Re: [Samba] nfs4 with Samba 4
On 27/01/13 11:27, kfarrag_992 wrote:

Hi

We were using cifs/smb2 for the Windows clients and nfs for our Linux clients. The method is here:
http://linuxcostablanca.blogspot.com.es/p/samba-4.html

Specifically to answer the nfs question, we made a user for nfs:

samba-tool user add nfs-user

then created the machine principal for the fileserver:

samba-tool spn add nfs/your.domain nfs-user

then stick it in the keytab:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/your.domain

gss seems to expect some sort of machine principal in the keytab too, so:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=YOURSERVERHOSTNAME$

Don't forget to create the keytab on the clients too. You can do that after you join the domain:

net ads join -UAdministrator

then

net ads keytab create

You don't necessarily need a nfs principal on the clients :)

HTH,
Steve
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
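An added check for the keytab step described above (example code, not from the post or from Samba): it parses an MIT-format keytab and confirms that both the nfs/<fqdn> service principal and the HOSTNAME$ machine principal that rpc.gssd looks for are present. The keytab bytes are constructed inline with a small encoder so the check runs offline; hh3.hh3.site and HH3.SITE are the names used elsewhere in this thread.

```python
import struct
import time

# MIT keytab format, version 0x0502: big-endian, each entry prefixed by an
# int32 length. Only the fields needed to list principals are decoded here.

def _counted(data):
    """Encode a counted octet string (uint16 length + bytes)."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Build a constructed keytab for the demo.
    entries = [(principal, kvno, enctype, key_bytes), ...]"""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno present: it overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def check_nfs_keytab(blob, fqdn, netbios_name, realm):
    """Report whether both principals the post exports are in the keytab."""
    present = {p for p, _, _ in parse_keytab(blob)}
    wanted = {
        "nfs service": "nfs/%s@%s" % (fqdn, realm),
        "machine account": "%s$@%s" % (netbios_name, realm),
    }
    return {label: princ in present for label, princ in wanted.items()}

if __name__ == "__main__":
    # Constructed sample: both principals present, keys are dummies.
    demo = build_keytab([("nfs/hh3.hh3.site@HH3.SITE", 2, 18, b"\x00" * 32),
                         ("HH3$@HH3.SITE", 3, 23, b"\x11" * 16)])
    print(check_nfs_keytab(demo, "hh3.hh3.site", "HH3", "HH3.SITE"))
```

To check a real file, read /etc/krb5.keytab as bytes and pass it to check_nfs_keytab with your own fqdn, NetBIOS name and realm.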
Re: [Samba] nfs4 with Samba 4
OK my problem is:
- I installed Samba4
- I created a Domain
- created users
- Windows workstations joined the Domain
- DNS is Bind9

Everything is going OK for Windows users. I am a Windows administrator who started to convert to Linux lately, so please explain step by step, with examples: for example, how did you create the principal for nfs, which is a service not a user, using the samba-tool command? I couldn't understand what exactly that means: did you add it as a machine or as a service, and is there a difference? If you can reply with the needed steps to install an NFS server and configure it to authenticate using Kerberos authentication from Samba4 I would be thankful.
--
View this message in context: http://samba.2283325.n4.nabble.com/nfs4-with-Samba-4-tp4335728p4643339.html
Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] nfs4 with Samba 4 [solved]
On 01/31/2012 05:13 PM, steve wrote:

/etc/idmapd.conf must contain

Domain=your.domain

NOT the fqdn, the short hostname nor the domain you specified when provisioning Samba. Duh!

Cheers,
Steve
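An added checker for the two files this thread turned on (example code, not from the thread or from nfs-utils): it reads the Domain= value from idmapd.conf and classifies the wrong choices the message above lists, and parses /etc/exports to report which exports are Kerberos-only and which carry options worth a second look. The sample configs are constructed from the thread's values; treating CACTUS as the provisioning domain name and comparing domains case-insensitively are assumptions.

```python
import configparser
import re

def idmapd_domain(text):
    """Return the [General] Domain value from idmapd.conf text, or None."""
    cp = configparser.ConfigParser()
    cp.optionxform = str              # keep key case as idmapd writes it
    cp.read_string(text)
    return cp.get("General", "Domain", fallback=None)

def dns_domain_of(fqdn):
    """hh3.hh3.site -> hh3.site (the value idmapd needs)."""
    return fqdn.split(".", 1)[1] if "." in fqdn else fqdn

def check_idmapd_domain(text, server_fqdn, provisioning_domain, realm):
    """Classify the Domain= setting against the mistakes named in the thread.
    Comparison is case-insensitive (assumption)."""
    domain = idmapd_domain(text)
    if domain is None:
        return "missing"
    d = domain.lower()
    if d == dns_domain_of(server_fqdn).lower():
        return "ok"
    if d == server_fqdn.lower():
        return "fqdn"
    if d == server_fqdn.split(".")[0].lower():
        return "short hostname"
    if d in (provisioning_domain.lower(), realm.lower()):
        return "provisioning domain"
    return "mismatch"

# path, client spec, "(options)"; e.g. "/export gss/krb5(rw,fsid=0)"
EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)$")

def parse_exports(text):
    """Return [(path, client, [option, ...]), ...] from /etc/exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            raise ValueError("unparsable exports line: %r" % raw)
        opts = [o.strip() for o in m.group(3).split(",") if o.strip()]
        entries.append((m.group(1), m.group(2), opts))
    return entries

# Options that weaken an export; all three appear in the thread's configs.
RISKY = {
    "insecure": "accepts requests from non-privileged source ports",
    "async": "acknowledges writes before they reach stable storage",
    "no_root_squash": "remote root keeps root privileges on the export",
}

def audit_exports(text):
    """Per export: which security flavours are allowed and which risky options are set."""
    report = []
    for path, client, opts in parse_exports(text):
        sec = [o[4:] for o in opts if o.startswith("sec=")]
        flavors = sec[0].split(":") if sec else []
        if client.startswith("gss/"):   # legacy client-spec form, same meaning as sec=
            flavors = [client[4:]]
            client = "*"
        kerberos_only = bool(flavors) and all(f.startswith("krb5") for f in flavors)
        report.append({
            "path": path, "client": client,
            "flavors": flavors or ["sys"],   # no sec= means AUTH_SYS only
            "kerberos_only": kerberos_only,
            "risky": {o: RISKY[o] for o in opts if o in RISKY},
        })
    return report
```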
Re: [Samba] nfs4 with Samba 4
On 01/29/2012 10:20 AM, steve wrote:

It _must_ be a bug in openSUSE. I worked through the nfs4 stuff with Ubuntu 11.10 and it worked fine. Kerberized mounts, the lot. It looks like this:
http://linuxcostablanca.blogspot.com/2012/01/important-samba-4-update.html

Cheers,
Steve
Re: [Samba] nfs4 with Samba 4
On 29/01/12 08:17, steve wrote:

Let's see if openSUSE can help. Must be worth a try.
https://bugzilla.novell.com/show_bug.cgi?id=743976

Cheers,
Steve
[Samba] nfs4 with Samba 4
Hi everyone

Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1

Conventional nfs4 export works fine, but I'm having trouble kerberizing it for my Samba 4 users. I've set up the nfs4 pseudo stuff like this:

hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home

Here is /etc/exports:

/export        gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home   gss/krb5(rw,nohide,insecure,no_subtree_check,async)

/etc/sysconfig/nfs has:

NFS_SECURITY_GSS=yes

I have used samba-tool to make an nfs service principal and it responds:

Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37

when I:

mount -t nfs4 hh3:/home /mnt -o sec=krb5

It mounts OK and mount shows:

hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)

Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:

d? ? ???? mnt

You can see that /home has indeed been mounted but with strange permissions.

Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?

Cheers,
Steve
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 10:40, steve wrote:

root can enter because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights.

I would check if the user account you are trying to read/write/list/etc the /mnt dir with has got the nfs tickets, with a klist.

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 28/01/12 11:03, Gémes Géza wrote:

Hi Geza, hi everyone

A bit of progress: yes, the /mnt dir got the nfs ticket when I issued the mount command. Also, authenticated Samba 4 users can enter /mnt but only if they do a kinit first. IOW they have to authenticate twice.

Once in his home folder (now under /mnt) he only has read access to his files. klist looks OK:

Ticket cache: FILE:/tmp/krb5cc_320
Default principal: ste...@hh3.site
Valid starting     Expires            Service principal
01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/hh3.s...@hh3.site
        renew until 01/29/12 11:57:29
01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.hh3.s...@hh3.site
        renew until 01/29/12 11:57:29

I think I'd need root_squash to prevent root, no? But no worries. Just trying to get nfs write access for a user.

The Kerberos seems to be working in that a local user gets 'Permission denied' when trying to cd to /mnt and gets this when ls'ing:

d? ? ???? mnt

A doubly authenticated Samba 4 user gets:

drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt

but no write access to his nfs mounted home folder.

Why is the double authentication needed? How can we get rw access to the share?

Thanks,
Steve
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 12:21, steve wrote:

Hi,

It seems that your authentication scheme (pam) doesn't involve kerberos. You can check after login with klist if you have any tickets. If not you would probably need to set up pam in order to use kerberos for authentication (from my memories it was pretty easy using yast).

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:

Summary:

1. kerberized /etc/exports

/export        gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home   gss/krb5(rw,nohide,insecure,no_subtree_check,async)

then:

mount -t nfs4 hh3:/home /mnt -o sec=krb5

no write access

2. conventional /etc/exports

/export        *(rw,fsid=0,insecure,no_subtree_check,async)
/export/home   *(rw,nohide,insecure,no_subtree_check,async)

then:

mount -t nfs4 hh3:/home /mnt

write access OK

3. kerberized variation on /etc/exports

/export        *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
/export/home   *(rw,insecure,no_subtree_check,async,sec=krb5)

then:

mount -t nfs4 hh3:/home /mnt -o sec=krb5

no write access

I have tried all combos of crossmnt and nohide. idmapd seems to be mapping correctly and id user gives what getent gives.

Any ideas? Why does the kerberized mount not allow rw access?

Steve

Geza, do you think it's worth sticking this on samba technical?
Re: [Samba] nfs4 with Samba 4
On 28/01/12 17:12, Gémes Géza wrote:

Thanks for that. I've got the pam stuff going now. Next thing is the write access. OK by conventional nfs4 but not with kerberized mounts. The latter mount read only.

Steve
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 18:41, steve wrote:

To me it seems an nfs4 related problem, so no, samba-technical is not the right place to ask.

In the meantime please tell us a little more about your environment:
- pam config
- idmapd config
- klist (of user) right after login, before trying to do anything on nfs and after (e.g. an ls)

I'm not an nfs4 expert myself, but before migration (a few years ago) to openafs I've had a working nfs4 gss/krb5 setup (it just kernel panic-ed every other day, until I got fed up and migrated away from it); maybe I can remember.

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 28/01/12 20:29, Gémes Géza wrote:

Hi again

The share mounts rw conventionally but only ro when exported gss/krb5. Here is the output and some files:

/etc/pam.d/common-auth (the other pam files are OK and pam is working)

auth    required     pam_env.so
auth    optional     pam_gnome_keyring.so
auth    sufficient   pam_unix2.so
auth    sufficient   pam_krb5.so use_first_pass
auth    required     pam_deny.so

/etc/idmapd.conf

[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=CACTUS

[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

idmapd seems to be working fine. Mappings are perfect client/server.

Here is some output, which looks OK except for the mount being read only.

# mount -t nfs4 hh3:/home /mnt -o sec=krb5

produces a lot of activity in Samba 4 including:

Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime: 2012-01-28T21:16:16 endtime: 2012-01-29T07:16:16 renew till: 2012-01-29T21:16:16

and a ticket cache appears called krb5cc_machine_HH3.SITE, and klist krb5cc_machine_HH3.SITE:

Ticket cache: FILE:krb5cc_machine_HH3.SITE
Default principal: HH3$@HH3.SITE
Valid starting     Expires            Service principal
01/28/12 18:57:25  01/29/12 04:57:25  krbtgt/hh3.s...@hh3.site
        renew until 01/29/12 18:57:25
01/28/12 18:57:25  01/29/12 04:57:25  nfs/hh3.hh3.s...@hh3.site
        renew until 01/29/12 18:57:25

I got some rpc stuff during the mount:

# rpc.gssd -vvvf
beginning poll
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
process_krb5_upcall: service is 'null'
Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
Success getting keytab entry for 'HH3$@HH3.SITE'
Successfully obtained machine credentials for principal 'HH3$@HH3.SITE' stored in ccache 'FILE:/tmp/krb5cc_machine_HH3.SITE'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_HH3.SITE' are good until 1327817776
using FILE:/tmp/krb5cc_machine_HH3.SITE as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_HH3.SITE
creating context using fsuid 0 (save_uid 0)
creating tcp client for server hh3.hh3.site
DEBUG: port already set to 2049
creating context with server n...@hh3.hh3.site
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14

user steve5 logs in:

# su steve5
(passwd etc...)

Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.3:50182 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data --
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 21:44, steve wrote:
Re: [Samba] nfs4 with Samba 4
On 29/01/12 07:32, Gémes Géza wrote:
> On 2012-01-28 21:44, steve wrote:
>> As the nfs4 is writeable without the krb5, that's why I thought it may be related to the S4 Kerberos.
>> Thanks for your patience,
>> Steve
>
> Unfortunately I can't be of real help here (I don't remember anything similar from when I was using nfs4 with krb5) and it seems to be very nfs4 specific; the kerberos (samba4) part has done its job (obtaining machine ticket at mount time, and user ticket when you cd-ed into the mount). What goes on from then is nfs4's own business :-( . I would suggest to ask for help at (I don't know if there is one :-( ) a nfs4 mailing list/forum. Good Luck!
>
> Regards
> Geza

Hi

Thanks for the confirmation. There is a nfs list: linux-...@vger.kernel.org

It's a high tension version of samba-technical, and there is a three headed dog guarding its entrance, but I've been courageous enough to subscribe and post there. Maybe they'll suggest I use cifs!

Cheers,
Steve