Thursday, December 13, 2018

FreeBSD NFSv4 mount of Windows 2019 Server share with Kerberos auth

Windows part:
Step 0: Ignore the complicated bullshit here: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649429(v=pandp.10). There is no reason to use an SPN; it only adds some kind of proxy, not security. Go to Step 1.
Step 1: Install the NFS server on Windows as described on the web and create the share folder.
Step 1.1: The Windows NFS server's log is found here: Event Manager, Services and Applications, Microsoft, ServicesForNFS-Server (no idea why it's written like that).
Step 2: Use this configuration for the network share:

Step 3: From PowerShell, execute this to enable mapping via AD:
Set-NfsMappingStore -EnableADLookup $true
Step 4: A restart is probably required.

FreeBSD part:
Step 0: FQDN?
Step 1: Install pam_krb5 (linked with MIT Kerberos in my case).
Step 2: Install /etc/krb5.conf (pretty ordinary, lots of examples on the Internet, but notice default_tkt_enctypes). Also, on FreeBSD the pam section is commented out because pam ignores it for some reason anyway.
[libdefaults]
    default_realm        = DOMAIN.LOCAL
    forwardable          = true
#    default_cc_name      = /tmp/krb5cc_%{uid}
    # enctype requested for the initial TGT (the setting the text says to watch)
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
[appdefaults]
    default_realm = DOMAIN.LOCAL
# pam block left commented out: pam_krb5 on FreeBSD ignores it anyway
#    pam = {
        forwardable      = true
        krb4_convert     = false
        debug            = true
        ccache           = FILE:/tmp/krb5cc_%u
        ticket_lifetime  = 36000
        renew_lifetime   = 36000
#    }
[realms]
    # realm name must match default_realm exactly (DOMAIN.LOCAL, not DOMAIN)
    DOMAIN.LOCAL = {
        kdc              = sun2.domain.local:88
        admin_server     = sun2.domain.local:749
        kpasswd_server   = sun2.domain.local:464
        kpasswd_protocol = SET_CHANGE
        default_domain   = domain.local
    }
[domain_realm]
    domain.local  = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL
    .DOMAIN.LOCAL = DOMAIN.LOCAL
[logging]
    default = FILE:/var/log/krb5lib.log
#    kdc = FILE:/var/log/krb5kdc.log
#    admin_server = FILE:/var/log/kadmind.log
#    default = SYSLOG:INFO:USER


Step 3: Check that you can get your ticket with kinit.
Step 4: Uncomment the krb5 sections where you need them in /etc/pam.d/* to log in. Note that logging in via ssh and getting a ccache file is broken on FreeBSD 11.2. Try other methods to verify that you get your ticket in the default /tmp/krb5* location.
Step 5: These services are used for UNIX/AD user mapping. Enable and start them. The last one probably isn't required.
# /etc/rc.conf: Kerberos (gssd) and NFS user-mapping (nfsuserd) daemons
gssd_enable="YES"
nfsuserd_enable="YES"
#nfscbd_enable="YES"

Step 6: Mount the share:
mount -o sec=krb5,minorversion=1,nfsv4 sun3.domain.local:/nfs_share_test1 /mnt/
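As an added pre-flight check for the FreeBSD side (an example script, not from the original post), the following parses krb5.conf and saved klist output and catches the two things most likely to make Step 6 fail: a [realms] block whose name does not match default_realm, and a missing TGT. The file names and contents it creates are constructed for the demo.

```shell
# Added example (not from the original post): pre-flight checks for the FreeBSD side
# before the mount in Step 6. It parses a krb5.conf and saved `klist` output and verifies
# that default_realm has a matching [realms] block (named DOMAIN.LOCAL, not DOMAIN) and
# that the credential cache holds a TGT (krbtgt/REALM@REALM). Demo files are constructed.

# Print the default_realm value from the [libdefaults] section of krb5.conf $1.
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/].*/, "", sect); next }
        sect == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Succeed if the [realms] section of krb5.conf $1 defines a block for realm $2.
krb5_realm_defined() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/].*/, "", sect); next }
        sect == "realms" && /=[[:space:]]*[{]/ {
            name = $0; sub(/=.*/, "", name); gsub(/[[:space:]]/, "", name)
            if (name == realm) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeed if saved klist output in $1 lists a TGT for realm $2.
klist_has_tgt() { grep -q "krbtgt/$2@$2" "$1"; }
# Run all checks: $1 = krb5.conf, $2 = file holding `klist` output.
nfs_preflight() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $1"; return 1; }
    krb5_realm_defined "$1" "$realm" || { echo "FAIL: [realms] has no block for $realm"; return 1; }
    klist_has_tgt "$2" "$realm" || { echo "FAIL: no TGT for $realm, run kinit first"; return 1; }
    echo "OK: realm $realm is configured and a TGT is present"
}

# Write a minimal constructed krb5.conf to $1 whose [realms] block is named $2.
write_demo_conf() {
    printf '[libdefaults]\n    default_realm = DOMAIN.LOCAL\n[realms]\n    %s = {\n        kdc = sun2.domain.local:88\n    }\n' "$2" > "$1"
}

# Demo: a correct config and one with the [realms] block mistakenly named DOMAIN.
demo=$(mktemp -d)
write_demo_conf "$demo/good.conf" DOMAIN.LOCAL
write_demo_conf "$demo/bad.conf" DOMAIN
printf 'Default principal: user@DOMAIN.LOCAL\n  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL\n' > "$demo/klist.txt"
nfs_preflight "$demo/good.conf" "$demo/klist.txt"
nfs_preflight "$demo/bad.conf" "$demo/klist.txt" || true   # expected to fail
rm -r "$demo"
```

On a real host, replace the constructed files with /etc/krb5.conf and the output of klist redirected to a file.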



Mounted files' ownership will be shown as 'nobody:nobody' because FreeBSD can't resolve Windows users and groups on its side. Despite this mapping, the real permissions are still respected, and access from the UNIX box is checked via the Kerberos ticket.
Note, though, that Windows sets ownership differently depending on whether the user is in the Domain Administrators (or Administrators?) group. It was possible to change this on old Windows (pre-2008?) but not now.
So this link is irrelevant.