[Samba] Samba4 PDC keytab creation for NFSv4 not working
Rowland Penny
rowlandpenny at googlemail.com
Mon Nov 3 03:03:48 MST 2014
On 03/11/14 09:22, Henrik Dige Semark wrote:
>
> Hello everybody,
>
> First, a little about our setup.
>
> We have a Debian 7 (Wheezy) server, now upgraded to Debian testing (Jessie),
> with Samba4 as PDC, Kerberos and LDAP (all provided through Samba4),
> and bind9 and isc-dhcp-server for DDNS and DHCP. Our environment is a
> mix of Linux (Debian Jessie), Mac (Mavericks and Yosemite) and Windows
> 7 and 8.1 clients.
>
> The Windows clients use Samba and are all part of the domain
> (YGGDRASIL), Mac and Linux both use NFSv4, and Linux mounts homes over
> AutoFS.
>
> The past year we have used NFSv4 without Kerberos validation but
> because of new security levels in the organization we have to
> implement Kerberos for NFSv4.
> The problem that we are facing now, and have messed around with for
> the last two weeks, is that Samba won't save the provisioning for the
> Kerberos keytab.
>
> At first we found some minor problems in our bind9 configuration so
> that our reverse addresses on IPv6 were not pointing correctly, but
> IPv4 was.
> Now everything looks right but the problem still remains.
>
>
>
> # kinit Administrator
> Reports no error.
>
> # klist -l
> Name                                  Cache name           Expires
> * Administrator@YGGDRASIL.BITTOO.NET  FILE:/tmp/krb5cc_0   Oct 31 21:19:24 2014
> Looks as it should.
>
> # net ads keytab add -k -S jotunheim.static.yggdrasil.bittoo.net -W YGGDRASIL -U Administrator nfs/jotunheim.static.yggdrasil.bittoo.net -d5
> http://pastebin.com/v3McRKnm
> But I can't add NFS, as you can see above.
>
>
> # samba-tool spn add nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET jotunheim$
> # samba-tool spn add host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET jotunheim$
> Can add the entries correctly into the LDAP database.
>
>
> # samba-tool spn list JOTUNHEIM$
> jotunheim$
> User CN=JOTUNHEIM,OU=Domain Controllers,DC=yggdrasil,DC=bittoo,DC=net
> has the following servicePrincipalName:
> HOST/jotunheim.yggdrasil.bittoo.net
> HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
> ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
> GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> ldap/jotunheim.yggdrasil.bittoo.net
> HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
> HOST/JOTUNHEIM
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net
> ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
> ldap/JOTUNHEIM
> RestrictedKrbHost/JOTUNHEIM
> RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
> host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> ldap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> imap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> imap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> radius/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> radius/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> proxy/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> proxy/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>
>
> And I can export e.g. HOST and HTTP:
> # samba-tool domain exportkeytab /etc/krb5.keytab --principal host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> # samba-tool domain exportkeytab /etc/krb5.keytab --principal http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>
>
> # ktutil list
> FILE:/etc/krb5.keytab:
> Vno Type              Principal                                                        Aliases
> 1   des-cbc-crc       host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-md5       host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   arcfour-hmac-md5  host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-crc       host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-md5       host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   arcfour-hmac-md5  host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-crc       http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-md5       http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   arcfour-hmac-md5  http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-crc       http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   des-cbc-md5       http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> 1   arcfour-hmac-md5  http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>
> But I can't export NFS:
> # samba-tool domain exportkeytab /etc/krb5.keytab --principal nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET -d5
> http://pastebin.com/v48G77j9
>
>
> # cat /etc/samba/smb.conf
> http://pastebin.com/gxs8Ai3G
>
> # cat /etc/krb5.conf
> http://pastebin.com/PSuB1b3P
>
> If you need any more information please don't hesitate to ask for it.
>
> Thanks for your help.
>
Hi, I think that you are going about this in the wrong way. For
instance, you are running a DC, not a PDC; there are lines in your
smb.conf that shouldn't be there or are the defaults. In essence, you
are still thinking like it is a Samba 3 machine.

You are using the wrong command to export the keytab. If you run 'net
ads keytab --help', you will get this:

Warning: "kerberos method" must be set to a keytab method to use keytab
functions.

And no, don't add another line to smb.conf.
The correct command would be 'samba-tool domain exportkeytab xxxxxxxxxxxxxx'.

I would suggest that you go and browse Steve's blog; he has been there,
done it and got the scars to prove it:
http://linuxcostablanca.blogspot.co.uk/
Rowland
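Two things worth checking once `samba-tool domain exportkeytab` has been run: that the service principal you need (here the nfs/ one) actually landed in /etc/krb5.keytab, and which enctypes the exported keys use. The `ktutil list` output quoted in the thread shows only des-cbc-crc, des-cbc-md5 and arcfour-hmac-md5 keys, all of which are deprecated (DES by RFC 6649, RC4 by RFC 8429), so a keytab like that deserves a second look even once the missing principal is fixed. The script below is an added example, not code from the thread or from the Samba project: it parses a Heimdal-style `ktutil list` listing (the format quoted above; on a live host it would come from `ktutil -k /etc/krb5.keytab list`) and reports both conditions. The embedded sample is constructed from the listing in the thread, with one made-up aes256 entry added so the weak-enctype filter has something to let through; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a Heimdal-style `ktutil list`
# listing for (1) the presence of a required service principal and (2) keys that
# use deprecated DES/RC4 enctypes. On a real host the listing would come from
#   ktutil -k /etc/krb5.keytab list
# The sample is constructed from the listing quoted in the thread, plus one
# made-up aes256 entry so the weak-enctype filter has something to pass.

SAMPLE_LISTING='FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 aes256-cts-hmac-sha1-96 http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET'

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 arcfour-hmac-md5'

# keytab_entries LISTING: print only the key lines as "vno enctype principal",
# skipping the FILE: header and the column header.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 3 { print $1, $2, $3 }'
}

# keytab_has_principal LISTING PRINCIPAL: exit 0 if at least one key exists.
keytab_has_principal() {
    keytab_entries "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_weak_entries LISTING: print "enctype principal" for every DES/RC4 key.
keytab_weak_entries() {
    keytab_entries "$1" | awk -v weak="$WEAK_ENCTYPES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        ($2 in isweak) { print $2, $3 }'
}

# count_weak_entries LISTING: number of DES/RC4 keys, as a bare integer.
count_weak_entries() {
    keytab_weak_entries "$1" | wc -l | tr -d ' \t'
}

# audit_keytab LISTING PRINCIPAL: human-readable report; exit 0 only if the
# principal is present and no weak keys are in the keytab.
audit_keytab() {
    _listing=$1
    _principal=$2
    _rc=0
    if keytab_has_principal "$_listing" "$_principal"; then
        printf 'OK: %s is present in the keytab\n' "$_principal"
    else
        printf 'MISSING: %s is not in the keytab\n' "$_principal"
        _rc=1
    fi
    _weak=$(keytab_weak_entries "$_listing")
    if [ -n "$_weak" ]; then
        printf 'WEAK: %s DES/RC4 key(s) present:\n%s\n' \
            "$(count_weak_entries "$_listing")" "$_weak"
        _rc=1
    fi
    return $_rc
}

# Stand-alone run against the constructed sample: the nfs/ principal from the
# thread is absent and all but one key are DES/RC4, so both findings are reported.
audit_keytab "$SAMPLE_LISTING" 'nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET' \
    || printf 'Keytab audit failed\n'
```

To use it against a real keytab, replace the sample with `audit_keytab "$(ktutil -k /etc/krb5.keytab list)" 'nfs/host.example@REALM'`; the parser only depends on the whitespace-separated `Vno Type Principal` columns, so the aligned output of a real `ktutil` run is handled the same way as the collapsed copy in the mail.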