[Samba] Samba4 PDC keytab creation for NFSv4 not working

Henrik Dige Semark hds at semark.dk
Mon Nov 3 02:22:33 MST 2014 

Hello everybody,

Fist a little about our setup.

We have an Debian (7) Wheezy, now upgraded to Debian (testing) Jessie 
with Samba4 as PDC, Kerberos and LDAP - all provided through Samba4, and 
bind9 and isc-dhcp server for DDNS and DHCP, our environment is a mix of 
Linux (Debian Jessie), Mac (Maverick and Yosemite) and Windows 7 and 8.1 
clients.

The Windows clients use Samba and are all part of the domain 
(YGGDRASIL), Mac and Linux both use NFSv4, and Linux mounts homes over 
AutoFS.

The past year we have used NFSv4 without Kerberos validation but because 
of new security levels in the organization we have to implement Kerberos 
for NFSv4.
The problem that we are facing now, and have messed around with for the 
last two weeks, is that Samba wont save the previsioning for the 
Kerberos keytab.

At first we found some minor problems in our bind9 configuration so that 
our reverse addresses on IPv6 were not pointing correctly, but IPv4 was.
Now everything looks right but the problem still remains.



# kinit Administrator
Reports no error

# klist -l
     Name Cache name                 Expires
* Administrator at YGGDRASIL.BITTOO.NET   FILE:/tmp/krb5cc_0   Oct 31 
21:19:24 2014
Looks as it should

# net ads keytab add -k -S jotunheim.static.yggdrasil.bittoo.net -W 
YGGDRASIL -U Administrator nfs/jotunheim.static.yggdrasil.bittoo.net -d5
http://pastebin.com/v3McRKnm
But I can't add NFS as you can see above .


# samba-tool spn add 
nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET jotunheim$
# samba-tool spn add 
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET jotunheim$
Can add the entries correctly into the LDAP database


# samba-tool spn list JOTUNHEIM$
jotunheim$
User CN=JOTUNHEIM,OU=Domain Controllers,DC=yggdrasil,DC=bittoo,DC=net 
has the following servicePrincipalName:
          HOST/jotunheim.yggdrasil.bittoo.net
          HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
          ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
          GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
          ldap/jotunheim.yggdrasil.bittoo.net
          HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
          ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
          HOST/JOTUNHEIM
E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net
ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
          ldap/JOTUNHEIM
          RestrictedKrbHost/JOTUNHEIM
          RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
ldap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
imap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          imap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          radius/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
radius/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
          proxy/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
proxy/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET


And I can export eg. HOST and HTTP
# samba-tool domain exportkeytab /etc/krb5.keytab --principal 
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
# samba-tool domain exportkeytab /etc/krb5.keytab --principal 
http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET


# ktutil list
FILE:/etc/krb5.keytab:
Vno  Type Principal Aliases
   1  des-cbc-crc 
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-md5 
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  arcfour-hmac-md5 
host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-crc host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-md5 host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  arcfour-hmac-md5 
host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-crc 
http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-md5 
http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  arcfour-hmac-md5 
http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-crc http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  des-cbc-md5 http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
   1  arcfour-hmac-md5 
http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET

But I can't export NFS:
# samba-tool domain exportkeytab /etc/krb5.keytab --principal 
nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET -d5
http://pastebin.com/v48G77j9


# cat /etc/samba/smb.conf
http://pastebin.com/gxs8Ai3G

# cat /etc/krb5.conf
http://pastebin.com/PSuB1b3P

If you need any more information please don't hesitate to ask for it.

Thanks for your help.

-- 
Med Venlig Hilsen / Best Regards
Henrik Dige Semark
Mobil: +45 26331701

More information about the samba mailing list