[Samba] Samba4 unable to find SPN (Kerberos)

Marcel Ritter marcel.ritter at rrze.fau.de
Sat Jul 21 01:01:28 MDT 2012


While trying to use Samba4 as KDC for secure NFS (once again)
I found something I suspect to be an error:

In order for NFS (with krb5) to work it requires a nfs/... principal,
so I created one using samba-tool:

samba-tool user add nfs-user
samba-tool spn add nfs/atom.mydomain.org nfs-user
samba-tool domain exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org

After setting up NFS, a secure mount fails (permission denied).

While trying to debug this error, I had a look at the KDC debug
output of samba, and all queries done while looking for the
SPN are:

# Samba 4 log (during mount attempt):
Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4: for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb

Obviously the created computer object (see below) does not
match any of the above queries:

# atom-nfs, Users, mydomain.org
dn: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: atom-nfs
instanceType: 4
whenCreated: 20120720212952.0Z
uSNCreated: 4039
name: atom-nfs
objectGUID:: ZBSl4FIfvUyd6pbg4Rpy0w==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
logonCount: 0
sAMAccountName: atom-nfs
sAMAccountType: 805306368
userPrincipalName: atom-nfs@mydomain.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=org
pwdLastSet: 129872933920000000
userAccountControl: 66048
accountExpires: 0
servicePrincipalName: nfs/atom.mydomain.org
whenChanged: 20120720213725.0Z
uSNChanged: 4043
distinguishedName: CN=atom-nfs,CN=Users,DC=mydomain,DC=org

So the question is: Shouldn't there also be a query like
expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
to make SPNs usable?

Or did I miss something else here?

Hope someone can help,
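An added illustration, not part of this post or of Samba's code: a small Python matcher that replays the two lookups from the KDC log, plus the servicePrincipalName query the post asks about, against a constructed copy of the posted account's attributes. The filter evaluator is a simplified stand-in for the real LDB query engine (equality terms and `&` only) and is an assumption, as is the trimmed sample entry.

```python
import re

# Constructed sample: only the attributes of the posted account that matter here.
SAMPLE_LDIF = """\
dn: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
objectClass: top
objectClass: user
sAMAccountName: atom-nfs
userPrincipalName: atom-nfs@mydomain.org
servicePrincipalName: nfs/atom.mydomain.org
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def matches(entry, filt):
    """Evaluate (a=v) or (&(a=v)(b=w)...) against an entry.
    Simplified: equality terms only; attribute names and values compare
    case-insensitively, as Active Directory does for these attributes."""
    filt = filt.strip()
    if filt.startswith("(&"):
        terms = re.findall(r"\(([^()=]+)=([^()]*)\)", filt[2:-1])
        return all(matches(entry, f"({a}={v})") for a, v in terms)
    m = re.fullmatch(r"\(([^()=]+)=([^()]*)\)", filt)
    attr, value = m.group(1).strip().lower(), m.group(2).strip()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def kdc_lookups(entry, principal, realm):
    """Replay the two queries seen in the log, plus the SPN query the post proposes."""
    filters = {
        "userPrincipalName": f"(&(objectClass=user)(userPrincipalName={principal}@{realm}))",
        "samAccountName": f"(&(objectClass=user)(samAccountName={principal}))",
        "servicePrincipalName": f"(&(objectClass=user)(servicePrincipalName={principal}))",
    }
    return {name: matches(entry, f) for name, f in filters.items()}

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    for name, hit in kdc_lookups(entry, "nfs/atom.mydomain.org", "MYDOMAIN.ORG").items():
        print(f"{name:22s} {'match' if hit else 'no match'}")
```

Only the third query finds the account, which is the mismatch the post describes: the SPN is stored on the object but neither of the two lookups the KDC issues consults it.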

