Web lists-archives.com

Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...




Good morning Marco and others. 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: dinsdag 23 oktober 2018 18:58
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
> 
> 
> Sorry, i come back to this topic in a different thread, because i'm
> still totally puzzled with the previuous one. Louis, sorry me. ;(
> 
Ahh, no problem at all, i'll do my best to explain better.  ;-) 


> I've tried to start with this, that seems very simple:
> 
> 	https://wiki.debian.org/NFS/Kerberos
Yes, i started there also. But that one isnt working correctly with samba.
Read it, and learn from it, then skip/dont use it. 

I've used also 
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html as base. 
This is an old one but has some good info on how things work. ( more to find on this site also ) 
Just read it and again dont use it. 
same here, some example are shown wrong. 

Then i used : 
https://help.ubuntu.com/community/NFSv4Howto#NFSv4_with_Kerberos 
Yes, its ubuntu, that does not matter, the setup and commands are all the same. 
Same here read it and dont use it. They are not using as we want it to. 


Now the problem, because of all the reading, almost nothing is up2date and almost non result in a working setup.
Due to. OS difference, differences between the kerberos MIT and HEIMDAL setups, but it also involves the packages itself and kernel versions. 
So people say its complex, but its not that complex. 

First you install samba and winbind or only winbind if you dont need smb-shares on that server.
Join the server to the domain as any member, join but dont start samba/winbind yet. ( preffered ) 
Steps todo before you continue. 

Check in the DNS if the NFS server has its A and PTR record.  ( obligated ) 
The join should have handled this. ( at least the A record ) 
NFS Client should work with A only, but i do recommend setting PTR for all the servers. 

The nfs-server needs to be able to delegate the servers with kerberos. (obligated for nfsv4 with kerberos mounts ) 
Start - ADUC, enable advanced features - goto  CN=Computers  
 get the member server's properties, tab Delegation, enable "Trust this computer for delegation to any service (kerberos only) 
 I have set this on both NFS server and NFS client, thats more because of the use of my servers. 

And obligated in smb.conf for this setup. 

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Renew the kerberos ticket
    winbind refresh tickets = yes

    # We strip the domain (NTDOM\username) to username
    # ! Normaly not adviced
    winbind use default domain = yes

And ofcourse a correct idmap setup. 

Now you can start samba/winbind. 

Dont ask me why i do it like this, but this always works for me and if it works, i stick to these steps.

Now you have 2 options to add the nfs spn, and the AD-DC with samba-tool or on the member using net ads. 
I preffer net ads on the member, so there is no need to export it and import it. 
# reminder note 1. this is part of the problem. 

If krb5.conf is still debian default and the setup is correct you should see: Login Adminsitrator@xxxxxxxxx 
The Debian and krb5.conf defaults are sufficient for a correct setup as base. 

I preffer the user Administrator, i do that to avoid acl problems in the AD, to make sure the ACL on the objects are set correct. 
If its not working with an other users, repeat it and check if it does with Administrator, if so, then its a acl problem. 

The base i use atm the nfsv4 mounts. 

SETUP NFS-SERVER:  
apt-get install nfs-kernel-server nfs-common nfs4-acl-tools

- Make you nfs4 root. Some say its not needed, some do, i say use it, it works. 
Debian Stretch as nfs server, other clients are possible. ( i've only tested agains wheezy jessie and stretch )

# NFS-Server -Setup nfs4 root
mkdir -p /srv/nfs4/home
chmod 1777 /srv/nfs4
chmod 1777 /srv/nfs4/home
And yes, you can remove the nfs4 folder also in this example. 

