Archive for September 2025
Encrypted NFS
Posted on Thu, Sep 04, 2025 at 17:04 by Hubertus A. Haniel
After joining AD we can use Kerberos to encrypt NFS traffic as well. Obviously the NFS server must be joined to the same AD domain.
To do this we need to add an SPN of the form nfs/<server name> for the NFS server on the server side (already explained in the previously mentioned blog).
It needs to be visible in the keytab with klist -ke.
Then we add the export to the exports file, something like:
/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
We only really want krb5p as that is fully encrypted.
Then we need to set the domain in /etc/idmapd.conf. It should be what is returned when you run "nfsidmap -d"; in my case this is localnet.lan.
Most problems are about this SPN. My SPN is nfs/server.localnet.lan and the server name is the same, but my Kerberos realm is upnor.localnet.lan, so I had to add this to my /etc/krb5.conf file that is mentioned in the other blog:
[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
I also added allow_weak_crypto. I am not sure it is required, but the Red Hat manuals do tell you to do that, so for completeness my config is now:
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_realm = UPNOR.LOCALNET.LAN
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true

[realms]
 UPNOR.LOCALNET.LAN = {
  kdc = 192.168.0.10
 }

[domain_realm]
 .localnet.lan = UPNOR.LOCALNET.LAN
 localnet.lan = UPNOR.LOCALNET.LAN
 .upnor.localnet.lan = UPNOR.LOCALNET.LAN
 upnor.localnet.lan = UPNOR.LOCALNET.LAN
If we have done all this correctly we should be able to mount this export with something like "mount -t nfs -o nfsvers=4,sec=krb5p,proto=tcp". We want krb5p as that fully encrypts all traffic, while krb5 and krb5i only protect certain parts of the protocol, which may be too insecure in some environments.
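The exports line above offers krb5, krb5i and krb5p together, so a client is free to negotiate one of the weaker flavours even though only krb5p encrypts the data. As an added example (not code from the original post), the script below audits exports lines for any flavour other than krb5p and prints a hardened replacement. It assumes the standard one-client-per-line syntax used in the post; the sample exports are constructed, with the post's line plus two made-up ones.

```shell
#!/bin/sh
# Added example, not code from the original post: audit /etc/exports lines
# for Kerberos security flavours weaker than krb5p and print a hardened
# replacement. Assumes the exports syntax used in the post, one export per
# line with a single client spec: /path client(opt,opt,...).

# Constructed sample: the post's export plus two made-up lines.
SAMPLE_EXPORTS='/TEST *.localnet.lan(rw,sec=krb5:krb5i:krb5p,no_root_squash)
/DATA *.localnet.lan(rw,sec=krb5p,root_squash)
/LEGACY 192.168.0.0/24(ro)'

# export_options LINE  ->  the comma-separated option list inside the ( )
export_options() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# weak_sec_flavours LINE
# Prints the sec= flavours a client may negotiate that are not krb5p:
# krb5 authenticates only, krb5i adds integrity, neither encrypts the data;
# an export without sec= defaults to sys (AUTH_SYS, no Kerberos at all).
weak_sec_flavours() {
    sec=$(export_options "$1" | tr ',' '\n' | sed -n 's/^sec=//p')
    [ -n "$sec" ] || sec=sys
    printf '%s\n' "$sec" | tr ':' '\n' | sed '/^krb5p$/d' | tr '\n' ' ' | sed 's/ $//'
}

# harden_export LINE  ->  the same export accepting only sec=krb5p
harden_export() {
    head=$(printf '%s\n' "$1" | sed 's/(.*//')
    opts=$(export_options "$1")
    if printf '%s\n' "$opts" | tr ',' '\n' | grep -q '^sec='; then
        opts=$(printf '%s\n' "$opts" | tr ',' '\n' | sed 's/^sec=.*/sec=krb5p/' | tr '\n' ',' | sed 's/,$//')
    else
        opts="$opts,sec=krb5p"
    fi
    printf '%s(%s)\n' "$head" "$opts"
}

# audit_exports TEXT
# Prints a WEAK/allows/fix block for every export that accepts anything other
# than krb5p; comment and blank lines are skipped.
audit_exports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        weak=$(weak_sec_flavours "$line")
        [ -n "$weak" ] || continue
        printf 'WEAK: %s\n      allows: %s\n      fix:    %s\n' \
            "$line" "$weak" "$(harden_export "$line")"
    done
}

audit_exports "$SAMPLE_EXPORTS"
```

Run it against the real file with audit_exports "$(cat /etc/exports)"; on the server, "exportfs -v" shows the flavours actually in effect after "exportfs -ra", which is the value worth comparing against what the clients are expected to mount with.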
Edited on: Thu, Sep 04, 2025 17:27
Posted in HowTo, System - Linux
Enable krb5 authentication for SSH
Posted on Thu, Sep 04, 2025 at 14:49 by Hubertus A. Haniel
After joining an AD it is very simple to enable Kerberos authentication for SSH, assuming your Windows ID and Unix ID match. All you need to do is add the following 2 lines to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
All you then have to do is enable these options on your SSH client and you should be able to log in to your Linux systems with the credentials of the Windows machine joined to the same domain.
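A common reason the two lines appear not to work is that sshd keeps the first uncommented value it finds for a keyword, so a stock "GSSAPIAuthentication no" that has been uncommented above the added lines silently wins. As an added example (not from the original post), the script below resolves the global value of a directive the way sshd does and reports whether both GSSAPI options are effectively on. The sshd_config samples are constructed; the check assumes the plain "Keyword value" form and ignores everything below a Match block.

```shell
#!/bin/sh
# Added example, not from the original post: check that an sshd_config really
# enables both GSSAPI directives. sshd takes the first uncommented occurrence
# of a keyword (keywords are case-insensitive), so a stock
# "#GSSAPIAuthentication no" line must stay commented out or come after the
# lines the post adds. Assumes the plain "Keyword value" form, not
# Keyword=value, and stops at the first Match block.

# Constructed sample: stock comments left in place plus the two added lines.
SAMPLE_SSHD='# stock defaults, commented out
#GSSAPIAuthentication no
#GSSAPIKeyExchange no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
PasswordAuthentication no
Match User backup
    GSSAPIAuthentication no'

# Constructed sample where the added lines sit below an uncommented stock
# line: sshd keeps the first value, "no".
SAMPLE_SSHD_SHADOWED='GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes'

# sshd_option CONFIG_TEXT KEYWORD  ->  the value sshd will use globally
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                # per-user/host overrides
        tolower($1) == key     { print $2; exit }      # first match wins'
}

# gssapi_enabled CONFIG_TEXT  ->  exit 0 only if both directives resolve to yes
gssapi_enabled() {
    [ "$(sshd_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(sshd_option "$1" GSSAPIKeyExchange)" = yes ]
}

if gssapi_enabled "$SAMPLE_SSHD"; then
    echo "GSSAPI authentication and key exchange enabled"
else
    echo "GSSAPI not fully enabled"
fi
```

On a live host, "sshd -T | grep -i gssapi" prints the values the daemon itself resolved, which is the authoritative check. Note that GSSAPIKeyExchange comes from the GSSAPI key exchange patch carried by Debian and Red Hat OpenSSH packages rather than from upstream OpenSSH, so an unpatched build rejects the keyword.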
Edited on: Thu, Sep 04, 2025 15:03
Posted in HowTo, System - Linux
Linux AD integration and computer account password rotation pitfalls
Posted on Thu, Sep 04, 2025 at 14:31 by Hubertus A. Haniel
When running Samba and/or trying to use Kerberos for basic authentication and/or encryption, the easiest route in most larger environments is joining a Windows-based AD domain, which already provides central authentication for users; it is reasonably trivial to do this without having to stand up your own LDAP/Kerberos services.
I have already described here how adcli can be used to join a domain to enable Kerberos, but there may be some considerations to make when Samba is already running on the server, in which case it may already be joined to the domain anyway, and if we want to add sssd to the mix because nscd is being deprecated and is no longer present in RHEL10.
I have come across articles with reports of issues with computer account password rotation where Samba or other parts may stop functioning when Samba and sssd are running on the same machine, where they will clash or not update all the correct files. Some threads even suggest that computer accounts could expire, but it is my understanding that this is not actually the case, looking at the Microsoft documentation and also at the attributes of a computer object compared to a user object. The way computer account rotation is handled in Windows is via the Group Policy, which defines the maximum age before rotation (the default is 30 days). Windows looks at the pwdLastSet attribute of its account and rotates the password according to the Group Policy definition.
When using adcli to join a domain just to perform simple Kerberos authentication and encryption there is really no concern when neither Samba nor sssd is running, as nothing would interfere with the credentials.
Samba obviously does not look at the Group Policy, so the way it is handled in Samba according to the man pages is with the "machine password timeout" parameter in smb.conf, which apparently by default is 604800 seconds (1 week). I have however observed in AD that RHEL8 machines do not seem to do this by default, as I have found computer accounts that have not been rotated since they were joined into the domain. I have a couple of Debian-based machines where on both the password has been changed within the last week, which is the expected behaviour from the man page. I also have very little concern that Samba will break basic Kerberos authentication and encryption, since Samba should update all the correct files.
So on a Samba machine, if I force the update with "net ads changetrustpw" I can see that it does correctly update the local secrets database in /var/lib/samba and the /etc/krb5.keytab file. After that, running "adcli testjoin" or "net ads testjoin" both report positively that everything is still OK. However, running "adcli update" will actually break Samba, as it will only update /etc/krb5.keytab: "net ads testjoin" will now report everything is OK, but it will also throw up errors like "kerberos_kinit_password VM-RHEL8$@UPNOR.LOCALNET.LAN failed: Preauthentication failed". It gets worse when I try to use other commands like "net ads changetrustpw" again, which is now completely broken. I will have to rejoin the domain with Samba as Samba and Kerberos have come out of sync. If Samba is running we need to make sure that the data Samba keeps in /var/lib/samba and /etc/krb5.keytab are in sync, so adcli has to be run with the --add-samba-data flag. I also recommend running with "-v --computer-password-lifetime=0", as adcli may actually do nothing if it thinks the password is not out of date and you will not see that without the "-v" flag.
I have yet to dig into how sssd will interact with this mix, which is on my todo list, but I have a suspicion that if sssd is in the mix it will not take care of the stuff in /var/lib/samba, and this is where the various articles across various forums emerge from. To prevent the clash they suggest doing the following:
- add "ad_maximum_machine_account_password_age = 0" to /etc/sssd/sssd.conf (needs to be tested as I cannot find that setting in the man pages even on RHEL10, and another article suggests that this setting is upstream from RHEL8)
- add "machine password timeout = 0" to /etc/samba/smb.conf
- Create a cron job that runs something like "adcli update --computer-password-lifetime=0 --add-samba-data -D 2>&1 | /usr/bin/logger -t adcli"
One note of caution: if you do end up having to rejoin your domain it is very likely that any SPNs you may have will get destroyed and stop working, so it is advisable to remove /etc/krb5.keytab and start from scratch.
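The observation above about RHEL8 accounts that were never rotated is easy to turn into a routine check, since the pwdLastSet attribute the post describes is exactly what Windows compares against the Group Policy maximum. As an added example (not the post's own code, nor part of adcli, Samba or sssd), the script below reads computer objects in the LDIF shape that "ldapsearch -LLL ... '(objectClass=computer)' sAMAccountName pwdLastSet" prints and flags every account whose password is older than the maximum age. pwdLastSet is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so it has to be converted before it can be compared with a Unix timestamp. The LDIF records, account names and timestamps are constructed; the 30-day limit is the default the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post: flag AD computer accounts whose
# password has not rotated within the Group Policy maximum age (30 days by
# default). Input is constructed LDIF in the shape ldapsearch returns for
# "(objectClass=computer)" with sAMAccountName and pwdLastSet requested; the
# names and values below are made up.

SAMPLE_LDIF='dn: CN=VM-RHEL8,CN=Computers,DC=upnor,DC=localnet,DC=lan
sAMAccountName: VM-RHEL8$
pwdLastSet: 133440000000000000

dn: CN=DEB-01,CN=Computers,DC=upnor,DC=localnet,DC=lan
sAMAccountName: DEB-01$
pwdLastSet: 133700000000000000
'

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# 11644473600 is the number of seconds between 1601-01-01 and the Unix epoch.
pwdlastset_to_unix() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# stale_computer_accounts LDIF NOW_UNIX MAX_DAYS
# Prints "<sAMAccountName> <age in days>" for every account whose password is
# older than MAX_DAYS. A pwdLastSet of 0 (never set) is reported as stale too.
stale_computer_accounts() {
    printf '%s\n' "$1" | awk -v now="$2" -v maxdays="$3" '
        function report() {
            if (name != "" && set != "") {
                age = int((now - (set / 10000000 - 11644473600)) / 86400)
                if (age > maxdays) print name, age
            }
            name = ""; set = ""
        }
        /^sAMAccountName: / { name = $2 }
        /^pwdLastSet: /     { set = $2 }
        /^$/                { report() }     # blank line ends an LDIF record
        END                 { report() }'
}

# Evaluate the constructed sample against a fixed "now" so the run is
# reproducible; on a real system use "$(date +%s)" instead.
stale_computer_accounts "$SAMPLE_LDIF" 1726000000 30
```

Feeding it the live directory looks like stale_computer_accounts "$(ldapsearch -LLL ... '(objectClass=computer)' sAMAccountName pwdLastSet)" "$(date +%s)" 30, with the bind and base options your environment needs in place of the "...". Accounts it lists are the ones where the Samba or adcli rotation the post discusses is not actually happening, which is worth knowing before deciding to force it with "adcli update --computer-password-lifetime=0 --add-samba-data".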
Edited on: Thu, Sep 04, 2025 17:49
Posted in HowTo, System - Linux