[Samba] NFSv4 + Kerberos understanding

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Mon Jul 28 10:30:29 MDT 2014


After some tries, the only way I've got this working is when I use 
the -n option on the rpc.gssd daemon and do a kinit 
Administrator@MYDOMAIN.COM as root. With this, the mount is OK.

But this is not a solution because my NFS must be mounted at boot (so no 
kinit possible).



On 28/07/2014 17:14, Bruno MACADRÉ wrote:
> Hi,
>
> I have a SAMBA4 AD domain that works nicely. All my W7 machines joined perfectly 
> and all my Linux clients authenticate against the Kerberos part of SAMBA. 
> All works perfectly; now I'm trying to secure my NFS mounts by using the 
> Kerberos part of SAMBA.
>
> My NFS server works and I can mount NFS4 exports without Kerberos (and 
> without problem ;-) ), but when I want to mount a gss/krb5 export on a 
> Linux client it doesn't work at all.
>
> What I've done:
>
> On my DC:
>
>   - Creating a user 'nfs-client':
>         # samba-tool user add nfs-client --random-password
>
>   - Creating a Service Principal Name for that client:
>         # samba-tool spn add nfs/client.mydom.com nfs-client
>
>   - Exporting this new principal to my client:
>         # samba-tool domain exportkeytab /root/client.nfs.keytab --principal=nfs/client.mydomain.com
>
>   - Finally, scp this new keytab part over and merge it 
> with the existing one.
>
>
> On the client:
>
> When I try to mount I always get the same answer: mount.nfs4: access 
> denied by server while mounting server.mydomain.com:/data
>
> In syslog, rpc.gssd always says: WARNING: Client 
> 'nfs/client.mydomain.com@MYDOMAIN.COM' not found in Kerberos database 
> while getting initial ticket for principal 
> 'nfs/client.mydomain.com@MYDOMAIN.COM' using keytab 
> 'FILE:/etc/krb5.keytab'
>
> /etc/krb5.conf:
> [libdefaults]
>     default_realm = MYDOMAIN.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> # klist -k /etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>
>
> If anybody has an idea,
> thanks in advance,
>
> Regards
> Bruno.

-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Contact:
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tel : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
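Added illustration, not part of the thread: when root mounts a krb5 export and rpc.gssd is started without `-n`, the daemon looks in the keytab for machine credentials under a fixed set of names for the client host, by default `HOST$@REALM`, then `root/fqdn`, `nfs/fqdn` and `host/fqdn` (the nfs-utils default list; exact case handling of the `HOST$` form has varied between versions, so treat that comparison as an assumption). With `-n`, that lookup is skipped for root and root's own credential cache is used instead, which is why the `kinit Administrator` workaround above makes the mount succeed. The warning quoted in the post is the KDC answering that the client principal taken from the keytab is unknown to it, so a useful defender-side check before touching rpc.gssd options is to parse `klist -k`, see which of the candidate principals the keytab actually holds, and compare each service principal against the SPNs registered in the directory. The script below is example code written for this page, not from the poster or from Samba/nfs-utils; the `klist -k` text is constructed from the listing in the post and the registered SPN set is constructed from the `samba-tool spn add` command in the post (which spells the host `client.mydom.com`, while the export used `client.mydomain.com`).

```python
import re

# Constructed sample: the `klist -k` listing from the post above, with the
# archive's "at" obfuscation restored to "@". Not captured from a live system.
SAMPLE_KLIST = """KVNO Principal
---- --------------------------------------------------------------------------
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
"""

# Constructed: SPNs as registered in AD, mirroring the `samba-tool spn add`
# step in the post (note the host spelling differs from the keytab export).
REGISTERED_SPNS = {"nfs/client.mydom.com"}

# Service names rpc.gssd tries, in order, when picking machine credentials
# from the keytab (nfs-utils default list): HOST$, root/, nfs/, host/.
GSSD_SERVICE_NAMES = ("$", "root", "nfs", "host")

# One keytab line: "<kvno> <principal>"; `klist -k -e` would add an enctype
# in parentheses after the principal, which this simple form does not handle.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: kvno} from `klist -k` output, collapsing duplicate
    entries (one per encryption type) and skipping the header/separator."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def gssd_candidates(fqdn, realm):
    """Principals rpc.gssd looks for, in its search order, for this host.
    Assumption: the HOST$ form uses the short hostname exactly as given;
    some nfs-utils versions upper-case it, so check that case if a match fails."""
    short = fqdn.split(".")[0]
    candidates = []
    for svc in GSSD_SERVICE_NAMES:
        if svc == "$":
            candidates.append(f"{short}$@{realm}")
        else:
            candidates.append(f"{svc}/{fqdn}@{realm}")
    return candidates


def check_keytab(keytab_entries, fqdn, realm):
    """Map each candidate principal to whether the keytab holds a key for it."""
    return {p: p in keytab_entries for p in gssd_candidates(fqdn, realm)}


def spn_mismatches(keytab_entries, registered_spns):
    """Service principals present in the keytab whose SPN (realm stripped) is
    not registered in the directory. These are the keys a KDC cannot map to an
    account, so an AS-REQ for them fails with 'not found in Kerberos database'."""
    missing = []
    for principal in keytab_entries:
        if "/" not in principal:
            continue  # HOST$ machine account, not a service principal
        spn = principal.split("@", 1)[0]
        if spn not in registered_spns:
            missing.append(principal)
    return sorted(missing)


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST)
    for principal, present in check_keytab(keytab, "client.mydomain.com", "MYDOMAIN.COM").items():
        print(f"{'present' if present else 'absent '}  {principal}")
    for principal in spn_mismatches(keytab, REGISTERED_SPNS):
        print(f"keytab principal not registered as an SPN: {principal}")
```

Run against a real system, feed it the output of `klist -k /etc/krb5.keytab` and the SPN list from `samba-tool spn list <account>` on the DC. Both `HOST$` and `nfs/fqdn` being present, as in the post, only helps if the directory knows those exact names; the second function is what surfaces a spelling drift between the `spn add` and `exportkeytab` steps.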