But same here experiance shows /srv ( this is a separated disk in my case ) then NEVER use it directly as /srv.
Always create a subfolder first and work in that one. 
Why, i'll explain this also sometime but not now. Google can tell it also. ;-) 

# NFSv4 Root mount
Test: mount --bind /home /srv/nfs4/users 
Test: umount /home

Enable the mount when the server starts ( i used systemd, fstab can be used also. ) 
If you use systemd, the filename .mount must reflect the path. 
######## example mount-bind systemd service file
#/etc/systemd/system/srv-nfs4-home.mount
[Unit]
Description=NFS export (/srv/nfs4/home)

[Mount]
What=/home
Where=/srv/nfs4/home
Type=none
Options=bind

[Install]
WantedBy=multi-user.target
######## example mount-bind systemd service file

And mount it. 
systemctl enable srv-nfs4-home.mount
systemctl start srv-nfs4-home.mount

My /etc/exports show. 
/srv/nfs4              192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/srv/nfs4/home         192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
And export the settings: exportfs -rav 

Stop all nfs services. 
systemct stop nfs-*

( we are still seting up nfs-server )


> 
> And so i've done:
> 
> a) installed 'nfs-kernel-server' on server,  'nfs-common' on client.
>  Ok, this is easy.
> 
Yes, that is easy...  

> 
> b) AFAI've understood i need to create a 'principal', type 'NFS', for
>  server and client, and store the key in ''local keytab''. Debian wiki
> suggest:
> 	addpriv -randkey NFS/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx
> 	ktadd NFS/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx
> 
> but in 'samba' lingo the same operation can be obtained with (run in
> the client and server, with appropiate data):
> 
> 	net -U gaio ads keytab add 
> NFS/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx -k
> 
> done that, effectively the file /etc/krb5.keytab on server and client
> got created, with something that seems a 'key'.

Ok, here its bit wrong, not your doing, i'll explain. 
Somethings you dont need to add the realm after the commands. 
if someone can show a nice ldapsearch on the spn/upn objects, you can see what i mean from CLI. 

Check the spn/upn in the AD with the RSAT's ADUC, this is why i do.
Start - ADUC, enable advanced features - goto  CN=Computers get the member server's properties. 
Goto the "Attribute Editor", lookup the servicePrincipalName
Check the formats there. 
HOST/
nfs/

Do note, that the CAPS and not cap are as you should use them. 
If you use an other one make sure you have CAP or not-caps correct. 
Now lookin the servicePrincipalName in ADUC, 
Correct : nfs/hostname.domain.tld
Incorrect: nfs/hostname.domain.tld@xxxxxxxxx 
Incorrect: NFS/hostname.domain.tld
Incorrect: NFS/hostname.domain.tld@xxxxxxxxx 
This needed per server where you use with NFSv4. ( or cifs or ...)  ( client and server ) 

If you dont see the SPN/UPN there, add it. ( but without the realm ) 
The realm is added automaticly on the server same way as you do kinit Administrator, through krb5.conf defaults. 

The krb5.conf you should use.
/etc/krb5.conf
[libdefaults]
        default_realm = AD.FVG.LNF.IT

; ignore k5login not being accessable in the user home dir.
        ignore_k5login = true

; for Windows 2008 with AES, needed by CIFS also. ( dont forget the cifs/spn )
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;(and all the defaults from debian are below this remove/keep, what you want.) 

Now your ready to create the nfs spn. (net ads keytab).
# reminder note 2. this is part of the problem. 
You have 2 options. 
Option 1) net ads keytab add nfs/$(hostname -f)      ( << the one i used on server and client ) 
Option 2)net ads keytab add nfs	optional, choose one of these 2 options, this also creates nfs/HOSTNAME for example.
I suggest 1., and backup you keytab and check what the difference is. 

In this case NFS is more flexible, it searches for nfs but also for HOST/.. Spn's, not only nfs/
I get the best results with the nfs/hostname.domain.tld added spn. 

The commands. 
kinit Administrator
net ads keytab add nfs/$(hostname -f)   

Test: kinit nfs/$(hostname -f) -kt /etc/krb5.keytab 
Check with : klist 
That should show : 
Default principal: nfs/hostname.internal.domain.tld@xxxxxxxxx
kdestroy

( getting closely to point of you problem marco, .. )
And this is still mostly the NFS server part. 


