On 28/01/12 17:12, Gémes Géza wrote:
On 2012-01-28 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
On 2012-01-28 10:40, steve wrote:
Hi everyone
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1
Conventional nfs4 export works fine, but I'm having trouble
kerberizing it for Samba 4 for my Samba 4 users.
I've setup the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home
Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"
I have used samba-tool to make an nfs service principal and it
responds:
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:35191 for
nfs/[email protected] [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime:
2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till:
2012-01-29T09:31:37
when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4
(rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
Authenticated Samba 4 users get 'Permission denied' when trying to cd to
/mnt. Only root can enter. The permissions using ls -la are:
d????????? ? ? ? ? ? mnt
You can see that /home has indeed been mounted but with strange
permissions.
Has anyone tried nfs with Samba 4 Kerberos?
Why the permissions?
What am I missing?
Cheers,
Steve
root can enter, because (you don't have no_root_squash) it is mapped to
the nobody user and thus has the basic rights
I would check if the user account you are trying to read/write/list/etc
the /mnt dir has got the nfs tickets, with a klist
Regards
Geza
Hi Geza, hi everyone
A bit of progress:
Yes, the /mnt dir got the nfs ticket when I issued the mount command.
Also, authenticated Samba 4 users can enter /mnt but only if they do a
kinit first. IOW they have to authenticate twice. Once in his home
folder (now under /mnt) he only has read access to his files.
klist looks OK:
Ticket cache: FILE:/tmp/krb5cc_3000020
Default principal: [email protected]
Valid starting Expires Service principal
01/28/12 11:57:35 01/28/12 21:57:35 krbtgt/[email protected]
renew until 01/29/12 11:57:29
01/28/12 11:57:40 01/28/12 21:57:35 nfs/[email protected]
renew until 01/29/12 11:57:29
I think I'd need root_squash to prevent root no? But no worries. Just
trying to get nfs write access for a user.
The Kerberos seems to be working in that a local user gets 'Permission
denied' when trying to cd to /mnt and gets this when ls'ing:
d????????? ? ? ? ? ? mnt
A doubly authenticated Samba 4 user gets:
drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
but no write access to his nfs mounted home folder.
Why is the double authentication needed?
How can we get rw access to the share?
Thanks,
Steve
Hi,
It seems that your authentication scheme (pam) doesn't involve kerberos.
You can check after login with klist if you have any tickets.
If not you would probably need to setup pam in order to use kerberos for
authentication (from my memories it was pretty easy using yast)
Regards
Geza
Thanks for that.
I've got the pam stuff going now.
Next thing is the write access. OK by conventional nfs4 but not with
kerberized mounts. The latter mount read only.
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
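An added example, not from the thread or from Samba: a small auditor for /etc/exports that resolves, per export entry, the effective security flavour (the deprecated "gss/krb5" client form used above, or a sec= option), whether root is squashed (the exports(5) default, which is why Geza notes root lands as nobody), and which options a reviewer would question. EXPORTS_SAMPLE is constructed from the two lines in the thread plus one conventional export; the risk wording is this example's own assessment.

```python
import re

# Constructed sample: Steve's two kerberized exports plus a conventional one.
EXPORTS_SAMPLE = """\
# constructed /etc/exports sample
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/srv/data 192.168.1.0/24(rw,sync,no_root_squash)
"""

# Options worth a second look, with the reason (our assessment, not exports(5) text).
RISKY = {
    "insecure": "accepts requests from non-privileged source ports",
    "no_root_squash": "remote root keeps uid 0 on the export",
    "async": "replies before data reaches disk; silent loss on server crash",
}

# One client spec: "client" or "client(opt,opt,...)"
CLIENT_RE = re.compile(r"([^(]+)(?:\((.*)\))?")

def parse_exports(text):
    """Return one dict per (path, client) pair with its effective settings."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments / blanks
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for token in (rest[0].split() if rest else []):
            client, opts = CLIENT_RE.fullmatch(token).groups()
            options = [o for o in (opts or "").split(",") if o]
            sec = "sys"                               # exports(5) default flavour
            if client.startswith("gss/"):             # deprecated client syntax
                sec = client[len("gss/"):]
            for o in options:                         # sec= option wins if present
                if o.startswith("sec="):
                    sec = o[len("sec="):]
            entries.append({
                "path": path,
                "client": client,
                "sec": sec,
                "root_squash": "no_root_squash" not in options,   # default: squashed
                "writable": "rw" in options,
                "risks": {o: RISKY[o] for o in options if o in RISKY},
            })
    return entries

if __name__ == "__main__":
    for e in parse_exports(EXPORTS_SAMPLE):
        print(e["path"], e["client"], "sec=" + e["sec"],
              "root_squash=%s" % e["root_squash"], sorted(e["risks"]))
```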