDonald via samba wrote:
Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in Samba AD docs or do I need something more substantial on the server & client for Kerberos NFS to work?

[libdefaults]
        default_realm = SUBDOMAIN.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & client. Most of the existing docs show commands to do this using a real KDC, not Samba AD. If I try to use the kadmin tool, there's a message about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

nfs/server@xxxxxxxxxxxxxxxxxxxx

nfs/client@xxxxxxxxxxxxxxxxxxxx

Are these created manually by adding some account in ADUC and then using "samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken



On 02/04/2018 06:29 PM, Luc Lalonde wrote:
Hey Ken,

We’re using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students home directories.

I can answer specific questions if you’ve got some.

Cheers, Luc.


Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde@xxxxxxxxxx
-----------------------------

On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba@xxxxxxxxxxxxxxx> wrote:

Is it possible to use Samba AD as the Kerberos KDC with NFSv4 servers and then have clients connect to them?

I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions:

https://help.ubuntu.com/community/NFSv4Howto

And I seem to have adapted the keytab entries using this Samba AD info:

https://wiki.samba.org/index.php/Generating_Keytabs

But I'm kind of stuck getting the actual mount to work on the client side. I'll admit to never using Kerberos with NFS before, and my Samba AD knowledge is also fairly new (but I do have working Samba AD for Windows and Linux client logins, groups, POSIX & Win ACLs). I can't seem to find good information or a howto on implementing NFS Kerberos + Samba AD.

Before I post actual questions and logs, is this configuration even possible?


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba







