Re: [Samba] NFSv4, homes, Kerberos...

Hi Marco,

You will hit multiple problems, most can be solved.
I'm installing a new member here with samba 4.8.5 and building a new samba 4.8.6 atm. ;-).
I'm (trying to) fix this also again in this new setup.

Below is a bit of what I know.

> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
> security by IP.
If they register (or are registered) in the DNS correctly then this is no problem.

Currently I'm using NFSv4 with sys and not Kerberos; there is some bug, today I'll see if that's fixed.

For the CIFS question: add this part to the libdefaults of krb5.conf.
 
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

The "why" is: CIFS with Kerberos might use the wrong enctypes, so define them and you're set.
CIFS uses this, so it's really advised to set it everywhere and keep the enctypes the same.


## NFS SERVER ## 
For the NFSv4 server with Kerberos homes: that stopped working somewhere in jessie.
You can set the NFS server to support all settings so you can test when needed.
In /etc/exports:

/exports         192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users   192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

With the following in systemd:
cat /etc/systemd/system/exports-users.mount
[Unit]
Description=NFS export (/exports/users)
Wants=network-online.target

[Mount]
What=/home/samba/users
Where=/exports/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

And adjust the above to your needs.
Using NFSv4 with Kerberos also gives a problem: Kerberos wants to read a file in the user's home.
But depending on your settings you might have blocked that.

## For the CLIENT NFS ##
You can set: ignore_k5login = true in krb5.conf [libdefaults] to overcome that.

And my current mount and automount in systemd:
systemctl cat home-users.automount
# /etc/systemd/system/home-users.automount
[Unit]
Description=Automount Home-Users

[Automount]
Where=/home/users

[Install]
WantedBy=multi-user.target


systemctl cat home-users.mount
# /etc/systemd/system/home-users.mount
[Unit]
Description=User Homes

[Mount]
What=hostname.internal.domain.tld:/users
Where=/home/users
Type=nfs4
Options=sec=sys
#Options=sec=krb5i

TimeoutSec=150

[Install]
WantedBy=multi-user.target


And enable it:
systemctl enable home-users.mount
systemctl enable home-users.automount
systemctl start home-users.automount


The key here is:
home-users.mount
home-users.automount

The part "home-users" MUST reflect the real path.
This should give you something to start with.

Do note:
every client and server needs cifs/SPN and nfs/SPN, so don't forget to check that.

More questions, just ask.


Greetz, 

Louis
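An added example, not part of Louis's mail or of Samba: a small Python checker for the two "keep it consistent" rules above. It parses the [libdefaults] enctype keys from a constructed krb5.conf fragment, reports when the three lists differ or a key is missing, flags the single-DES and RC4 enctypes that the lines above also enable (both are deprecated in MIT Kerberos and let a peer negotiate down to them), and derives the unit name systemd requires for a mount path, following the systemd-escape --path rules. Function names and the sample config are my own.

```python
import re
# Constructed krb5.conf fragment that reuses the enctype lines suggested in the mail.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Single DES and RC4 are deprecated in MIT Kerberos; listing them lets a peer negotiate down to them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section as a dict."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def check_enctypes(libdefaults):
    """Findings for the three enctype keys: missing key, lists that differ, weak enctypes enabled."""
    lists = {k: libdefaults.get(k, "").split() for k in ENCTYPE_KEYS}
    findings = ["missing " + k for k, v in lists.items() if not v]
    if len({tuple(v) for v in lists.values() if v}) > 1:
        findings.append("enctype lists differ; keep all three the same")
    weak = sorted({e for v in lists.values() for e in v if e in WEAK_ENCTYPES})
    if weak:
        findings.append("weak enctypes enabled: " + " ".join(weak))
    return findings


def systemd_mount_unit(path):
    """Unit name systemd expects for a mount path (systemd-escape --path rules): /home/users -> home-users.mount."""
    p = path.strip("/") or "/"  # the root path alone escapes to "-"
    out = []
    for i, ch in enumerate(p):
        if ch == "/":
            out.append("-")
        elif (ch.isascii() and ch.isalnum()) or ch in ":_" or (ch == "." and i > 0):
            out.append(ch)  # characters systemd keeps literally
        else:
            out.extend("\\x%02x" % b for b in ch.encode())  # everything else becomes \xNN
    return "".join(out) + ".mount"
```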


> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 9 October 2018 11:00
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] NFSv4, homes, Kerberos...
> 
> 
> I used to integrate some Linux clients in my Samba network, mounting
> homes with 'unix extensions = yes', and it works as expected, at least
> with some old Lubuntu derivatives. Client side I use 'pam_mount'.
> 
> Now I'm working on a Ubuntu MATE derivative, and I've not found a way
> to start the session properly in CIFS.
> If I create a plain local home (pam_mkhome), the session starts as
> expected.
> 
> Clients are on DHCP, so it is hard to use a 'normal' NFSv3 mount, e.g.
> security by IP.
> 
> 
> I've looked around at NFSv4/Kerberos setups, but I've not found a
> tutorial, or some documentation, that seems clear (at least to me).
> 
> Also, for NFSv3 I use autofs. Better to use pam_mount instead?
> 
> 
> Briefly, can someone point me to some good documentation? Thanks.
> 
> -- 
> dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
>   Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba