NFS wither Kerberos

pixel · December 5, 2019, 2:07pm

Hi@all,

i want to set up nfsv4 with Kerberos on my ucs 4.4.3 and follow these instructions:
https://wiki.univention.de/index.php/NFSv4_with_UCS

I am at the point “Samba 4 Domain” and here the following line is mentioned:

samba-tool spn add nfs/<nfs-server or client host>.$(hostname -d)/$(hostname -d) <nfs-server or client host>\$

I’m not quite sure how to adjust this line. the FQHN of my server (Master, Samba4, NFS) is “tux.gehr.lan”.

with best
sven

SirTux · December 5, 2019, 2:58pm

pixel · December 5, 2019, 4:36pm

Mir ist jetzt aber nicht klar wie ich vorgehen muss oder geht es gar nicht?

SirTux · December 5, 2019, 5:37pm

And what is unclear exactly? You have to execute the script create_spn_account.sh for each NFS server. You could do this on the DC Master and distribute the key tabs to the servers afterwards.

pixel · December 6, 2019, 8:35am

Pretty much everything first I go after the wiki? … well:

Creation of a “virtual root” folder

mkdir /nfs4

edit the /etc/exports

/nfs4 gss/krb5(rw,sync,fsid=0,insecure,crossmnt,no_subtree_check)

Adding a share - Inclusion of the Directory in the Exports Directory

mkdir /nfs4/test

Edit the /etc/fstab

/data/test /nfs4/test none bind 0 0

an mount the orginal in the export-dir

mount /nfs4/test

now I activate on the share (which already exists … Samba) the NFS export parameters:
grafik

Since I want to have Kerberos Authentication I write to /etc/exports:

/nfs4/test gss/krb5(rw,nohide,insecure,no_subtree_check,async)

this now contains:

/nfs4 gss/krb5(rw,sync,fsid=0,insecure,crossmnt,no_subtree_check)
"/data/test" -rw,root_squash,async,subtree_check 0.0.0.0/32 # LDAP:cn=test,cn=tux.gehr.lan,cn=shares,dc=gehr,dc=lan
/nfs4/test gss/krb5(rw,nohide,insecure,no_subtree_check,async)

I think it’s clear up to here. What’s the next step? With the command mentioned in the Wiki:

samba-tool spn add nfs/<nfs-server or client host>.$(hostname -d)/$(hostname -d) <nfs-server or client host>\$

or those in the samba wiki:

samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name> 
samba-tool domain exportkeytab  <name>.keytab  --principal=[<sAMAccount name> | <SPN>]

and how to customize these commands for my case “NFS4 + Samba4 on server: tux.gehr.lan”.

SirTux · December 6, 2019, 4:57pm

No go after the linked thread!

And by the way, this is legacy syntax:

pixel · December 6, 2019, 5:06pm

what is the correct syntax?

SirTux · December 6, 2019, 5:11pm

"/home" -rw,root_squash,sync,no_subtree_check,sec=krb5p

But as said in the linked thread, you can set the option sec=krb5p via the the UMC, so you haveN’t care about the syntax.