Strange kerberos-nfs-gssapi problem

Fredrik Olofsson olufsson at hotmail.com
Thu Nov 1 19:04:17 UTC 2018


Hello,
I'm a new user of FreeBSD: I recently installed FreeBSD 11.2-p4, and I use it as a backup and file server using Samba48 and bacula. I also play around with it.

I've joined the machine to a Samba domain and can log in as domain users with winbind, using GSSAPI under ssh or passwords from a console or with ssh. NFSv4 with Kerberos also works, after I created SPNs and UPNs using msktutil on the DC (running Debian on a Raspberry Pi 3). I mount the AD users' home directories using NFSv4 and Kerberos from an Ubuntu server, also joined to the domain.

However, logging in via sshd with GSS and mounting a kerberized NFS share (other than the users' home dirs) works ONLY if I also have a Kerberos ticket as Administrator issued to root on the FreeBSD machine. I can actually mount the share, only I can't do anything with it. (Not even ls works; it behaves quite like the problem described in the handbook. But restarting mountd doesn't help.) I can still log in, however not using GSS, only with a password. As I said above, mounting of /home/* works, but not /media/*.

It is quite baffling. I've tried using Heimdal Kerberos, MIT Kerberos, locked myself out of the system by messing up /etc/pam.d/, etc. etc. Nothing other than "su - ; kinit Administrator@DOMAIN.AD" remedies the situation.

My krb5.conf:

[libdefaults]
        default_realm = DOMAIN.AD
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes
        allow_weak_crypto = true

/etc/pam.d/sshd

#
# $FreeBSD: releng/11.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account                required        pam_krb5.so
account         sufficient      /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password         sufficient      /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

In /usr/local/etc/smb4.conf I have:

        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind refresh tickets = yes
        template homedir = /home/%U
        template shell = /usr/local/bin/bash

        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2
        log file = /var/log/samba4/log.%m
        max log size = 50

        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab

/etc/auto_master:
# $FreeBSD: releng/11.2/etc/auto_master 310007 2016-12-13 04:44:06Z dteske $
#
# Automounter master map, see auto_master(5) for details.
#
/net            -hosts          -nobrowse,nosuid,intr
# When using the -media special map, make sure to edit devd.conf(5)
# to move the call to "automount -c" out of the comments section.
/media          /etc/auto_media         noatime
#/-             -noauto
/home           /etc/auto_home

(I'm not using devd.conf; it's just a regular directory to me.)

/etc/auto_media

*  -intr,nfsv4,sec=krb5 fileserver.domain.ad:/Media/&


Obviously, both Kerberos and NFS work, as does the winbind integration. I wonder if anyone has encountered anything like this and can point me in the right direction?

Best regards,
Fredrik
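A check worth running on a setup like the one above, as an added example that is not part of the original post: the server-side gssd(8) on FreeBSD authenticates NFS clients with the nfs/<fqdn> key in /etc/krb5.keytab (and with gssd_flags="-h", root-initiated mounts such as the automounter's can use the host's keytab entries instead of a user ticket), so the keytab msktutil wrote is the thing to audit before reaching for allow_weak_crypto = true. The script below parses a keytab listing in either MIT (klist -k -e) or Heimdal (ktutil -k /etc/krb5.keytab list, the FreeBSD base format) layout, confirms that both host/ and nfs/ SPNs have keys, and flags legacy enctypes. The host name fileserver.domain.ad, the realm DOMAIN.AD and both listings are constructed sample data, not output from the poster's machine; the single-DES and export-RC4 types are the ones allow_weak_crypto re-enables, and RC4-HMAC and 3DES are flagged as well because RFC 8429 deprecates them.

```shell
#!/bin/sh
# Added example, not from the original post: audit a keytab listing for the
# SPNs a kerberized NFSv4 host needs and for weak/legacy enctypes.
# Real input:  klist -k -e /etc/krb5.keytab          (MIT)
#          or: ktutil -k /etc/krb5.keytab list        (Heimdal, FreeBSD base)
# Host name, realm and all key lines below are constructed sample data.

# Constructed MIT-style listing; deliberately contains two legacy keys.
MIT_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.domain.ad@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   2 host/fileserver.domain.ad@DOMAIN.AD (arcfour-hmac)
   2 nfs/fileserver.domain.ad@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   2 nfs/fileserver.domain.ad@DOMAIN.AD (des-cbc-crc)
   2 FILESERVER$@DOMAIN.AD (aes256-cts-hmac-sha1-96)'

# Constructed Heimdal-style listing; AES only.
HEIMDAL_LISTING='/etc/krb5.keytab:

Vno  Type                     Principal                            Aliases
  2  aes256-cts-hmac-sha1-96  host/fileserver.domain.ad@DOMAIN.AD
  2  aes256-cts-hmac-sha1-96  nfs/fileserver.domain.ad@DOMAIN.AD'

# normalize LISTING -> one "principal enctype" line per key, either format.
normalize() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            if ($3 ~ /^\(/) { p = $2; et = $3; gsub(/[()]/, "", et) }  # MIT: KVNO Principal (enctype)
            else            { p = $3; et = $2 }                        # Heimdal: Vno Type Principal
            print p, et
        }'
}

# has_principal LISTING SERVICE FQDN REALM -> exit 0 if SERVICE/FQDN@REALM has a key.
has_principal() {
    normalize "$1" | grep -q "^$2/$3@$4 "
}

# weak_keys LISTING -> prints "principal enctype" for every legacy key.
# Single DES and export RC4 are what allow_weak_crypto=true re-enables;
# RC4-HMAC and 3DES are deprecated by RFC 8429 and are flagged too.
weak_keys() {
    normalize "$1" | awk '$2 ~ /^(des-cbc-(crc|md4|md5)|des-hmac-sha1|des3-cbc-sha1|arcfour-hmac(-md5|-exp)?)$/'
}

# count_weak LISTING -> number of legacy keys.
count_weak() {
    weak_keys "$1" | wc -l | tr -d ' '
}

# audit_keytab LISTING FQDN REALM -> exit 0 only if host/ and nfs/ SPNs both
# have keys and no legacy key is present; prints the findings.
audit_keytab() {
    rc=0
    for svc in host nfs; do
        if has_principal "$1" "$svc" "$2" "$3"; then
            echo "ok: $svc/$2@$3 present"
        else
            echo "MISSING: $svc/$2@$3"
            rc=1
        fi
    done
    weak=$(weak_keys "$1")
    if [ -n "$weak" ]; then
        printf 'WEAK KEYS:\n%s\n' "$weak"
        rc=1
    fi
    return $rc
}

# Usage on the constructed samples: the MIT one fails (legacy keys), the Heimdal one passes.
audit_keytab "$MIT_LISTING" fileserver.domain.ad DOMAIN.AD || echo "audit failed for MIT sample (expected)"
echo "---"
audit_keytab "$HEIMDAL_LISTING" fileserver.domain.ad DOMAIN.AD
```

On the real machine the call is audit_keytab "$(ktutil -k /etc/krb5.keytab list)" fileserver.domain.ad DOMAIN.AD (or the klist -k -e form with MIT). If only legacy keys turn up for nfs/, the fix is to re-create the SPN keys with AES (msktutil has an --enctypes option for that) rather than to keep allow_weak_crypto = true, which silently lets the GSS context fall back to DES.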
