[Samba] Samba winbind and nfsv4 krb5

Oliver Weinmann Oliver.Weinmann at vegaspace.com
Mon Feb 13 02:48:21 MST 2012


Hi All,

I've been struggling for weeks to get samba winbind and a kerberized nfs mount running. We have a Netapp SAN exporting the nfs share with sec=krb5 and a Linux client (Ubuntu 10.04 Server) trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The linux machine is joined to a Windows 2008R2 domain, and user/group lookups, login via ssh etc. work fine.

I have read many articles about using winbind to acquire the Kerberos tickets on login.

What I have done so far is join the linux machine to our AD:

net ads join -U Administrator

After this my krb5.keytab file is filled with the following:

root@ubuntu100432:~# klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)

Then I add the nfs principal:

net ads keytab add nfs -U Administrator

This adds the princ to the keytab file:

   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)

I restart the portmap service (this restarts statd, idmapd and gssd):

service portmap restart

Now when I try to mount the share, I always get "access denied".

Looking at /var/log/daemon.log reveals:

handling krb5 upcall
Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.corp@A.SPACE.CORP'
Success getting keytab entry for 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'
WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server ds-san-02.a.space.corp
doing error downcall
destroying client clnt13
destroying client clnt12

I checked the host in AD with setspn -L and this lists the following:

Registered ServicePrincipalNames for CN=ubuntu100432
ace,DC=corp:
    NFS/ubuntu100432.a.space.corp
    NFS/ubuntu100432
    HOST/ubuntu100432.a.space.corp
    HOST/UBUNTU100432

So there is no principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'.

Is there something special about Windows 2008 R2?

Regards,
Oliver
