question about service principals (samba4)

Aaron Solochek aarons-samba at
Fri Sep 24 07:52:01 MDT 2010

On 09/24/2010 01:13 AM, Andrew Bartlett wrote:
> On Thu, 2010-09-23 at 12:48 -0400, Aaron Solochek wrote:
>> Ok, well I did manage to get the host/foo keys by writing a shell script to
>> filter the net export keytab file down to what I wanted, then using ktutil from
>> heimdal to rename the FOO$ to host/foo, and gssapi key exchange for ssh now works.
> Now you just need to set the krb5keytab and servicePrincipalName
> attributes in secrets.ldb, and we will handle the rest.
> It would be good if you can test it, using the current tree.

I have no idea how to do anything with the ldb files other than dump them with
tdbdump.  I'm not sure exactly what you want me to test.  As far as I can tell,
everything as far as the host/ keys is concerned is working fine.

>> For the nfs/foo service principals I repeated the above, only this time creating
>> a temporary keytab and renaming FOO$ to nfs/foo, then using the ktutil from MIT
>> krb5 to merge the two keytabs so I end up with 1 containing all the keys I care
>> about.
>> However, I seem to be running into the same issue here -- that the kdc isn't
>> finding my service principals.  I have verified that nfs/foo is a
>> servicePrincipalName in ldap, but when I try an nfs mount I see this in the logs
>> on the client:
>> rpc.gssd[29806]: Success getting keytab entry for 'nfs/foo@DOMAIN'
>> rpc.gssd[29806]: WARNING: Client 'nfs/foo@DOMAIN' not found in Kerberos database
>> while getting initial ticket for principal 'nfs/foo@DOMAIN' using keytab
>> 'WRFILE:/etc/krb5.keytab'
>> rpc.gssd[29806]: ERROR: No credentials found for connection to server bar
> I'm rather confused - is this on the NFS client or server?  On the
> client, shouldn't it be using a user's ccache, obtained with kinit?

That is on the client.  The client, foo, is attempting to get the nfs/foo key
from the kdc using its keytab.  I'm not 100% sure, because this is my first
attempt at using nfs4, but I assume the nfs server requires that each client
have a service principal for nfs so that it can create the initial mount, and
then actual access to the files is determined by keys held in whatever PAG is
attempting the access.  Anyway, I was just following the instructions from here:

> The NFS server should then have nfs/foo@DOMAIN in its keytab, to accept
> a connection from the client.

The client is foo, the server is bar.  The server does have nfs/bar@DOMAIN in
its keytab.
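The steps Aaron describes above (filter the `net export keytab` output down to one account, rename the `FOO$` entries to `host/foo` and `nfs/foo` with ktutil, merge the results, and then check what the keytab actually contains) can be reproduced without ktutil by reading and writing the keytab file format directly. The script below is an added example written for this page, not code from the thread or from Samba; it implements the version-2 (0x0502) keytab layout used by both MIT and Heimdal, and the sample "exported" entries, key bytes, kvno and realm name `DOMAIN` are constructed stand-ins. The enctype numbers 18 (aes256-cts-hmac-sha1-96) and 23 (arcfour-hmac) are the standard IANA assignments.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List

KEYTAB_V2 = b"\x05\x02"          # keytab file format version 2 (MIT and Heimdal)
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_ARCFOUR_HMAC = 23


@dataclass
class KeytabEntry:
    principal: str          # "service/host@REALM" form
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = 1      # KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, used for realm, components and keys."""
    return struct.pack(">H", len(data)) + data


def encode_keytab(entries: Iterable[KeytabEntry]) -> bytes:
    """Serialise entries into a version-2 keytab byte string."""
    out = bytearray(KEYTAB_V2)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # positive size = live entry
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk a version-2 keytab; a negative record size marks a deleted slot."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])

    def take(pos: int):
        (n,) = struct.unpack_from(">H", data, pos)
        return data[pos + 2:pos + 2 + n], pos + 2 + n

    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                        # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = take(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = take(pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = take(pos)
        kvno = vno8
        if end - pos >= 4:                  # extended kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, ts, name_type))
    return entries


def filter_keytab(entries, wanted):
    """Keep only the principals we care about (the 'filter down' step)."""
    return [e for e in entries if e.principal in wanted]


def rename_principal(entries, old, new):
    """Copy entries, rewriting the principal name and keeping the key (ktutil rename)."""
    return [KeytabEntry(new if e.principal == old else e.principal,
                        e.kvno, e.enctype, e.key, e.timestamp, e.name_type)
            for e in entries]


def merge_keytabs(*keytabs):
    """Concatenate keytabs, dropping exact duplicates (principal, kvno, enctype)."""
    seen, out = set(), []
    for kt in keytabs:
        for e in kt:
            k = (e.principal, e.kvno, e.enctype)
            if k not in seen:
                seen.add(k)
                out.append(e)
    return out


def missing_principals(entries, required):
    """Local sanity check: which required service principals are absent."""
    present = {e.principal for e in entries}
    return sorted(p for p in required if p not in present)


def list_principals(entries):
    return sorted({e.principal for e in entries})


def demo():
    # Constructed stand-in for `net export keytab` output: machine account FOO$
    # with two enctypes, plus an unrelated account that should be filtered out.
    exported = [
        KeytabEntry("FOO$@DOMAIN", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
        KeytabEntry("FOO$@DOMAIN", 3, ENCTYPE_ARCFOUR_HMAC, b"\x22" * 16),
        KeytabEntry("OTHERHOST$@DOMAIN", 5, ENCTYPE_ARCFOUR_HMAC, b"\x33" * 16),
    ]
    mine = filter_keytab(parse_keytab(encode_keytab(exported)), {"FOO$@DOMAIN"})
    host_kt = rename_principal(mine, "FOO$@DOMAIN", "host/foo@DOMAIN")
    nfs_kt = rename_principal(mine, "FOO$@DOMAIN", "nfs/foo@DOMAIN")
    # Round-trip the merged result through the file format, as ktutil would.
    return parse_keytab(encode_keytab(merge_keytabs(host_kt, nfs_kt)))


if __name__ == "__main__":
    kt = demo()
    print("principals:", list_principals(kt))
    print("missing:", missing_principals(kt, ["nfs/foo@DOMAIN", "host/foo@DOMAIN"]))
```

Note what this check does and does not prove: `missing_principals` confirms only the client-side half of the setup, that `/etc/krb5.keytab` really holds an `nfs/foo@DOMAIN` entry with the expected kvno. The rpc.gssd line `Client 'nfs/foo@DOMAIN' not found in Kerberos database` is the KDC's answer to the AS request rpc.gssd makes with that keytab entry, so once the local keytab checks out, the remaining question is whether the KDC resolves that name, which is a server-side matter (the servicePrincipalName and secrets.ldb attributes discussed above), not something a keytab edit can fix.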
