[Samba] Samba4 unable to find SPN (Kerberos)

Andrew Bartlett abartlet at samba.org
Sun Jul 22 05:53:36 MDT 2012

On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org
> After setting up NFS, a secure mount fails (permission denied).
> While trying to debug this error, I had a look at the KDC debug
> output of samba, and all queries done while looking for the
> SPN are:
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/atom.mydomain.org at MYDOMAIN.ORG from ipv4: for krbtgt/MYDOMAIN.ORG at MYDOMAIN.ORG
> expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org at MYDOMAIN.ORG))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/atom.mydomain.org at MYDOMAIN.ORG: no such entry found in hdb

> So the question is: Shouldn't there also be a query like
> expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
> Or did I miss something else here?

An AS-REQ means that something is trying to kinit with the name
nfs/atom.mydomain.org (ie, as a client).  This shouldn't be needed, so
work out what is doing that.  

The line for a client (user) connecting to an NFS server will be more
Kerberos: TGS-REQ user at realm for nfs/atom.mydomain.org

I hope this helps you debug this further,

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list