[Samba] Samba4 unable to find SPN (Kerberos)

steve steve at steve-ss.com
Sat Jul 21 02:25:19 MDT 2012


On 07/21/2012 09:01 AM, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).
>
Hi Marcel

The client doesn't need an nfs principal, e.g. we just use the machine$ 
principal.
From man rpc.gssd(8):
<quote>
Previous versions of rpc.gssd used only "nfs/*" keys found within the 
keytab. To be more consistent with other implementations, we now look 
for specific keytab entries. The search order for keytabs to be used for 
"machine credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
</quote>

There are lots of misunderstandings about nfs and Kerberos. We tried to 
collect them:
  http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
HTH,
Steve
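
The keytab search order quoted from rpc.gssd(8) in the reply above, as an added example (not part of the original message and not nfs-utils code): it reads a `klist -k` style listing and reports which entry would be picked as the machine credential. The realm `MYDOMAIN.ORG`, the sample listing, the function names, and the reading of `<HOSTNAME>` as the upper-cased short host name are assumptions.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/atom.mydomain.org@MYDOMAIN.ORG
   1 nfs/atom.mydomain.org@MYDOMAIN.ORG
   1 ATOM$@MYDOMAIN.ORG
"""

def parse_klist(text):
    """Return the principal names from klist -k style lines (KVNO, principal)."""
    return re.findall(r"^[ \t]*\d+[ \t]+(\S+@\S+)[ \t]*$", text, re.M)

def gssd_candidates(fqdn, realm):
    """Yield (label, compiled regex) in the order quoted from rpc.gssd(8)."""
    # Assumption: <HOSTNAME> is the short host name in upper case.
    machine = fqdn.split(".")[0].upper() + "$"
    r = re.escape(realm)
    yield "<HOSTNAME>$", re.compile(re.escape(machine) + "@" + r)
    for svc in ("root", "nfs", "host"):
        yield f"{svc}/<hostname>", re.compile(f"{svc}/{re.escape(fqdn)}@{r}")
    for svc in ("root", "nfs", "host"):
        # <anyname>: any single instance component
        yield f"{svc}/<anyname>", re.compile(f"{svc}/[^/@]+@{r}")

def select_machine_credential(principals, fqdn, realm):
    """Return (rule label, principal) for the first rule that matches, else None."""
    for label, rx in gssd_candidates(fqdn, realm):
        for principal in principals:
            if rx.fullmatch(principal):
                return label, principal
    return None

if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(select_machine_credential(entries, "atom.mydomain.org", "MYDOMAIN.ORG"))
```

Run against a real keytab listing, this shows whether an exported `nfs/...` key is ever reached or whether an earlier entry such as the machine account takes precedence.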


