[Samba] Samba and kerberized NFSv4
marcel at linux-ng.de
Mon Nov 28 10:55:23 UTC 2016
On 2016-11-28 07:14, Matthias Kahle via samba wrote:
> Hi Folks
Hi Matthias,
> I'm trying to share user home directories hosted on a Samba-4 member
> server via NFSv4. Everything's working well with the Windows shares but
> when it comes to kerberized NFSv4 it fails. I can't even mount the home
> root directory via nfs on the server itself ("mount.nfsv4: access denied
> by server while mounting ...").
>
> As far as I have tracked it down, it appears to me that the server is
> searching in its database for a userPrincipalName=nfs/server.dom.tld
> while I have added a servicePrincipalName=nfs/server.dom.tld with the
> samba-tool. Due to this neither the server is getting a TGT nor the
> client a TGS ...
>
> Am I doing anything wrong? Is that behaviour intentional?
Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC
can be quite tricky.
To track down the problem, you should run rpc.gssd (on client) and
rpc.svcgssd (on server) with "-v -v -v". This might give you some
more hints where to look.
You can read about the servicePrincipalNames your NFS client uses
in the man page of rpc.gssd:
    <HOSTNAME>$@<REALM>
    root/<hostname>@<REALM>
    nfs/<hostname>@<REALM>
    host/<hostname>@<REALM>
You should also check the listing of your keytab - if you're using
the wrong syntax for your principalName, samba-tool will tell you
it added an entry to the keytab (which in fact it didn't).
    linux # ktutil
    > rkt /etc/krb5.keytab
    > list -e
> Version affected is samba 4.2.10 from the official debian 8 repositories
> (on DCs and the member server).
>
> Kind regards,
> Matthias
Bye,
Marcel
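
Added example (not part of the original message): a shell check that reports which of the principals listed above from the rpc.gssd man page are absent from a keytab listing. It assumes the two-column "KVNO Principal" layout of MIT `klist -k`; the function names, the realm DOM.TLD and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not real output).
# It models the case from the thread: the nfs/ entry never reached the keytab.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@DOM.TLD
   2 host/server.dom.tld@DOM.TLD'

# candidate_principals FQDN REALM
# Prints the four principal names from the list above, one per line.
# Assumption: <HOSTNAME> is the upper-cased short host name (machine account).
candidate_principals() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' \
        "${short}\$@${realm}" \
        "root/${fqdn}@${realm}" \
        "nfs/${fqdn}@${realm}" \
        "host/${fqdn}@${realm}"
}

# missing_principals FQDN REALM < keytab-listing
# Prints every candidate that has no exact (case-sensitive) match in column 2
# of the listing read from stdin. Prints nothing when all four are present.
missing_principals() {
    listing=$(cat)
    candidate_principals "$1" "$2" | while IFS= read -r p; do
        printf '%s\n' "$listing" |
            awk -v want="$p" '$2 == want { found = 1 } END { exit !found }' ||
            printf '%s\n' "$p"
    done
}

# Demonstration on the constructed listing; on a real host, pipe in
# `klist -k /etc/krb5.keytab` instead.
printf '%s\n' "$SAMPLE_LISTING" | missing_principals server.dom.tld DOM.TLD
```

A missing nfs/ line here means the keytab itself lacks the entry, whatever the tool that was supposed to add it reported.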