[Samba] Samba winbind and nfsv4 krb5

steve steve at steve-ss.com
Thu Feb 16 05:05:42 MST 2012


On 02/13/2012 10:48 AM, Oliver Weinmann wrote:
> Hi All,
>
> I'm struggling since weeks to get samba winbind and a kerberized nfs mount running. We have a Netapp SAN exporting the nfs share with sec=krb5 and a Linux Client Ubuntu 10.04 Server trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The linux machine is joined to an Windows 2008R2 domain and user/group lookups login via ssh etc. work fine.
>
> I have read many articles about using winbind to aquire the Kerberos tickets on login.
>
> What I have done so far is join the linux machine to our AD:
>
> net ads join -U Administrator
>
> After this my krb5.keytab file is filled with the following:
>
> root at ubuntu100432:~# klist -kte
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp at A.SPACE.CORP (DES cbc mode with CRC-32)
>     2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp at A.SPACE.CORP (DES cbc mode with RSA-MD5)
>     2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp at A.SPACE.CORP (ArcFour with HMAC/md5)
>     2 02/13/12 09:34:59 host/ubuntu100432 at A.SPACE.CORP (DES cbc mode with CRC-32)
>     2 02/13/12 09:34:59 host/ubuntu100432 at A.SPACE.CORP (DES cbc mode with RSA-MD5)
>     2 02/13/12 09:34:59 host/ubuntu100432 at A.SPACE.CORP (ArcFour with HMAC/md5)
>     2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
>     2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
>     2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)
>
> Then I add the nfs principal:
>
> net ads keytab add nfs -U Administrator
>
> This adds the princ to the keytab file:
>
>     2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp at A.SPACE.CORP (DES cbc mode with CRC-32)
>     2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp at A.SPACE.CORP (DES cbc mode with RSA-MD5)
>     2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp at A.SPACE.CORP (ArcFour with HMAC/md5)
>     2 02/13/12 09:36:11 nfs/ubuntu100432 at A.SPACE.CORP (DES cbc mode with CRC-32)
>     2 02/13/12 09:36:11 nfs/ubuntu100432 at A.SPACE.CORP (DES cbc mode with RSA-MD5)
>     2 02/13/12 09:36:11 nfs/ubuntu100432 at A.SPACE.CORP (ArcFour with HMAC/md5)
>
> I restart the portmap service (this restarts statd idmapd and gssd)
>
> Service portmap restart
>
> Now when I try to mount the share I always get an access denied:
>
> Looking at /var/log/daemon.log reveals:
>
> handling krb5 upcall
> Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
> Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
> Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.corp at A.SPACE.CORP'
> Success getting keytab entry for 'nfs/ubuntu100432.a.space.corp at A.SPACE.CORP'
> WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.corp at A.SPACE.CORP' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server ds-san-02.a.space.corp
> doing error downcall
> destroying client clnt13
> destroying client clnt12
>
> I checked the host in AD with setspn -L and this lists the following:
>
> Registered ServicePrincipalNames for CN=ubuntu100432
> ace,DC=corp:
>      NFS/ubuntu100432.a.space.corp
>      NFS/ubuntu100432
>      HOST/ubuntu100432.a.space.corp
>      HOST/UBUNTU100432
>
> So there is no principal 'nfs/ubuntu100432.a.space.corp at A.SPACE.CORP'.
>
> Is there something special about Windows 2008 R2?
>
> Regards,
> Oliver
>
>
Hi

I don't think AD supports either DES nor arcfour out of the box. We have 
the same setup with Samba 4 which does and we can mount sec=krb5.

I don't think that this will make any difference in your case, but it 
may be woth a try. as unless you're running an old distro, you don't 
need the nfs principal in the client's keytab. See the man rpc.gssd(8). 
There's an up to date copy here:
  http://linux.die.net/man/8/rpc.gssd
We also tried to produce some readable kerberized nfs4 documentation:
http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
HTH,
Steve




More information about the samba mailing list