[Samba] latest Samba 4 does not look in keytab

steve
Fri Feb 10 16:37:22 MST 2012

On 02/10/2012 07:24 PM, Gémes Géza wrote:
> On 2012-02-10 17:58, steve wrote:
>> Hi
>> After upgrading to
>> Version 4.0.0alpha18-GIT-24ed8c5 on Ubuntu 11.10, Samba 4 no longer
>> looks in the keytab for my nfs server entry:
>> mount -t nfs4 foo bar --o sec=krb5
>> Kerberos: AS-REQ nfs/hh3.hh3.site at HH3.SITE from ipv4: for krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: UNKNOWN -- nfs/hh3.hh3.site at HH3.SITE: no such entry found in hdb
>> The nfs entry is in the keytab:
>> klist -ke /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     1 nfs/hh3.hh3.site at HH3.SITE (des-cbc-crc)
>>     1 nfs/hh3.hh3.site at HH3.SITE (des-cbc-md5)
>>     1 nfs/hh3.hh3.site at HH3.SITE (arcfour-hmac)
>> How do I tell this new version to look in the keytab? or,
>> How do I add the nfs internally?
>> Thanks,
>> Steve
> Hi,
> First some basics, sorry if it is boring ;-)
Nope. Please keep reminding me:)
> /etc/krb5.keytab is the "password file" your nfs service is using in
> order to be able to authenticate itself with samba4's kerberos service;
> it could be on a completely different machine and would work in the same
> way.
> Samba4 stores the same "password" in its internal database (ldb) and
> when connected it looks it up there.
Yep. Got it.
> Now back on your situation:
> Have you re-provisioned after upgrade?
> If yes you need to recreate the principal and the spn for nfs, and
> reexport the keytab for it.
> If not you may need to do an upgradeprovision in order to apply the
> expected directory changes.
> Good Luck!
> Geza
Unfortunately, upgradeprovision fails. There are other issues with this 
latest git because instead of installing everything under 
/usr/local/samba it leaves stuff in samba-master which it still uses 
after it has installed. Problem is that make install messes up 
samba-master. Running make again fixes most of it but leaves the dns 
files with the wrong permissions if you are using bind9 and the samba 
dns server falls over after a restart if you provision with the 
internal. That is on Ubuntu. I keep my old checkout under openSUSE to 
fall back on. Time for a clean start on Ubuntu I think.
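
The mismatch discussed in this thread (keys present in the service's keytab, no matching entry in the KDC's database) can be checked mechanically. The following is an added example, not part of the original messages and not Samba code; the sample `klist -ke` and KDC log text are constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the output quoted in the thread.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   1 nfs/hh3.hh3.site@HH3.SITE (des-cbc-crc)
   1 nfs/hh3.hh3.site@HH3.SITE (des-cbc-md5)
   1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)
   2 host/hh3.hh3.site@HH3.SITE (arcfour-hmac)
"""
KDC_LOG = """\
Kerberos: AS-REQ nfs/hh3.hh3.site@HH3.SITE from ipv4: for krbtgt/HH3.SITE@HH3.SITE
Kerberos: UNKNOWN -- nfs/hh3.hh3.site@HH3.SITE: no such entry found in hdb
Kerberos: AS-REQ host/hh3.hh3.site@HH3.SITE from ipv4: for krbtgt/HH3.SITE@HH3.SITE
"""

KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")
KDC_UNKNOWN = re.compile(r"UNKNOWN -- (\S+@\S+?): no such entry found in hdb")

def normalise(text):
    # The archived mail shows " at " where the tools print "@"; accept both.
    return re.sub(r"(\S) at (\S)", r"\1@\2", text)

def keytab_principals(klist_text):
    """Map principal -> {kvno: set of enctypes} from `klist -ke` output."""
    entries = {}
    for line in normalise(klist_text).splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return entries

def unknown_to_kdc(kdc_log_text):
    """Principals the KDC reported as missing from its database (hdb)."""
    return set(KDC_UNKNOWN.findall(normalise(kdc_log_text)))

def stale_keytab_entries(klist_text, kdc_log_text):
    """Principals with keys in the keytab that the KDC has no entry for."""
    keytab = keytab_principals(klist_text)
    return {p: keytab[p] for p in unknown_to_kdc(kdc_log_text) if p in keytab}

if __name__ == "__main__":
    for principal, keys in stale_keytab_entries(KLIST_OUTPUT, KDC_LOG).items():
        print(f"{principal}: keytab has kvno {sorted(keys)} but the KDC has no "
              "entry; recreate the principal/SPN and re-export the keytab")
```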

