[Samba] NFSv4 + Kerberos understanding
Bruno MACADRÉ
bruno.macadre at univ-rouen.fr
Mon Jul 28 09:14:41 MDT 2014
Hi,

I have a Samba4 AD domain that works nicely. All my W7 machines joined perfectly
and all my Linux clients authenticate against the Kerberos part of Samba.
Everything works perfectly; now I'm trying to secure my NFS mounts by using
the Kerberos part of Samba.

My NFS server works and I can mount NFS4 exports without Kerberos (and
without problem ;-) ), but when I want to mount a gss/krb5 export on a
Linux client it doesn't work at all....

What I've done:

On my DC:
- Creating a user 'nfs-client':
# samba-tool user add nfs-client --random-password
- Creating a Service Principal Name for that client:
# samba-tool spn add nfs/client.mydom.com nfs-client
- Exporting this new principal to my client:
# samba-tool domain exportkeytab /root/client.nfs.keytab --principal=nfs/client.mydomain.com
- Finally, doing an scp to copy this new keytab and merging it with
the current one.

On the client:

When I try to mount, I always get the same answer:
mount.nfs4: access denied by server while mounting server.mydomain.com:/data

In syslog, rpc.gssd always says:
WARNING: Client 'nfs/client.mydomain.com@MYDOMAIN.COM' not found in Kerberos database
while getting initial ticket for principal
'nfs/client.mydomain.com@MYDOMAIN.COM' using keytab 'FILE:/etc/krb5.keytab'

/etc/krb5.conf :
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# klist -k /etc/krb5.keytab :
KVNO Principal
---- --------------------------------------------------------------------------
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM

If anybody has an idea,
thanks in advance,
Regards
Bruno.
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------