[Samba] Samba4 unable to find SPN (Kerberos)

Marcel Ritter marcel.ritter at rrze.fau.de
Mon Aug 6 09:02:37 MDT 2012 

Hi list, hi Andrew,

sorry for the long delay, but here's what I finally figured out:

Using secure NFSv4 requires rpc.gssd on the NFS client - to
handle the kerberos stuff.

When trying to mount a NFSv4 filesystem (-t nfs4 -o sec=krb5)
rpc.gssd definitely does an AS-REQ for one of the following
principals
	HOSTNAME$@REALM
	host/hostname at REALM
	nfs/hostname at REALM
(the first one only with new versions of rpc.gssd). The principal
needs to be stored in the local (client) keytab, in order to make
the AS-REQ work.
(The behavior can be emulated by doing a
	kinit -kt /etc/krb5.keytab HOSTNAME$@REALM)

The trick is, to create an extra AD object, with an (unique)
userPrincipalName attribute (named like one of the above),
and export this principal key to the local client keytab.
That's what AD/Samba4 are looking for during an AS-REQ.

By now NFS is the only service I've tried to integrate, that
acts like this.

Bye,
   Marcel




-----Ursprüngliche Nachricht-----
Von: Andrew Bartlett [mailto:abartlet at samba.org] 
Gesendet: Sonntag, 22. Juli 2012 13:54
An: Marcel Ritter
Cc: 'samba'
Betreff: Re: [Samba] Samba4 unable to find SPN (Kerberos)

On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
> 
> while trying to use Samba4 as KDC for secure NFS (once again) I found 
> something I suspect to be an error:
> 
> In order for NFS (with krb5) to work it requires a nfs/... principal, 
> so I created one using samba-tool:
> 
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user samba-tool domain 
> exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org
> 
> After setting up NFS, a secure mount fails (permission denied).
> 
> While trying to debug this error, I had a look at the KDC debug output 
> of samba, and all queries done while looking for the SPN are:
> 
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/atom.mydomain.org at MYDOMAIN.ORG from 
> ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG at MYDOMAIN.ORG
> expr: 
> (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org at MYDOMAIN.
> ORG))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/atom.mydomain.org at MYDOMAIN.ORG: no such entry 
> found in hdb

> So the question is: Shouldn't there also be a query like
> expr: 
> (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
> 
> Or did I miss something else here?

An AS-REQ means that something is trying to kinit with the name nfs/atom.mydomain.org (ie, as a client).  This shouldn't be needed, so work out what is doing that.  

The line for a client (user) connecting to an NFS server will be more
like:
Kerberos: TGS-REQ user at realm for nfs/atom.mydomain.org

I hope this helps you debug this further,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list