Samba ADDC and NFS

steve steve at
Sun May 25 12:56:55 MDT 2014

On Sun, 2014-05-25 at 11:53 -0600, Zane Zakraisek wrote:
> I'm having some difficulty understanding the process for getting NFS to use
> the samba DC kerberos for authentication.
> I have a Samba 4.1 server running as an ADDC and a bunch of windows and
> Linux machines joined to it. The Linux machines are joined with samba and
> winbind.
> One of my Linux servers runs samba 3.6 and servers files using Samba for
> the windows clients and NFS for the Linux ones. I would simply like to make
> it so that NFS uses samba for authentication instead of just trusting UIDs.
> The nfs configuration is fairly simply, but I'm not understanding the
> kerberos configuration.
> Here is what I think is correct, but would love somebody to verify...
> 1. Change the NFS configuration to use kerberos for security
> 2. Generate SPNs for Linux clients that will be connecting to the NFS
> server? Or do I create an nfs-server user account and then generate SPN for
> that account?
> 3. Export these and place them in /etc/krb5.keytab on the client computers
> using samba-tool domain exportkeytab
> 4. Do I then add the line in the smb.conf on the client computers to point
> to the keytab file?

Only the NFS server needs the nfs/domain spn. Create it on the DC and
then transfer to your nfs server. Merge it with your default keytab
samba-tool spn add nfs/your.domain zane
samba-tool domain exportkeytab /tmp/nfs.keytab
use ktutil to merge when you have done the transfer

All the clients need are a suitable key in the keytab. nfs mounts go
fine with MACHINE$ or host keys you get just by joining them to the
domain wit a minimal smb.conf.

More information about the samba-technical mailing list