[Samba] Samba4 PDC keytab creation for NFSv4 not working
Henrik Dige Semark
hds at semark.dk
Tue Nov 4 06:49:58 MST 2014
On 2014-11-04 13:11, Rowland Penny wrote:
> On 04/11/14 11:09, Henrik Dige Semark wrote:
>> According to /samba-tool spn list JOTUNHEIM$/ I have the following SPN's
>>
>> # samba-tool spn list JOTUNHEIM$
>> jotunheim$
>> User CN=JOTUNHEIM,OU=Domain Controllers,DC=yggdrasil,DC=bittoo,DC=net
>> has the following servicePrincipalName:
>> HOST/jotunheim.yggdrasil.bittoo.net
>> HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
>> ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
>> GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>> ldap/jotunheim.yggdrasil.bittoo.net
>> HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>> ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>> HOST/JOTUNHEIM
>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net
>> ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
>> ldap/JOTUNHEIM
>> RestrictedKrbHost/JOTUNHEIM
>> RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
>> host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> ldap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> imap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> imap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> radius/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> radius/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> proxy/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>> proxy/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>>
>> Med Venlig Hilsen / Best Regards
>> Henrik Dige Semark
>> Mobil: +45 26331701
>>
>> On 2014-11-04 12:03, Rowland Penny wrote:
>>> On 04/11/14 10:01, Henrik Dige Semark wrote:
>>>> Hey Steve,
>>>>
>>>> If I run your command I get the same python error as before.
>>>>
>>>> # samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 103, in run
>>>> net.export_keytab(keytab=keytab, principal=principal)
>>>>
>>>> Med Venlig Hilsen / Best Regards
>>>> Henrik Dige Semark
>>>> Mobil: +45 26331701
>>>>
>>>> On 2014-11-03 18:12, steve wrote:
>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>>>>
>>> Hi, do you actually have an SPN
>>> 'nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET' in
>>> AD ?
>>>
>>> Rowland
>>>
>>
> Hi, I don't think that you read Steve's blog, see here:
> http://linuxcostablanca.blogspot.co.uk/p/samba-4.html
>
> You need a user!
>
> samba-tool user add nfs-user --random-password
> samba-tool user setexpiry --noexpiry nfs-user
> samba-tool spn add nfs/jotunheim.static.yggdrasil.bittoo.net nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/jotunheim.static.yggdrasil.bittoo.net
>
> Hopefully, when you run ktutil, you will get the following result
>
> ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>    2    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
>    3    1 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
> ktutil: q
>
> Rowland
>
>
Hey,
Sorry I missed that in the blog.
I read through it, and thought my setup, and what I had done/tried
before, was more or less the same - but I missed that he created an
nfs-user and added the keytab on the user instead.
It's true, I can now add the NFS principal to the keytab, but my clients
still can't connect.
I have also double and triple checked that I do the same on the
clients as he describes in the blog post.
My client (hymer$) is part of the domain - I can SSH to jotunheim without
a password, I have DNS and reverse DNS for the machine, and jotunheim
and hymer can ping each other.
Hymer:
# host hymer
hymer.dyn.yggdrasil.bittoo.net has address 192.168.117.106
hymer.dyn.yggdrasil.bittoo.net has IPv6 address 2001:470:dd5b:74:1::d2
# ifconfig
eth0 Link encap:Ethernet HWaddr a4:ba:db:fd:eb:15
inet addr:192.168.117.106 Bcast:192.168.117.255
Mask:255.255.254.0
inet6 addr: fe80::a6ba:dbff:fefd:eb15/64 Scope:Link
inet6 addr: 2001:470:dd5b:74:1::d2/128 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13021 errors:0 dropped:0 overruns:0 frame:0
TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1606944 (1.5 MiB) TX bytes:419378 (409.5 KiB)
Interrupt:16
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:97 errors:0 dropped:0 overruns:0 frame:0
TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21054 (20.5 KiB) TX bytes:21054 (20.5 KiB)
# nslookup 192.168.117.106
Server: 192.168.116.1
Address: 192.168.116.1#53
106.117.168.192.in-addr.arpa name = hymer.dyn.yggdrasil.bittoo.net.
# nslookup 2001:470:dd5b:74:1::d2
Server: 192.168.116.1
Address: 192.168.116.1#53
2.d.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.7.0.0.b.5.d.d.0.7.4.0.1.0.0.2.ip6.arpa name = hymer.dyn.yggdrasil.bittoo.net.
# ktutil list (jotunheim)
FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc HYMER$@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 HYMER$@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
29 des-cbc-crc SKRYMER$@YGGDRASIL.BITTOO.NET
29 des-cbc-md5 SKRYMER$@YGGDRASIL.BITTOO.NET
29 arcfour-hmac-md5 SKRYMER$@YGGDRASIL.BITTOO.NET
1 des-cbc-crc JOTUNHEIM$@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 JOTUNHEIM$@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 JOTUNHEIM$@YGGDRASIL.BITTOO.NET
# ktutil list (hymer)
FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
27 des-cbc-crc host/hymer.dyn.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 host/hymer.dyn.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 host/hymer.dyn.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc host/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 host/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 host/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc nfs/hymer@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 nfs/hymer@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 nfs/hymer@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 nfs/hymer@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 nfs/hymer@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 host/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 host/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc host/hymer@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 host/hymer@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 host/hymer@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 host/hymer@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 host/hymer@YGGDRASIL.BITTOO.NET
27 des-cbc-crc http/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 http/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 http/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 http/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 http/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 des-cbc-crc http/hymer@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 http/hymer@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 http/hymer@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 http/hymer@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 http/hymer@YGGDRASIL.BITTOO.NET
27 des-cbc-crc HYMER$@YGGDRASIL.BITTOO.NET
27 des-cbc-md5 HYMER$@YGGDRASIL.BITTOO.NET
27 aes128-cts-hmac-sha1-96 HYMER$@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 HYMER$@YGGDRASIL.BITTOO.NET
27 arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
# cat /etc/samba/smb.conf (hymer)
[global]
workgroup = YGGDRASIL
security = ADS
realm = YGGDRASIL.BITTOO.NET
encrypt passwords = yes
idmap config *:backend = tdb
# idmap config *:backend = rid
idmap config *:range = 70001-80000
idmap config YGGDRASIL:backend = ad
idmap config YGGDRASIL:schema_mode = rfc2307
idmap config YGGDRASIL:range = 10000-20000
# idmap config YGGDRASIL:base_rid = 0
# winbind nss info = rfc2307
# winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab
# mount -vvvv -t nfs4 -o sec=krb5 jotunheim.static.yggdrasil.bittoo.net:/home /home (hymer)
mount.nfs4: timeout set for Tue Nov 4 14:39:08 2014
mount.nfs4: trying text-based options 'sec=krb5,addr=2001:470:dd5b:74::1,clientaddr=2001:470:dd5b:74:1::d2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.116.1,clientaddr=192.168.117.106'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting jotunheim.static.yggdrasil.bittoo.net:/home
I have no errors in any logfiles on either the server or the client.
Med Venlig Hilsen / Best Regards
Henrik Dige Semark
Mobil: +45 26331701
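An added check, not from this thread or from Samba, for keytab listings like the two above: it parses Heimdal-style "ktutil list" output, reports whether the service principal an NFSv4 mount will ask for is present, and flags principals that exist only with DES or RC4 keys (as the nfs/ entries in the jotunheim listing do, while the hymer listing also carries AES keys). The sample input is constructed from a few of the thread's lines; the weak-enctype list and the line regex are my own assumptions.

```python
import re

# Constructed sample in the shape of Heimdal "ktutil list" output (vno,
# enctype, principal), using principal names from the thread. The Mailman
# archive rewrites "@" as " at ", so the parser accepts both spellings.
SAMPLE = """FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
1 des-cbc-md5 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
27 aes256-cts-hmac-sha1-96 nfs/hymer.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
"""

# Assumed policy: single DES, 3DES and RC4 are treated as weak; AES is not.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac-md5"}

# kvno, enctype, principal name, then either " at " or "@", then the realm.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+?)(?:\s+at\s+|@)(\S+)\s*$")


def parse_ktutil_list(text):
    """Return [(kvno, enctype, 'name@REALM'), ...]; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, enctype, name, realm = m.groups()
            entries.append((int(kvno), enctype, f"{name}@{realm}"))
    return entries


def audit_service(entries, service, host, realm):
    """Describe the keys held for service/host@REALM, e.g. nfs/<fqdn>@REALM."""
    principal = f"{service}/{host}@{realm}"
    enctypes = sorted({e for _, e, p in entries if p == principal})
    kvnos = sorted({k for k, _, p in entries if p == principal})
    return {
        "principal": principal,
        "present": bool(enctypes),
        "kvnos": kvnos,
        "enctypes": enctypes,
        # True when every key for the principal is a weak enctype.
        "weak_only": bool(enctypes) and all(e in WEAK_ENCTYPES for e in enctypes),
    }


if __name__ == "__main__":
    keys = parse_ktutil_list(SAMPLE)
    for host in ("jotunheim.static.yggdrasil.bittoo.net", "hymer.yggdrasil.bittoo.net"):
        print(audit_service(keys, "nfs", host, "YGGDRASIL.BITTOO.NET"))
```

Run it against the real "ktutil list" output of both machines and compare the principal the mount actually requests (nfs/<server fqdn the client resolves>@REALM) with what the server keytab holds.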