question about service principals (samba4)

Andrew Bartlett abartlet at samba.org
Thu Sep 23 23:13:40 MDT 2010


On Thu, 2010-09-23 at 12:48 -0400, Aaron Solochek wrote:

> Ok, well I did manage to get the host/foo keys by writing a shell script to
> filter the net export keytab file down to what I wanted, then using ktutil from
> heimdal to rename the FOO$ to host/foo, and gssapi key exchange for ssh now works.

Now you just need to set the krb5keytab and servicePrincipalName
attributes in secrets.ldb, and we will handle the rest.

It would be good if you can test it, using the current tree. 

> For the nfs/foo service principals I repeated the above, only this time creating
> a temporary keytab and renaming FOO$ to nfs/foo, then using the ktutil from MIT
> krb5 to merge the two keytabs so I end up with 1 containing all the keys I care
> about.
> 
> However, I seem to be running into the same issue here -- that the kdc isn't
> finding my service principals.  I have verified that nfs/foo is a
> servicePrincipalName in ldap, but when I try an nfs mount I see this in the logs
> on the client:
> 
> rpc.gssd[29806]: Success getting keytab entry for 'nfs/foo at DOMAIN'
> rpc.gssd[29806]: WARNING: Client 'nfs/foo at DOMAIN' not found in Kerberos database
> while getting initial ticket for principal 'nfs/foo at DOMAIN' using keytab
> 'WRFILE:/etc/krb5.keytab'
> rpc.gssd[29806]: ERROR: No credentials found for connection to server bar

I'm rather confused - is this on the NFS client or server?  On the
client, shouldn't it be using a user's ccache, obtained with kinit?

The NFS server should then have nfs/foo at DOMAIN in its keytab, to accept
a connection from the client.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
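The question above comes down to whether the right service principals actually ended up in /etc/krb5.keytab after the filter/rename/merge steps. The following is an added example (not Samba code, not from either poster) that parses the MIT/Heimdal keytab file format (version 0x0502) and reports which required principals are absent, so the keytab can be checked without trusting the tool that produced it. The builder exists only to construct sample data; the principal names, realm "DOMAIN", kvno and enctype values are assumed test values.

```python
import struct

KEYTAB_V2 = b"\x05\x02"          # MIT/Heimdal keytab file format version 0x0502

def _cstr(b):                    # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.
    Used here only to construct test data; real keytabs come from
    `net export keytab` / ktutil."""
    out = KEYTAB_V2
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry; keys are not returned."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                     # name_type (uint32) + timestamp (uint32)
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
        pos = end
    return entries

def missing_service_principals(data, required):
    """Names in `required` that have no entry at all in the keytab."""
    present = {p for p, _, _ in parse_keytab(data)}
    return sorted(set(required) - present)

# Constructed sample: the machine account and host/ key are present, nfs/ is not.
SAMPLE = build_keytab([
    ("FOO$@DOMAIN", 2, 18, bytes(32)),
    ("host/foo@DOMAIN", 2, 18, bytes(32)),
])
```

Run `missing_service_principals(open("/etc/krb5.keytab", "rb").read(), ["host/foo@DOMAIN", "nfs/foo@DOMAIN"])` on the NFS server to see at a glance whether the nfs/ entry survived the merge.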