> 
> 
> c) i've enabled, as stated by wiki and you, Louis, the IDMAP 
> and GSSD/svcgssd
>  on cliend and server as requested.
> 
Good thats needed also. No comments here. 
Sofar all good. 
> 
> OK, good start. But doing that i got:
> 
> 	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
> 	mount.nfs4: an incorrect mount option was specified
Ah, yes, ive seen that also, yes very annoying. You missed part, and thats not your fault. 

This is what is happening.
What i notice, that after adding the nfs/spn with net ads keytab.
The nfs/spn was NOT added to the computer object in the AD. ( see above howto check that ) 
And for NFSv4 kerberised mountes the nfs/spn MUST be available in the network and not only local. 
# reminder note 3. this is part of the problem. 

And this is due to net ads keytab and not using samba-tool. 
I will change that to samba-tool when i write the new howto.  
(but must say, i havent tested this with samba-tool yet on 4.8 and up.)
Or is someone is going to test all this, if you find improvements, point them out please. 
My goal here, is a better way of adding the member server and the spn so it get automaticly in the local keytab also. 

Here i manualy corrected the nfs/hostname, just be adding it in the AD with ADUC.
I only added : nfs/hostname.internal.domain.tld   ( check server and clients!  )

Now the last part. 
The idmap.conf file, you need this on NFS server and NFS client. 
This is the current one im working with, and im trying to remove the not default parts. 
But this is the current works setup. 
#/etc/idmap.conf 
[General]

# increase  you logging so you can see what is happening. 
Verbosity = 5
# some default settting.
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
# Set these both you need them
Domain = ad.fvg.lnf.it
Local-Realm = AD.FVG.LNF.IT

# some default setting. 
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

# this is getting interested. For NFS. 
[Translation]
Method = nsswitch,static
GSS-Methods = nsswitch,static

[Static]
HOSTNAME2Change$@AD.FVG.LNF.IT = root

# file ends here. 

What i did here was, i made sure that the COMPUTER$ is allowed to run as root. 
And thats needed for the kerberized automounts when a user is logging in, at least looks like it. 
But for that i need to test more and im running out of time. 
This part might need some improvement, but this works for now. 


Based on what i told above, and if you setup as shown above, it should be on the client:
mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/users /home
And hureay it works ;-) and if not, mail me again.  :-( 

Last, if you see in you logs. 
lkmapd[304]: open pipe file /run/rpc_pipefs/nfs/blocklayout failed: No such file or directory
You can ignore this, its known, just wait for the bug fix, its a regresson bug in nfs.

And in reply to the new mail.

You nfs stalled, then it gets mask to prevent other errors. 

systemctl unmask nfs-common
systemctl enable nfs-common

If you keep hitting problems with the nfs server/client 
apt-get remove --auto-remove --purge nfs-common nfs-kernel-server 
Clear your nfs part in  keytab 
Start again based on above. 

Questions, you know to find me. 


Greetz, 

Louis


> 
> 
> After restarting the client, now i got:
> 
> 	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
> 	mount.nfs4: access denied by server while mounting vdmpp1:/home
> 
> and in log:
> 
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.414391] FS-Cache: Loaded
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.453067] FS-Cache: 
> Netfs 'nfs' registered for caching
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.457587] Key type 
> dns_resolver registered
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.472990] NFS: 
> Registering the id_resolver key type
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.472994] Key type 
> id_resolver registered
>  Oct 23 18:50:47 vdmpp2 kernel: [   49.472995] Key type 
> id_legacy registered
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.pp.lnf.it
>  Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.pp.lnf.it
> 
> Seems i've to fix a bit my backresolving, so i've put and entr in
> /etc/hosts, to test, and:
> 
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry 
> found in keytab /etc/krb5.keytab for connection with host 
> vdmpp1.ad.fvg.lnf.it
>  Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials 
> found for connection to server vdmpp1.ad.fvg.lnf.it
> 
> Why?! Thanks.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba