On 28/01/12 11:03, Gémes Géza wrote:
On 2012-01-28 10:40, steve wrote:
Hi everyone
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1
Conventional nfs4 export works fine, but I'm having trouble
kerberizing it for Samba 4 for my Samba 4 users.
I've set up the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home
Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"
I have used samba-tool to make an nfs service principal and it responds:
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:35191 for
nfs/[email protected] [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime:
2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till:
2012-01-29T09:31:37
when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4
(rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
Authenticated Samba 4 users get 'Permission denied' when trying to cd to
/mnt. Only root can enter. The permissions using ls -la are:
d????????? ? ? ? ? ? mnt
You can see that /home has indeed been mounted but with strange
permissions.
Has anyone tried nfs with Samba 4 Kerberos?
Why the permissions?
What am I missing?
Cheers,
Steve
root can enter, because (you don't have no_root_squash) it is mapped to
the nobody user and thus has the basic rights
I would check if the user account you are trying to read/write/list/etc
the /mnt dir has got the nfs tickets, with a klist
Regards
Geza
Hi Geza, hi everyone
A bit of progress:
Yes, the /mnt dir got the nfs ticket when I issued the mount command.
Also, authenticated Samba 4 users can enter /mnt but only if they do a
kinit first. IOW they have to authenticate twice. Once in his home
folder (now under /mnt) he only has read access to his files.
klist looks OK:
Ticket cache: FILE:/tmp/krb5cc_3000020
Default principal: [email protected]
Valid starting Expires Service principal
01/28/12 11:57:35 01/28/12 21:57:35 krbtgt/[email protected]
renew until 01/29/12 11:57:29
01/28/12 11:57:40 01/28/12 21:57:35 nfs/[email protected]
renew until 01/29/12 11:57:29
I think I'd need root_squash to prevent root, no? But no worries. Just
trying to get nfs write access for a user.
The Kerberos seems to be working in that a local user gets 'Permission
denied' when trying to cd to /mnt and gets this when ls'ing:
d????????? ? ? ? ? ? mnt
A doubly authenticated Samba 4 user gets:
drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
but no write access to his nfs mounted home folder.
Why is the double authentication needed?
How can we get rw access to the share?
Thanks,
Steve
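
The klist check discussed in this thread, as an added example that is not part of the original messages: it parses klist output in the layout shown above and reports whether the cache holds a krbtgt and a currently valid nfs/ service ticket for the server. The realm EXAMPLE.COM, the host name hh3.example.com, the principal "user" and the function names are assumptions made for the sample.

```python
import re
from datetime import datetime

# One ticket row of klist output: start time, expiry time, service principal.
ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
FMT = "%m/%d/%y %H:%M:%S"

# Constructed sample in the layout shown in the thread; the realm, the user
# and the fully qualified host name are placeholders, not values from the post.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_3000020
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/29/12 11:57:29
01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.example.com@EXAMPLE.COM
        renew until 01/29/12 11:57:29
"""

def parse_klist(text):
    """Return a list of (start, expires, principal) tuples from klist output."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and "renew until" lines do not match and are skipped
            tickets.append((datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT),
                            m.group(3)))
    return tickets

def nfs_ticket_status(text, server, now):
    """Classify the cache: 'ok', 'expired', 'no-nfs-ticket' or 'no-tgt'."""
    tickets = parse_klist(text)
    if not any(p.startswith("krbtgt/") for _, _, p in tickets):
        return "no-tgt"
    # Compare the principal without its @REALM suffix against nfs/<server>.
    nfs = [(s, e) for s, e, p in tickets if p.split("@")[0] == "nfs/" + server]
    if not nfs:
        return "no-nfs-ticket"
    return "ok" if any(s <= now < e for s, e in nfs) else "expired"

if __name__ == "__main__":
    print(nfs_ticket_status(SAMPLE, "hh3.example.com", datetime(2012, 1, 28, 12, 0)))
```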