
Samba server with NFSV4/kerberos


Samba server with NFSV4/kerberos

Rainer Krienke
Hello,

I am searching for a solution that I thought should be kind of standard,
but until now I was not successful finding anything. Here is the problem:

At our site we offer Windows and Linux; most servers (e.g. file, Samba,
web) are Linux based. User data is stored on NFS file servers. Windows
systems are part of a Windows domain with an ADS domain controller. At
the moment the Linux Samba server is joined to the ADS domain
(ADSREALM.UNI-KOBLENZ.DE) and uses a "security=ADS" configuration.
Works great with NFSv3.

Now I would like to set up a Samba server that uses NFSv4/Kerberos to
access user data instead of NFSv3. NFSv4 with sec=krb5 is running fine
using a MIT Kerberos server for the realm (LINUXREALM.UNI-KOBLENZ.DE)
running on Linux. So when I am root, e.g. on the Samba server, I can access
the NFSv4-mounted user directories without any problem.

Now here is the problem: When Samba tries to access a directory of a
Windows user, say "john" (john's home is NFSv4-mounted on the Samba
server), the Samba process does this as the user "john", not root, and gets
a permission denied, since for user "john" there is no Kerberos TGT
allowing him to access the kerberized service NFS. This happens because
a Windows user authenticates against the Windows ADS server when he logs
in at Windows, and my MIT Kerberos server does not know anything about this.

Does anyone have a similar setup and a solution for the problem
described that's working?

Thanks
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba server with NFSV4/kerberos

Luc Lalonde
Guten Tag Rainer,

We use our Samba4/Win2k8 AD domain to authenticate all our Linux/Windows/OSX workstations.

The home directories are mounted using CIFS in the Windows and OSX clients and NFS4 (krb5) in our Linux labs.

Here’s our documentation (French):

https://techwiki.gi.polymtl.ca/NFSv4_Kerberos

If Google translate gives you something unintelligible, I’ll be glad to clarify the translation to english…

Hope this helps!

--
Luc Lalonde, analyst
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
[hidden email]
-----------------------------

> On Mar 24, 2015, at 6:18 AM, Rainer Krienke <[hidden email]> wrote:
>
> Hello,
>
> I am searching for a solution that I thought should be kind of standard,
> but until now I was not successful finding anything. Here is the problem:
>
> At our site we offer windows and linux, most servers (eg file, samba,
> web) are linux based. User data is stored on NFS file servers. Windows
> systems are part of a Windows domain with an ADS domain controller. At
> the moment the linux samba server is joined to the ADS domain
> (ADSREALM.UNI-KOBLENZ.DE) and uses a "security=ADS" configuration.
> Works great with NFSV3.
>
> Now I would like to set up a samba server that uses NFS V4/kerberos to
> access user data instead of NFS3. NFSV4 with sec=krb5 is running fine
> using a MIT kerberos server for the realm (LINUXREALM.UNI-KOBLENZ.DE)
> running on linux. So when I am root eg on the samba server I can access
> the NFS4 mounted user directories without any problem.
>
> Now here is the problem: When samba tries to access a directory of a
> windows user say "john"  (john's home is NFS4 mounted on the samba
> server) the samba process does this as the user "john" not root and gets
> a permission denied, since for user "john" there is no kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a windows user authenticates against the windows ADS server when he logs
> in at windows and my MIT kerberos server does not know anything about this.
>
> Does anyone have a similar setup and a solution for the problem
> described that's working?
>
> Thanks
> Rainer


Re: Samba server with NFSV4/kerberos

Rainer Krienke
Hello Luc,

thanks for your answer. If I understand you correctly then you are using
Samba4 as Windows domain controller and you do not have another Windows
DC? So after all you have exactly one Kerberos server that is part of
the Samba4 server?

Thanks
Rainer

On 24.03.2015 at 12:41, Luc Lalonde wrote:

> Guten Tag Rainer,
>
> We use our Samba4/Win2k8 AD domain to authenticate all our
> Linux/Windows/OSX workstations.
>
> The home directories are mounted using CIFS in the Windows and OSX
> clients and NFS4 (krb5) in our Linux labs.
>
> Here’s our documentation (French):
>
> https://techwiki.gi.polymtl.ca/NFSv4_Kerberos
>
> If Google translate gives you something unintelligible, I’ll be glad to
> clarify the translation to english…
>
> Hope this helps!
>
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312



Re: Samba server with NFSV4/kerberos

Luc Lalonde
Hello Rainer,

No, I have three DCs: two Win2k8 and one Samba4.

I use the Samba4 to inject NTLM passwords into our Active Directory infrastructure.

Bye.


> On Mar 24, 2015, at 8:01 AM, Rainer Krienke <[hidden email]> wrote:
>
> Hello Luc,
>
> thanks for your answer. If I understand you correctly then you are using
> Samba4 as Windows domain controller and you do not have another Windows
> DC? So after all you have exactly one Kerberos server that is part of
> the Samba4 server?
>
> Thanks
> Rainer
>
> On 24.03.2015 at 12:41, Luc Lalonde wrote:
>> Guten Tag Rainer,
>>
>> We use our Samba4/Win2k8 AD domain to authenticate all our
>> Linux/Windows/OSX workstations.
>>
>> The home directories are mounted using CIFS in the Windows and OSX
>> clients and NFS4 (krb5) in our Linux labs.
>>
>> Here’s our documentation (French):
>>
>> https://techwiki.gi.polymtl.ca/NFSv4_Kerberos
>>
>> If Google translate gives you something unintelligible, I’ll be glad to
>> clarify the translation to english…
>>
>> Hope this helps!
>>


Re: Samba server with NFSV4/kerberos

Volker Lendecke
In reply to this post by Rainer Krienke
On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:

> Now here is the problem: When samba tries to access a directory of a
> windows user say "john"  (john's home is NFS4 mounted on the samba
> server) the samba process does this as the user "john" not root and gets
> a permission denied, since for user "john" there is no kerberos TGT
> allowing him to access the kerberized service NFS. This happens because
> a windows user authenticates against the windows ADS server when he logs
> in at windows and my MIT kerberos server does not know anything about this.
>
> Does anyone have a similar setup and a solution for the problem
> described that's working?

We've done something very similar eons ago with AFS. Similar
problem. With the fake-kaserver Samba could create its own
tickets. Something that in modern days you definitely do NOT
want. We need to hook Samba much better into the nfsv4
client now. Somehow we need to acquire credentials for the
NFS4 service, probably to do this MIT somehow needs to trust
the AD with a cross-realm trust. If Samba has the nfsv4
ticket, we need to tell the kernel to use it when we switch
to "john". Interesting project, but none of this is done yet
unfortunately.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: Samba server with NFSV4/kerberos

Jeremy Allison
On Tue, Mar 24, 2015 at 01:21:50PM +0100, Volker Lendecke wrote:

> On Tue, Mar 24, 2015 at 11:18:13AM +0100, Rainer Krienke wrote:
> > Now here is the problem: When samba tries to access a directory of a
> > windows user say "john"  (john's home is NFS4 mounted on the samba
> > server) the samba process does this as the user "john" not root and gets
> > a permission denied, since for user "john" there is no kerberos TGT
> > allowing him to access the kerberized service NFS. This happens because
> > a windows user authenticates against the windows ADS server when he logs
> > in at windows and my MIT kerberos server does not know anything about this.
> >
> > Does anyone have a similar setup and a solution for the problem
> > described that's working?
>
> We've done something very similar eons ago with AFS. Similar
> problem. With the fake-kaserver Samba could create its own
> tickets. Something that in modern days you definitely do NOT
> want. We need to hook Samba much better into the nfsv4
> client now. Somehow we need to acquire credentials for the
> NFS4 service, probably to do this MIT somehow needs to trust
> the AD with a cross-realm trust. If Samba has the nfsv4
> ticket, we need to tell the kernel to use it when we switch
> to "john". Interesting project, but none of this is done yet
> unfortunately.

I have some code that does this I gave to a (large) user
site to test. It took a forwarded ticket from the Windows
client and saved it in the /tmp/krb5cc_XXXXX file so that
the NFS client redirector on Linux could use it.

I got it to work in testing, but never got good feedback
from the users so didn't finish it up.

I can dig it out again and forward port to 4.x if you
like ?

Jeremy.

Re: Samba server with NFSV4/kerberos

Orion Poplawski
> I have some code that does this I gave to a (large) user
> site to test. It took a forwarded ticket from the Windows
> client and saved it in the /tmp/krb5cc_XXXXX file so that
> the NFS client redirector on Linux could use it.
>
> I got it to work in testing, but never got good feedback
> from the users so didn't finish it up.
>
> I can dig it out again and forward port to 4.x if you
> like ?
>
> Jeremy.

I would be very much interested in this if this is still around.

--
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [hidden email]
Boulder, CO 80301                   http://www.nwra.com


Re: Samba server with NFSV4/kerberos

Orion Poplawski
In reply to this post by Jeremy Allison
We have a samba server that we would like to share a directory that is nfs4
sec=krb5 mounted from another machine.  However, the user has no kerberos
ticket on the samba server and so their smbd process cannot access the nfs
mount.  If the samba server process took the user's kerberos ticket and put it
where rpc.gssd could find it, then it would have access.

On 05/12/2017 03:47 AM, L.P.H. van Belle wrote:

> Hai,
>
> May I ask what the problem is? I tried to understand it from reading the thread, but I can't figure that out.
> On my Debian (Samba 4.6.3), I use Kerberos and NFSv4 almost everywhere.
> And I do reuse my client tickets.
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_Ki1hjqMDNM
> Default principal: username@MY_REALM
>
> Valid starting       Expires              Service principal
> 05/12/2017 09:53:19  05/12/2017 18:06:28  krbtgt/MY_REALM@MY_REALM
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@
>         renew until 05/19/2017 08:06:28
> 05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@MY_REALM
>         renew until 05/19/2017 08:06:28
>
> Or is this not what you are looking for?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:[hidden email]] On behalf of
>> Orion Poplawski via samba
>> Sent: Wednesday, 10 May 2017 21:43
>> To: [hidden email]; Jeremy Allison
>> Subject: Re: [Samba] Samba server with NFSV4/kerberos
>>
>>> I have some code that does this I gave to a (large) user
>>> site to test. It took a forwarded ticket from the Windows
>>> client and saved it in the /tmp/krb5cc_XXXXX file so that
>>> the NFS client redirector on Linux could use it.
>>>
>>> I got it to work in testing, but never got good feedback from the
>>> users so didn't finish it up.
>>>
>>> I can dig it out again and forward port to 4.x if you like ?
>>>
>>> Jeremy.
>>
>> I would be very much interested in this if this is still around.
>>


--
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [hidden email]
Boulder, CO 80301                   http://www.nwra.com

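Rainer's problem statement and Louis's klist output above describe the same check from two sides: when smbd switches to the user's uid, rpc.gssd looks for a credential cache belonging to that uid and needs a ticket in it that can reach nfs/<server>. The following is an added example, not code from the thread, from Samba or from nfs-utils. Its assumptions are labelled: the cache file names rpc.gssd matches (krb5cc_<uid> and krb5cc_<uid>_<suffix>) and the directories it searches (/tmp, and /run/user/<uid> in newer nfs-utils) are taken from the rpc.gssd(8) defaults and must be adjusted to your -d setting; the klist text is MIT's default layout, and the sample is constructed from the values in Louis's post.

```python
"""Would rpc.gssd find a usable Kerberos credential for this uid?

Added example for this thread, not code from Samba or nfs-utils.
Assumptions (labelled): rpc.gssd's default search, per rpc.gssd(8), is for
FILE caches named krb5cc_<uid> or krb5cc_<uid>_<suffix> under /tmp (newer
nfs-utils also check /run/user/<uid>); klist prints MIT's default layout.
"""
import os
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed rpc.gssd search directories ("{uid}" is substituted); override
# with rpc.gssd -d / nfs.conf on your host.
GSSD_CCACHE_DIRS = ("/tmp", "/run/user/{uid}")
_CC_NAME = re.compile(r"^krb5cc_(\d+)(?:_[A-Za-z0-9]+)?$")
_KLIST_TIME = "%m/%d/%Y %H:%M:%S"
_TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$")


def klist_time(text):
    """Parse a timestamp in the format klist prints."""
    return datetime.strptime(text, _KLIST_TIME)


def gssd_ccache_matches(uid, path):
    """True if rpc.gssd's file-name pattern would select this cache for uid."""
    m = _CC_NAME.match(os.path.basename(path))
    return m is not None and int(m.group(1)) == uid


@dataclass
class Ticket:
    start: datetime
    expires: datetime
    service: str  # service principal; the realm part is empty for referral tickets


def parse_klist(text):
    """Return (default principal, [Ticket]) from klist output."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_LINE.match(line)  # "renew until" lines do not match
        if m:
            tickets.append(Ticket(klist_time(m.group(1)), klist_time(m.group(2)), m.group(3)))
    return principal, tickets


def nfs_access_possible(principal, tickets, nfs_host, now, nfs_realm=None):
    """Decide whether rpc.gssd could build a GSS context for nfs/<nfs_host>.

    It needs a still-valid service ticket for nfs/<nfs_host>, or a valid TGT
    with which it can request one (across a cross-realm trust if the NFS
    realm differs, which is the ADS-vs-MIT situation in the first post).
    Returns (ok, why).
    """
    if principal is None:
        return False, "no credential cache found for this uid"
    user_realm = principal.rsplit("@", 1)[-1]
    live = [t for t in tickets if t.start <= now < t.expires]
    for t in live:
        if t.service.split("@", 1)[0] == f"nfs/{nfs_host}":
            return True, f"valid service ticket {t.service}"
    if any(t.service == f"krbtgt/{user_realm}@{user_realm}" for t in live):
        if nfs_realm and nfs_realm != user_realm:
            return True, (f"valid TGT for {user_realm}; nfs/{nfs_host}@{nfs_realm} is "
                          f"reachable only via a cross-realm trust from {nfs_realm}")
        return True, f"valid TGT for {user_realm}; rpc.gssd can request nfs/{nfs_host}"
    if tickets:
        return False, "cache exists but every ticket has expired"
    return False, "cache holds no tickets"


# Constructed sample, built from the klist output quoted above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10002_Ki1hjqMDNM
Default principal: username@MY_REALM

Valid starting       Expires              Service principal
05/12/2017 09:53:19  05/12/2017 18:06:28  krbtgt/MY_REALM@MY_REALM
        renew until 05/19/2017 08:06:28
05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@
        renew until 05/19/2017 08:06:28
05/12/2017 10:30:32  05/12/2017 18:06:28  nfs/member1.internal.domain.tld@MY_REALM
        renew until 05/19/2017 08:06:28
"""

if __name__ == "__main__":
    principal, tickets = parse_klist(SAMPLE_KLIST)
    at = klist_time("05/12/2017 12:00:00")
    print(gssd_ccache_matches(10002, "/tmp/krb5cc_10002_Ki1hjqMDNM"))
    print(nfs_access_possible(principal, tickets, "member1.internal.domain.tld", at))
    # Hypothetical host/realm pair standing in for the ADS-user, MIT-NFS case.
    print(nfs_access_possible(principal, tickets, "nfsserver.example", at,
                              nfs_realm="LINUXREALM.EXAMPLE"))
```

In practice you run `klist` as the affected uid with `KRB5CCNAME=FILE:/tmp/krb5cc_<uid>...` and feed the output to `parse_klist`; a result of "no credential cache found" for a user who can log in to Windows is exactly the symptom in the first post, and the cross-realm message is the condition Volker names for the ADS-plus-MIT layout.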

Re: Samba server with NFSV4/kerberos

Jeremy Allison
On Wed, May 10, 2017 at 01:43:18PM -0600, Orion Poplawski via samba wrote:

> > I have some code that does this I gave to a (large) user
> > site to test. It took a forwarded ticket from the Windows
> > client and saved it in the /tmp/krb5cc_XXXXX file so that
> > the NFS client redirector on Linux could use it.
> >
> > I got it to work in testing, but never got good feedback
> > from the users so didn't finish it up.
> >
> > I can dig it out again and forward port to 4.x if you
> > like ?
> >
> > Jeremy.
>
> I would be very much interested in this if this is still around.
Here is the (horrible hack) I created. Appropriately
entitled "horrible hack". Won't apply to 4.x, and according
to Simo the correct way to do this is via gss_store_cred_into(),
so this code won't ever get upstream.

If you can make it work locally it might help you out though !

Jeremy.


Attachment: horrible-hack (7K)

Re: Samba server with NFSV4/kerberos

Orion Poplawski
On 05/12/2017 05:22 PM, Jeremy Allison via samba wrote:

> On Wed, May 10, 2017 at 01:43:18PM -0600, Orion Poplawski via samba wrote:
>>> I have some code that does this I gave to a (large) user
>>> site to test. It took a forwarded ticket from the Windows
>>> client and saved it in the /tmp/krb5cc_XXXXX file so that
>>> the NFS client redirector on Linux could use it.
>>>
>>> I got it to work in testing, but never got good feedback
>>> from the users so didn't finish it up.
>>>
>>> I can dig it out again and forward port to 4.x if you
>>> like ?
>>>
>>> Jeremy.
>>
>> I would be very much interested in this if this is still around.
>
> Here is the (horrible hack) I created. Appropriately
> entitled "horrible hack". Won't apply to 4.x, and according
> to Simo the correct way to do this is via gss_store_cred_into(),
> so this code won't ever get upstream.
>
> If you can make it work locally it might help you out though !
>
> Jeremy.
Here's my updated version that uses gss_store_cred_into().  This seems to work
okay for me.  I needed to make sure that delegation is enabled for the server
in AD but that's it.

I added unsetting KRB5CCNAME as that is being set in smb.service and we need
to store in the user's credential cache.

I'm sure there are mistakes as well.  I'd be curious to know what else would
need to get cleaned up to try to get this into samba proper.


--
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [hidden email]
Boulder, CO 80301                   http://www.nwra.com


Attachment: samba-forward.patch (2K)
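With delegation enabled for the Samba server's account, as Orion describes, the Windows client hands smbd a forwarded TGT and smbd writes it into the user's credential cache; anyone who can read that file is that user for as long as the TGT lives. Orion's note about unsetting KRB5CCNAME also points at a second failure mode: a cache written to wherever the service environment says is one rpc.gssd never looks at. The following check is an added example, not the posted patch and not Samba code. It assumes, as labelled, the rpc.gssd(8) default search locations and file-name pattern; adjust them to your -d setting.

```python
"""Check the credential cache smbd stored for a user (delegated-ticket approach).

Added example, not the posted patch. Assumption (labelled): rpc.gssd reads
FILE caches named krb5cc_<uid> or krb5cc_<uid>_<suffix> from /tmp or
/run/user/<uid> (rpc.gssd(8) defaults; adjust to your -d setting). The file
holds a forwarded TGT, so anyone who can read it is that user everywhere
the TGT is valid.
"""
import os
import re
import stat
import tempfile

GSSD_CCACHE_DIRS = ("/tmp", "/run/user/{uid}")  # assumed rpc.gssd search path
_CC_NAME = re.compile(r"^krb5cc_(\d+)(?:_[A-Za-z0-9]+)?$")


def current_uid():
    return os.getuid()


def ccache_issues(path, uid, gssd_dirs=GSSD_CCACHE_DIRS):
    """List what would stop rpc.gssd from using this cache for uid, or make it unsafe.

    An empty list means: regular file, owned by uid, mode 0600 or tighter,
    named and placed so rpc.gssd picks it up when smbd switches to uid.
    """
    issues = []
    try:
        st = os.lstat(path)  # lstat: a symlink planted in /tmp must not pass
    except FileNotFoundError:
        return [f"{path} does not exist: nothing was stored, or KRB5CCNAME in the "
                f"service environment redirected the store elsewhere"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    if st.st_uid != uid:
        issues.append(f"owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"mode {stat.S_IMODE(st.st_mode):04o} exposes the forwarded TGT; want 0600")
    name = os.path.basename(path)
    m = _CC_NAME.match(name)
    if m is None or int(m.group(1)) != uid:
        issues.append(f"name {name} does not match krb5cc_{uid}[_suffix]; rpc.gssd will not find it")
    directory = os.path.dirname(os.path.abspath(path))
    if directory not in {d.format(uid=uid) for d in gssd_dirs}:
        issues.append(f"directory {directory} is not one rpc.gssd searches")
    return issues


def make_sample_ccache(suffix, mode):
    """Create an empty placeholder (constructed for the demo; not a real ccache).

    Returns (path, directory) so the caller can point the check at the temp dir.
    """
    directory = tempfile.mkdtemp(prefix="ccdemo-")
    path = os.path.join(directory, f"krb5cc_{current_uid()}{suffix}")
    with open(path, "wb"):
        pass
    os.chmod(path, mode)
    return path, directory


if __name__ == "__main__":
    loose, d = make_sample_ccache("_smbd", 0o644)
    print(ccache_issues(loose, current_uid(), gssd_dirs=(d,)))  # reports the 0644 mode
    tight, d = make_sample_ccache("", 0o600)
    print(ccache_issues(tight, current_uid(), gssd_dirs=(d,)))  # []
    print(ccache_issues(tight, current_uid()))                   # temp dir is not /tmp itself
```

Run it against `/tmp/krb5cc_<uid>*` on the Samba host after a Windows user has connected; an empty list for the right uid is the state in which the NFSv4 client should start working for that user, and any mode or ownership finding is a credential exposure to fix before the setup goes further.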