Strange kerberos-nfs-gssapi problem
Fredrik Olofsson
olufsson at hotmail.com
Thu Nov 1 19:04:17 UTC 2018
Hello,
I'm a new user of FreeBSD - I recently installed FreeBSD 11.2 p4, and I use it as a backup- and fileserver using Samba48 and bacula. I also play around with it.
I've joined the machine to a Samba domain and can log in as domain users with winbind, using GSSAPI under ssh or passwords from a console or with ssh. NFSv4 with Kerberos also works, after I created SPNs and UPNs using msktutil on the DC (running Debian on a Raspberry Pi 3). I mount the AD users' home directories using NFSv4 and Kerberos from an Ubuntu server, also connected to the domain.
However, logging in from sshd with GSS and mounting of a kerberized NFS share (other than the users' home dirs) works ONLY if I also have a Kerberos ticket as Administrator issued to root at the FreeBSD machine. I can actually mount the share, only I can't do anything with it. (Not even ls works - it behaves quite like the problem described in the handbook. But restarting mountd doesn't work.) I can still log in, however not using GSS, only with a password. As I said above, mounting of /home/* works, but not /media/*.
It is quite baffling - I've tried using Heimdal Kerberos, MIT Kerberos, locked myself out of the system by messing up /etc/pam.d/, etc. etc. Nothing other than "su - ; kinit Administrator@DOMAIN.AD" remedies the situation.
My krb5.conf:
[libdefaults]
default_realm = DOMAIN.AD
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
allow_weak_crypto = true
/etc/pam.d/sshd:
#
# $FreeBSD: releng/11.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
password required pam_unix.so no_warn try_first_pass
In /usr/local/etc/smb4.conf I have:
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /usr/local/bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba4/log.%m
max log size = 50
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
/etc/auto_master:
# $FreeBSD: releng/11.2/etc/auto_master 310007 2016-12-13 04:44:06Z dteske $
#
# Automounter master map, see auto_master(5) for details.
#
/net -hosts -nobrowse,nosuid,intr
# When using the -media special map, make sure to edit devd.conf(5)
# to move the call to "automount -c" out of the comments section.
/media /etc/auto_media noatime
#/- -noauto
/home /etc/auto_home
(I'm not using devd.conf, it's just a regular directory to me.)
/etc/auto_media:
* -intr,nfsv4,sec=krb5 fileserver.domain.ad:/Media/&
Obviously, both Kerberos and NFS work - as does the winbind integration.
I wonder if anyone has encountered anything like this and can point me in the right direction?
Best regards,
Fredrik
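A small diagnostic, added here as an example and not part of the original post, that parses the auto_media map line and a klist -k style keytab listing (the listing and the client hostname bsdbackup.domain.ad are constructed samples) to report which server principal a sec=krb5 mount will request and whether the client's own keytab carries an nfs/ or host/ key for the FreeBSD host. That a root-initiated Kerberos mount should rely on such a host key from /etc/krb5.keytab rather than on an Administrator ticket held by root is an assumption of this example, not something the post states.

```python
import re

# Constructed sample of a "klist -k" style listing of the client's keytab.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/bsdbackup.domain.ad@DOMAIN.AD
   2 HOST/BSDBACKUP@DOMAIN.AD
   2 cifs/bsdbackup.domain.ad@DOMAIN.AD
"""

# Matches a service principal of the form service/host@REALM anywhere on a line,
# so both MIT "klist -k" and Heimdal "ktutil list" output can be fed in.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9_-]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+)")


def keytab_principals(listing):
    """Return the set of service principals found in a keytab listing."""
    found = set()
    for line in listing.splitlines():
        match = PRINCIPAL_RE.search(line)
        if match:
            found.add(match.group(1))
    return found


def automount_target(map_line):
    """Split an auto_media style entry ('* -intr,nfsv4,sec=krb5 srv:/Media/&')
    into its mount option set and the NFS server name."""
    _key, opts, location = map_line.split(None, 2)
    options = set(opts.lstrip("-").split(","))
    server = location.split(":", 1)[0]
    return options, server


def check_client_keytab(map_line, client_fqdn, realm, listing):
    """Report the server principal the mount will ask for and which of the
    client's own nfs/ or host/ keys (assumed names) are present or missing."""
    options, server = automount_target(map_line)
    have = keytab_principals(listing)
    wanted = {f"nfs/{client_fqdn}@{realm}", f"host/{client_fqdn}@{realm}"}
    return {
        "sec_krb5": any(o.startswith("sec=krb5") for o in options),
        "server_principal": f"nfs/{server}@{realm}",
        "client_keys_present": sorted(wanted & have),
        "client_keys_missing": sorted(wanted - have),
    }


if __name__ == "__main__":
    print(check_client_keytab("* -intr,nfsv4,sec=krb5 fileserver.domain.ad:/Media/&",
                              "bsdbackup.domain.ad", "DOMAIN.AD", SAMPLE_KEYTAB_LISTING))
```

Feed it the real output of klist -k (MIT) or ktutil list (Heimdal) on the FreeBSD host to see which of the assumed client keys msktutil actually produced.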