[Samba] Samba4 unable to find SPN (Kerberos)
Andrew Bartlett
abartlet at samba.org
Sun Jul 22 05:53:36 MDT 2012
On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).
>
> While trying to debug this error, I had a look at the KDC debug
> output of samba, and all queries done while looking for the
> SPN are:
>
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
> expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb
> So the question is: Shouldn't there also be a query like
> expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
>
> Or did I miss something else here?
An AS-REQ means that something is trying to kinit with the name
nfs/atom.mydomain.org (ie, as a client). This shouldn't be needed, so
work out what is doing that.
The line for a client (user) connecting to an NFS server will be more
like:
Kerberos: TGS-REQ user@realm for nfs/atom.mydomain.org
I hope this helps you debug this further,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
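As an added illustration (not code from this thread or from Samba itself), here is a small parser over Samba KDC log lines in the format quoted above. It separates AS-REQ from TGS-REQ entries, attaches the "no such entry found in hdb" result to the request it follows, and flags the pattern Andrew points at: an AS-REQ whose *client* name is shaped like a service principal. The log lines are constructed to match the quoted format, with "@" in place of the archive's "at".

```python
import re
from dataclasses import dataclass

# Constructed sample in the format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb
Kerberos: AS-REQ alice@MYDOMAIN.ORG from ipv4:192.168.1.2:43940 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
Kerberos: TGS-REQ alice@MYDOMAIN.ORG from ipv4:192.168.1.2:43941 for nfs/atom.mydomain.org@MYDOMAIN.ORG
"""

REQ_RE = re.compile(r"^Kerberos: (AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)")
UNKNOWN_RE = re.compile(r"^Kerberos: UNKNOWN -- (\S+): no such entry found in hdb")


@dataclass
class KdcRequest:
    kind: str             # "AS-REQ" (initial kinit-style login) or "TGS-REQ" (service ticket)
    client: str           # principal making the request
    source: str           # ipv4:addr:port the request came from
    server: str           # principal being asked for (krbtgt/... for an AS-REQ)
    unknown: bool = False  # KDC answered "no such entry found in hdb"


def parse_kdc_log(text: str) -> list:
    """Turn the KDC debug output into a list of KdcRequest records."""
    reqs = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            reqs.append(KdcRequest(*m.groups()))
            continue
        u = UNKNOWN_RE.match(line)
        # The UNKNOWN line follows the request it refers to; attach it to that request.
        if u and reqs and reqs[-1].client == u.group(1):
            reqs[-1].unknown = True
    return reqs


def service_shaped_as_requests(reqs: list) -> list:
    """AS-REQs whose client name looks like a service principal (contains '/').

    As the reply explains, a service like nfs/host should show up as the 'for'
    target of a TGS-REQ, not as the client of an AS-REQ; each hit here is a
    host (see .source) to check for a stray kinit as the service name."""
    return [r for r in reqs if r.kind == "AS-REQ" and "/" in r.client.split("@")[0]]
```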