
NFSv4 for Linux clients

https://doc.ubuntu-fr.org/tutoriel/samba_ad_dc_nfs4_kerberized https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#nfsv4

I'll tell how I set up NFSv4 and CIFS kerberized mounts these days (with systemd).

I saw a lot of howtos on the internet that are not correct or just not working... PS: you want CIFS? Change the nfs/ SPN to cifs/ and change the mounts to cifs. After that it should be almost the same. (Note: needs to be tested, I don't use it... yet.)

Now this is tested AND in production on my Debian Jessie/Stretch and Ubuntu 18.04 servers. I hope you guys can decrypt my setup. ;-)

  • I'm assuming Samba is already set up and this is a MEMBER server.

I did check that the members have an A and PTR record in the DNS.

All servers have this as setup base: hostname.int.dom.tld A + PTR (+ optional CNAME; a CNAME for example for a webserver: use CNAME www to hostname and you can use the kerberized logins on the CNAME).

And I use this part of Samba to make this work with a Samba AD backend configured. All users have primary group "Domain Users" and I assigned a GID to it.

smb.conf needs (again, it might work with different settings also, but this is what I use and I know it does work):

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    # I use this so I don't need any translation of DOM\username to only username.
    winbind use default domain = yes
    idmap config AD-DOM : unix_primary_group = yes
    idmap config AD-DOM : unix_nss_info = yes

    [users]
    # NOTE1: direct access here, on this server, for the Windows clients.
    browseable = yes
    # This path could/should normally be /home/users, that saves a mount bind... Explained below.
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

I'll show my setup of kerberized NFSv4 and automounting, which has been in production for 3 years now. After a lot of changes in the setup, I can now say that this, as shown below, works great.

On my Linux servers, where I log in with SSH (SSO) Kerberos, I end up in the homedir /home/users/MyUserName/. It might be done a bit better, but that is for later; this is working well for now.

THE SETUP OF SAMBA AND THE USERS' HOMEDIR AND THE NFS SERVER

  • Based on a Samba member:

    apt install samba winbind samba-dsdb-modules samba-vfs-modules krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind ldb-tools bind9utils

    This gives everything you need for Samba as a member.

NFS:

    apt install nfs-kernel-server nfs4-acl-tools

Edit /etc/default/nfs-kernel-server and set:

    NEED_SVCGSSD="yes"

Create the folders with the correct user/group/rights:

    install -o nobody -g nogroup -m 1777 -d /exports
    install -o nobody -g nogroup -m 1777 -d /exports/users

This is NFSv3 and 4 compliant and supports all security options.

Edit /etc/exports:

    /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
    /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
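The sec= list above starts with sys, so the server still accepts mounts that carry no Kerberos credentials at all (client-asserted UIDs). A small audit for that, written here as an added example and not part of the original post, is a function that reads exports syntax and reports every client entry whose security flavours include sys, or that has no sec= option (in which case the kernel default is sys). The exports text is constructed: the two lines from above plus a krb5p-only export and one with no sec= at all.

```shell
# Added example (not from the original post): audit an exports file for
# entries that still accept the unauthenticated "sys" security flavour.
# On a real server run:  exports_allowing_sys < /etc/exports
# The sample below is constructed: the two lines from the post plus a
# krb5p-only export and one with no sec= option at all.
EXPORTS_SAMPLE='/exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
/exports/scratch 192.168.0.0/24(rw,sync,no_subtree_check,sec=krb5p)
/exports/legacy 192.168.0.0/24(rw,sync,no_subtree_check)
# comment lines and blank lines are ignored'

# Reads exports syntax on stdin; prints "<path> <client> <flavours>" for every
# client entry whose sec= list contains sys, or that has no sec= at all
# (without sec= the kernel default is sys).
exports_allowing_sys() {
  awk '
    /^[ \t]*(#|$)/ { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i
        opts = ""
        if (match(client, /\(.*\)/)) {
          opts = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        flavours = "sys"
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] ~ /^sec=/) flavours = substr(o[j], 5)
        if ((":" flavours ":") ~ /:sys:/)
          print path, client, flavours
      }
    }'
}

# Convenience wrapper: number of offending entries in the text given as $1.
count_exports_allowing_sys() {
  printf '%s\n' "$1" | exports_allowing_sys | wc -l | tr -d ' '
}

printf '%s\n' "$EXPORTS_SAMPLE" | exports_allowing_sys
echo "entries still allowing sec=sys: $(count_exports_allowing_sys "$EXPORTS_SAMPLE")"
```

On the sample this lists /exports, /exports/users and /exports/legacy. Whether sys belongs in the list is a policy decision (the post keeps it, and some clients may need it), but the audit tells you exactly which exports a client can reach without a ticket.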

Now, this might be a bit off. My real users' homedir on member1 is /home/samba/users/ (user folders here). But I use /home/users as mount point on ALL my servers, and this is set as homedir in AD (unix/NIS extensions). Yes, including member1.

These directories are created through ADUC, where I put the user homedir in this format. Homedir: \\servername.fqdn\users\%username% This path is set to /home/samba/users.

How to configure this: use a domain-joined Windows PC, configure the share as DOMAIN\Administrator and the folder rights and... DON'T TOUCH IT WITH CHMOD! EVER! If you do, you risk losing your Windows ACLs.

Any other user, outside Samba AD, is in /home as normal on Linux.

The bind mount maps /home/samba/users to /exports/users for the NFS export.

The systemd mount unit for it (ONLY on the NFS server).

/etc/systemd/system/exports-users.mount

    [Unit]
    Description=Used for NFS (/exports/users)
    Wants=network-online.target

    [Mount]
    What=/home/samba/users
    Where=/exports/users
    Type=none
    Options=bind

    [Install]
    WantedBy=multi-user.target

    systemctl enable exports-users.mount
    systemctl start exports-users.mount

(The unit name must match the file name, exports-users.mount.) And I need the same bind mount for the homedir /home/users, because in my UNIX extensions I defined homedir: /home/users.

The mount for the folder we enter after login with SSH (the homedir).

ONLY on the NFS server; the NFS clients get a slightly different set.

/etc/systemd/system/home-users.mount

    [Unit]
    Description=NFS export (/home/users)
    Wants=network-online.target

    [Mount]
    What=/home/samba/users
    Where=/home/users
    Type=none
    Options=bind

    [Install]
    WantedBy=multi-user.target

Note on the homedir setup above: this can be done more easily, but when I started Samba 4 five years ago, I did not know what I know now. ;-)

You need to have the NFS SPN/UPN and root/ << this makes your automounted homedir mount as the user.

    kinit Administrator
    net ads keytab add root/$(hostname -f) -k
    net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file. You need to add these SPNs also in the AD, which I do through ADUC: simply go to the computer object, tab Attribute Editor, look up servicePrincipalName and add: root/fq.domname.tld nfs/fq.domname.tld Don't add the REALM, not needed.

NOTE! Yes, you can do this with samba-tool also, I know.
There is a BUT here... If I add with samba-tool I don't get them in /etc/krb5.keytab, at least not consistently. That's something for later on.

systemctl restart nfs-server

Export the NFS server settings:

    exportfs -rv

And I always advise to clear the logs, do a reboot and check the logs again. Repeat/fix until your server is free of any error.

And your NFS SERVER / SAMBA MEMBER server is ready. END OF MEMBER1


MEMBER2: Next, the NFS CLIENT / SAMBA MEMBER setup. The shortened version here is the auth-only setup; you can add the rest yourself... ;-) This setup covers SSH login and an NFS (v4, krb5) automounted homedir.

The client setup. smb.conf, same as above (except the netbios name of course, that's the HOSTNAME IN CAPS).

Note, this example gives you server + SSH + Kerberos + NFS client and SSO login; for Samba shares, well, see the wiki ;-)

    apt install winbind krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind bind9utils nfs-common nfs4-acl-tools

(Do note, for shares add: samba samba-dsdb-modules samba-vfs-modules; see the line for member1, you can use that also.)

Now, same as every other member, join the domain and start winbind. Then:

    kinit Administrator
    net ads keytab add root/$(hostname -f) -k
    net ads keytab add nfs/$(hostname -f) -k

Now this added root and nfs to the LOCAL keytab file. You need to add these SPNs also in the AD, which I do through ADUC: simply go to the computer object, tab Attribute Editor, look up servicePrincipalName and add: root/fq.domname.tld nfs/fq.domname.tld
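Both the member1 and the member2 steps depend on the same two principals being in /etc/krb5.keytab: nfs/<fqdn> for the NFS service and root/<fqdn>, which rpc.gssd uses to mount the home directory before the user's own ticket is available. The post notes that adding SPNs via samba-tool did not always land in the keytab, so a check is worth having. Below is an added example (not from the original post) that takes a `klist -k` style listing and reports which of the two is missing; the listings are constructed sample output for a hypothetical host member2.int.dom.tld, and the realm INT.DOM.TLD is likewise made up.

```shell
# Added example (not from the original post): check that the local keytab has
# both principals this setup depends on, nfs/<fqdn> (the NFS service) and
# root/<fqdn> (used by rpc.gssd for the automounted homedir). On a real host:
#   missing_service_principals "$(hostname -f)" "$(klist -k /etc/krb5.keytab)"
# The listings below are constructed sample output; in KEYTAB_INCOMPLETE the
# root/ entry was never added.
KEYTAB_INCOMPLETE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/member2.int.dom.tld@INT.DOM.TLD
   2 host/MEMBER2@INT.DOM.TLD
   2 MEMBER2$@INT.DOM.TLD
   2 nfs/member2.int.dom.tld@INT.DOM.TLD'

KEYTAB_COMPLETE="$KEYTAB_INCOMPLETE
   2 root/member2.int.dom.tld@INT.DOM.TLD"

# missing_service_principals FQDN LISTING
# Prints each required SPN that is absent from LISTING, one per line.
# Returns 0 when both are present, 1 otherwise.
missing_service_principals() {
  fqdn=$1
  listing=$2
  rc=0
  for svc in nfs root; do
    # Escape the dots so the FQDN is matched literally, then require a KVNO
    # column in front and the realm separator behind: "   2 nfs/host@REALM".
    pat=$(printf '%s/%s' "$svc" "$fqdn" | sed 's/\./\\./g')
    if ! printf '%s\n' "$listing" | grep -q "^ *[0-9][0-9]* $pat@"; then
      echo "$svc/$fqdn"
      rc=1
    fi
  done
  return $rc
}

if missing=$(missing_service_principals member2.int.dom.tld "$KEYTAB_INCOMPLETE"); then
  echo "keytab complete"
else
  echo "missing from keytab: $missing"
fi
```

Run it after the `net ads keytab add` steps and again after a reboot; a root/ entry that is present in AD but absent here is exactly the failure that leaves /home/users mounted as nobody. Comparing the same two names against the computer object's servicePrincipalName attribute (the one edited in ADUC above) closes the loop on the AD side.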

First, I know I need the homedir to exist:

    mkdir /home/users

I need the NFS client to use Kerberos. Edit /etc/default/nfs-common and set:

    NEED_GSSD=yes

I want to be able to log in (SSO) on SSH. Add at the end of /etc/ssh/sshd_config:

    # Use DNS for kerberos auth
    UseDNS yes
    # Enable kerberos GSSAPI tickets
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes
    GSSAPIStoreCredentialsOnRekey yes

    systemctl restart ssh

Now I can log in, I need the homedir. Adding the systemd mount/automount settings.

/etc/systemd/system/home-users.mount

    [Unit]
    Description=User Homes

    [Mount]
    What=member1.your.domain.tld:/users
    Where=/home/users
    Type=nfs4
    # sec options: sys krb5 krb5i krb5p
    Options=sec=krb5p
    # Note: TimeoutSec= in a .mount unit limits how long the mount/unmount
    # operation itself may take. The idle auto-unmount delay is set with
    # TimeoutIdleSec= in the .automount unit.
    TimeoutSec=150

    [Install]
    WantedBy=multi-user.target

And the automount part.

/etc/systemd/system/home-users.automount

    [Unit]
    Description=Automount Home-Users

    [Automount]
    Where=/home/users

    [Install]
    WantedBy=multi-user.target

    systemctl enable home-users.automount
    systemctl start home-users.automount


Run pam-auth-update --force so you can log in with winbind/kerberos:

    pam-auth-update --force

    systemctl daemon-reload
    systemctl restart nfs-client.target

Test the mount:

    mount member1.your.domain.tld:/users /home/users -t nfs4 -o sec=krb5
    umount /home/users

Test the automount, just:

    ls /home/users

Do you see your users? Don't get scared if you only see root:root as user/owner, that should be fine IF you created the homedir from within Windows. Then you see this, for example:

    drwxrwx---+ 13 root root 4096 Sep 26 2015 username

Check the "real" rights (which for me results in):

    getfacl /home/users/username
    getfacl: Removing leading '/' from absolute path names
    # file: home/users/username
    # owner: username
    # group: root
    user::rwx
    user:root:rwx
    user:username:rwx
    group::---
    group:root:---
    group:BUILTIN\134administrators:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:username:rwx
    default:group::---
    default:group:root:---
    default:group:BUILTIN\134administrators:rwx
    default:mask::rwx
    default:other::---

This results in a private homedir, not even accessible for user root, but it is for BUILTIN\administrators. And keep in mind that "Domain Admins" is a member of "BUILTIN\Administrators" by default. So this environment (/home/users) is locked out for Linux admins but allows Windows admins.

Now clear the logs, reboot, check/fix, reboot, and it's ready. And a last few small notes.

For systemd mount/automount units: if your homedir base is /home/users, then your mount is:

    systemctl enable home-users.(auto)mount

If your homedir is /srv/users, then your mount is:

    systemctl enable srv-users.(auto)mount

The unit name MUST reflect the path.
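Because systemd refuses a .mount or .automount whose name does not match its Where= path, it helps to derive the name mechanically rather than by hand. The following is an added example, not part of the original post: a small reimplementation of the path-to-unit-name rule (drop the leading "/", turn each "/" into "-", escape a literal "-" as "\x2d") plus a generator that writes a matching .mount/.automount pair for a kerberized NFSv4 home directory. On a real system `systemd-escape --path` is the authoritative tool; the reimplementation only covers the characters that occur in this post. The server name member1.your.domain.tld and export /users are the ones used above; the scratch directory is for the demo only.

```shell
# Added example (not from the original post): derive the systemd unit name
# from the mount point the way systemd does (each "/" becomes "-", a literal
# "-" becomes "\x2d", the leading "/" is dropped) and write a matching
# .mount/.automount pair for a kerberized NFSv4 home directory. On a real
# system `systemd-escape --path /home/users` is the authoritative tool; this
# reimplementation covers the path characters that occur in the post.
unit_name_for_path() {
  p=${1#/}; p=${p%/}
  case $p in
    '' | *[!A-Za-z0-9_./-]*) echo "unsupported path: $1" >&2; return 1 ;;
  esac
  # order matters: escape "-" first, then turn "/" into "-"
  printf '%s\n' "$p" | sed -e 's/-/\\x2d/g' -e 's#/#-#g'
}

# write_nfs_home_units UNIT_DIR MOUNT_POINT SERVER:EXPORT [IDLE_SECONDS]
# Writes <name>.mount and <name>.automount into UNIT_DIR and prints the unit
# name. Only the .automount is meant to be enabled; it starts the .mount on
# first access and unmounts it again after IDLE_SECONDS (default 150) idle.
write_nfs_home_units() {
  dir=$1 where=$2 what=$3 idle=${4:-150}
  name=$(unit_name_for_path "$where") || return 1
  cat > "$dir/$name.mount" <<EOF
[Unit]
Description=User homes from $what
Wants=network-online.target
After=network-online.target

[Mount]
What=$what
Where=$where
Type=nfs4
# sec= flavours: sys krb5 krb5i krb5p; krb5p also encrypts the file data
Options=sec=krb5p
EOF
  cat > "$dir/$name.automount" <<EOF
[Unit]
Description=Automount $where

[Automount]
Where=$where
# idle timeout belongs here, not in the .mount unit
TimeoutIdleSec=$idle

[Install]
WantedBy=multi-user.target
EOF
  echo "$name"
}

# Demo into a scratch directory; for real use pass /etc/systemd/system and
# then: systemctl daemon-reload && systemctl enable --now <name>.automount
demo_dir=$(mktemp -d)
unit=$(write_nfs_home_units "$demo_dir" /home/users member1.your.domain.tld:/users)
echo "wrote $demo_dir/$unit.mount and $demo_dir/$unit.automount"
cat "$demo_dir/$unit.automount"
```

The .mount deliberately carries no [Install] section: the automount unit pulls it in on first access, which is also why only home-users.automount is enabled above.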

Multiple domains, or ls /home/users shows only nobody/nogroup? Then try editing /etc/idmapd.conf and configure:

    [General]
    Domain = internal.dom.tld
    Local-Realms = YOUR.REALM.TLD

(The realm is often your DNS domain, but in CAPS.)

Good luck. Questions: I'll probably respond after the weekend; it's Kingsday tomorrow and then I probably can't write or talk within a few hours... :-/ << that represents me at that time, I think. On the IT side...

Oh, and know I'm dyslexic, so I might have missed something above, but after 3x rereading I think it's OK. If not, if you're quick, I'm available for about 1 1/4 hours as of when this mail hits the list.

Edited by denis bonnenfant