[Samba] Samba winbind and nfsv4 krb5
steve
steve at steve-ss.com
Thu Feb 16 05:05:42 MST 2012
On 02/13/2012 10:48 AM, Oliver Weinmann wrote:
> Hi All,
>
> I'm struggling since weeks to get samba winbind and a kerberized nfs mount running. We have a Netapp SAN exporting the nfs share with sec=krb5 and a Linux Client Ubuntu 10.04 Server trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The linux machine is joined to an Windows 2008R2 domain and user/group lookups login via ssh etc. work fine.
>
> I have read many articles about using winbind to aquire the Kerberos tickets on login.
>
> What I have done so far is join the linux machine to our AD:
>
> net ads join -U Administrator
>
> After this my krb5.keytab file is filled with the following:
>
> root at ubuntu100432:~# klist -kte
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
> 2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
> 2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
> 2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
> 2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
> 2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)
> 2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
> 2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
> 2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)
>
> Then I add the nfs principal:
>
> net ads keytab add nfs -U Administrator
>
> This adds the princ to the keytab file:
>
> 2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
> 2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
> 2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
> 2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
> 2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
> 2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)
>
> I restart the portmap service (this restarts statd idmapd and gssd)
>
> service portmap restart
>
> Now when I try to mount the share I always get an access denied:
>
> Looking at /var/log/daemon.log reveals:
>
> handling krb5 upcall
> Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
> Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
> Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.corp@A.SPACE.CORP'
> Success getting keytab entry for 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'
> WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server ds-san-02.a.space.corp
> doing error downcall
> destroying client clnt13
> destroying client clnt12
>
> I checked the host in AD with setspn -L and this lists the following:
>
> Registered ServicePrincipalNames for CN=ubuntu100432
> ace,DC=corp:
> NFS/ubuntu100432.a.space.corp
> NFS/ubuntu100432
> HOST/ubuntu100432.a.space.corp
> HOST/UBUNTU100432
>
> So there is no principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'.
>
> Is there something special about Windows 2008 R2?
>
> Regards,
> Oliver
>
>
Hi
I don't think AD supports either DES or arcfour out of the box. We have
the same setup with Samba 4 which does and we can mount sec=krb5.
I don't think that this will make any difference in your case, but it
may be worth a try, as unless you're running an old distro, you don't
need the nfs principal in the client's keytab. See man rpc.gssd(8).
There's an up to date copy here:
http://linux.die.net/man/8/rpc.gssd
We also tried to produce some readable kerberized nfs4 documentation:
http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
HTH,
Steve
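As an added example (not code from this thread, nor from Samba or nfs-utils), the following Python script parses the `klist -kte` listing and the rpc.gssd lines quoted above, reports which service principals the client keytab actually holds, flags the single-DES and ArcFour enctypes Steve mentions, and extracts the KDC error from the gssd log so the local and remote sides of the failure can be told apart. The sample input is the thread's own output with the list archive's " at " munging restored to "@"; the timestamp regex assumes the klist output format shown there, and the `required` principal list is an assumption chosen to match what this gssd log looked for.

```python
"""Offline checks for a kerberized NFSv4 client: keytab contents vs. rpc.gssd log.

Added example. Parses the text formats seen in the thread (`klist -kte`
and rpc.gssd messages from /var/log/daemon.log); no Kerberos libraries needed.
"""
import re

# Enctype names as printed by MIT klist. Single DES is broken and RC4/ArcFour
# is deprecated; a keytab holding only these is a finding in itself.
WEAK_ENCTYPE_MARKERS = ("DES cbc mode", "ArcFour")

# One `klist -kte` entry: KVNO, timestamp, principal, "(enctype)".
# Timestamp pattern assumes the MM/DD/YY HH:MM:SS format shown in the thread.
KLIST_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)
GSSD_KEYTAB_OK = re.compile(r"Success getting keytab entry for '(?P<princ>[^']+)'")
GSSD_KEYTAB_MISSING = re.compile(
    r"Key table entry not found while getting keytab entry for '(?P<princ>[^']+)'")
GSSD_KDC_FAIL = re.compile(
    r"WARNING: (?P<reason>.+?) while getting initial ticket for principal '(?P<princ>[^']+)'")

# Constructed sample input: the thread's own klist/gssd output, "@" restored.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
"""
SAMPLE_GSSD_LOG = """\
handling krb5 upcall
Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.corp@A.SPACE.CORP'
Success getting keytab entry for 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'
WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server ds-san-02.a.space.corp
doing error downcall
"""


def parse_klist(text):
    """Map each principal in `klist -kte` output to the set of enctypes it has keys for."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            keytab.setdefault(m.group("princ"), set()).add(m.group("etype"))
    return keytab


def weak_enctypes(keytab):
    """Sorted (principal, enctype) pairs whose enctype is single DES or ArcFour."""
    return sorted((p, e) for p, es in keytab.items() for e in es
                  if any(marker in e for marker in WEAK_ENCTYPE_MARKERS))


def diagnose_gssd(log):
    """Split rpc.gssd messages into local keytab lookups and KDC-side rejections."""
    result = {"missing": [], "found": [], "kdc_errors": []}
    for line in log.splitlines():
        if (m := GSSD_KEYTAB_MISSING.search(line)):
            result["missing"].append(m.group("princ"))
        elif (m := GSSD_KEYTAB_OK.search(line)):
            result["found"].append(m.group("princ"))
        elif (m := GSSD_KDC_FAIL.search(line)):
            result["kdc_errors"].append((m.group("princ"), m.group("reason")))
    return result


def check_client(klist_text, log_text, required):
    """Combine both views: which required principals are absent locally, which
    enctypes are weak, and which local keys the KDC refused to issue a TGT for."""
    keytab = parse_klist(klist_text)
    gssd = diagnose_gssd(log_text)
    findings = []
    for princ, reason in gssd["kdc_errors"]:
        if princ in keytab:  # key exists locally, so the problem is on the KDC side
            findings.append(f"{princ}: key present in keytab but KDC says '{reason}'")
    if weak_enctypes(keytab):
        findings.append("keytab contains single-DES/ArcFour keys; prefer AES enctypes")
    return {
        "principals": sorted(keytab),
        "missing_required": [p for p in required if p not in keytab],
        "weak": weak_enctypes(keytab),
        "gssd": gssd,
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_client(SAMPLE_KLIST, SAMPLE_GSSD_LOG,
                          ["nfs/ubuntu100432.a.space.corp@A.SPACE.CORP"])
    for finding in report["findings"]:
        print(finding)
```

Run it against a real client with `klist -kte > keytab.txt` and the gssd lines grepped from the daemon log, then pass those strings to `check_client`. The useful distinction it draws is the one in the thread: "Key table entry not found" is a local keytab gap, while "Client not found in Kerberos database" for a principal the keytab does hold means the KDC side (the account or its registered names) needs to be checked, not the client.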