[Samba] NFSv4 + Kerberos understanding

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Mon Jul 28 09:14:41 MDT 2014


Hi,

I have a Samba4 AD domain that works nicely. All my W7 machines joined
perfectly and all my Linux clients authenticate against the Kerberos part
of Samba. All works perfectly; now I'm trying to secure my NFS mounts by
using the Kerberos part of Samba.

My NFS server works and I can mount NFS4 exports without Kerberos (and
without problem ;-) ), but when I want to mount a gss/krb5 export on a
Linux client it doesn't work at all....

What I've done:

On my DC:

   - Creating a user 'nfs-client':
         # samba-tool user add nfs-client --random-password

   - Creating a Service Principal Name for that client:
         # samba-tool spn add nfs/client.mydom.com nfs-client

   - Exporting this new principal to my client:
         # samba-tool domain exportkeytab /root/client.nfs.keytab --principal=nfs/client.mydomain.com

   - Finally, doing an scp to copy this new keytab and merging it with
the current one.


On the client:

When I try to mount, I always get the same answer: mount.nfs4: access
denied by server while mounting server.mydomain.com:/data

In syslog, rpc.gssd always says: WARNING: Client
'nfs/client.mydomain.com@MYDOMAIN.COM' not found in Kerberos database
while getting initial ticket for principal
'nfs/client.mydomain.com@MYDOMAIN.COM' using keytab 'FILE:/etc/krb5.keytab'

/etc/krb5.conf:
[libdefaults]
     default_realm = MYDOMAIN.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true

# klist -k /etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 client$@MYDOMAIN.COM
    1 client$@MYDOMAIN.COM
    1 client$@MYDOMAIN.COM
    1 client$@MYDOMAIN.COM
    1 client$@MYDOMAIN.COM
    1 nfs/client.mydomain.com@MYDOMAIN.COM
    1 nfs/client.mydomain.com@MYDOMAIN.COM
    1 nfs/client.mydomain.com@MYDOMAIN.COM


If anybody has an idea,
thanks in advance,

Regards
Bruno.



-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tél : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
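
An added example, not part of the original message: a Python triage of the evidence quoted in the post, checking whether the principal rpc.gssd tried has a key in the keytab listing and whether it matches the name passed to `samba-tool spn add`. The function names and finding codes are hypothetical, and the sample strings are transcribed (trimmed) from the post.

```python
import re

# Evidence transcribed from the post, trimmed to one line per principal.
KLIST_K = """KVNO Principal
---- ------------------------------------
   1 client$@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
"""
GSSD_LOG = ("WARNING: Client 'nfs/client.mydomain.com@MYDOMAIN.COM' not found in "
            "Kerberos database while getting initial ticket for principal "
            "'nfs/client.mydomain.com@MYDOMAIN.COM' using keytab 'FILE:/etc/krb5.keytab'")
SPN_ADDED = "nfs/client.mydom.com"  # argument given to `samba-tool spn add` in the post


def normalize(principal):
    """Accept principals as some list archives render them ('@' shown as ' at ')."""
    return principal.replace(" at ", "@").strip()


def keytab_principals(klist_output):
    """Return the distinct principals in `klist -k` output (one row per key)."""
    rows = (re.match(r"\s*\d+\s+(\S.*\S)\s*$", l) for l in klist_output.splitlines())
    return {normalize(m.group(1)) for m in rows if m}


def triage(gssd_line, klist_output, spn_added):
    """Return finding codes for an rpc.gssd 'not found in Kerberos database' line."""
    m = re.search(r"Client '([^']+)' not found in Kerberos database", gssd_line)
    if not m:
        return ["NO_PRINCIPAL_UNKNOWN_ERROR"]
    client = normalize(m.group(1))
    findings = []
    if client in keytab_principals(klist_output):
        # The key exists locally, so the refusal is the KDC's reply to the
        # initial-ticket request: it does not know this name as a client.
        findings.append("KEY_IN_KEYTAB_KDC_REJECTED_CLIENT")
    else:
        findings.append("PRINCIPAL_MISSING_FROM_KEYTAB")
    name = client.split("@", 1)[0]
    if name.lower() != spn_added.lower():
        # The name registered on the DC is not the name stored in the keytab.
        findings.append("SPN_ADDED_DIFFERS_FROM_KEYTAB_NAME")
    return findings


if __name__ == "__main__":
    for code in triage(GSSD_LOG, KLIST_K, SPN_ADDED):
        print(code)
```
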


