Web lists-archives.com

Re: [Samba] NFSv4, homes, Kerberos...




Hi,

just a hint. In our case it was impossible to use the rpc.svcgssd service for kerberized nfs4, due to a bug (our server OS: Debian 9). We got some kind of kernel panic on the server, when a client mounted an kerberized nfs4 export. So we are using the "gssproxy" package right now.

see https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654

--
Regards,
Andreas Hauffe

Am 09.10.18 um 17:26 schrieb L.P.H. van Belle via samba:
Hai,

I'm getting somewhere, here you go, a snap of what i have atm.
And what works atm. Im asuming you have winbind already running.

Obligated is A+PTR record in the DNS.
You can turn or the rdns check in krb5.conf but i did not test that.

# Tested on Debian Stretch - NFSv4 SERVER
apt-get install --auto-remove nfs-kernel-server
systemctl stop nfs-*

Added in krb5.conf below the default_realm setting.
; ignore k5login not being accessable in the user home dir.
         ignore_k5login = true

; for Windows 2008 with AES, needed by CIFS also. ( dont forget the cifs/spn )
         default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
         default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
         permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

# Server settings for NFSv4
sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common

Idmap.conf
Add in [general]
Domain = internal.domain.tld
Local-Realm = YOUR.REALM

kinit Administrator
net ads keytab add nfs/hostname1.internal.domain.tld@YOUR.REALM -k

# The NFS server.  /etc/exports cointains now.
/srv            192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/backups    192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)


# For the Clients.
apt-get install nfs-common

kinit Administrator
# Todo on the NFSv4 client
net ads keytab add nfs/hostname2.internal.domain.tld@REALM -k

sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common

Test :
mount -t nfs4 -o sec=sys,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5i,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v
mount -t nfs4 -o sec=krb5p,vers=4.1 hostname1.internal.domain.tld:/backups /mnt -v

For tomorrow, in looking to add nfs4acl_xattr in the share.
  man vfs_nfs4acl_xattr

For now.. Im heading home...


Greetz,

Louis


-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Marco Gaiarin via samba
Verzonden: dinsdag 9 oktober 2018 11:00
Aan: samba@xxxxxxxxxxxxxxx
Onderwerp: [Samba] NFSv4, homes, Kerberos...


I was used to integrate some linux client in my samba network mounting
homes with 'unix extensions = yes', and works as expected, at least
with some old lubuntu derivatives. Client side i use 'pam_mount'.

Now i'm working on a ubuntu mate derivative, and i've not found a way
to start the session properly in CIFS.
If i create a plain local home (pam_mkhome), session start as
expected.

Client are in DHCP, so it is hard to use 'normal' NFSv3 mount, eg
security by IP.


I've looked around at NFSv4/Kerberos setup, but i've not found a
tutorial, or some documentation, that seems clear (at least to me).

Also, for NFSv3 i use autofs. Better o use pam_mount instead?


Breafly, someone can point me to some good documentation? Thanks.

--
dott. Marco Gaiarin				        GNUPG
Key ID: 240A3D66
   Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al
Tagliamento (PN)
   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711
f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba