[Samba] Samba4 PDC keytab creation for NFSv4 not working

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 4 07:21:46 MST 2014


On 04/11/14 13:49, Henrik Dige Semark wrote:
> On 2014-11-04 13:11, Rowland Penny wrote:
>> On 04/11/14 11:09, Henrik Dige Semark wrote:
>>> According to /samba-tool spn list JOTUNHEIM$/ I have the following 
>>> SPN's
>>>
>>> # samba-tool spn list JOTUNHEIM$
>>> jotunheim$
>>> User CN=JOTUNHEIM,OU=Domain 
>>> Controllers,DC=yggdrasil,DC=bittoo,DC=net has the following 
>>> servicePrincipalName:
>>>          HOST/jotunheim.yggdrasil.bittoo.net
>>>          HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
>>>          ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
>>> GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>>>          ldap/jotunheim.yggdrasil.bittoo.net
>>> HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>>> ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
>>>          HOST/JOTUNHEIM
>>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net 
>>>
>>> ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
>>>          ldap/JOTUNHEIM
>>>          RestrictedKrbHost/JOTUNHEIM
>>>          RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
>>> host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> ldap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> imap/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> imap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> radius/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> radius/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> proxy/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>> proxy/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>>
>>> Med Venlig Hilsen / Best Regards
>>> Henrik Dige Semark
>>> Mobil: +45 26331701
>>>
>>> On 2014-11-04 12:03, Rowland Penny wrote:
>>>> On 04/11/14 10:01, Henrik Dige Semark wrote:
>>>>> Hey Steve,
>>>>>
>>>>> If I run your command I get the same python error as before.
>>>>>
>>>>> # samba-tool domain exportkeytab /etc/krb5.keytab 
>>>>> --principal=nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>   File 
>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 
>>>>> 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
>>>>> line 103, in run
>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>
>>>>> Med Venlig Hilsen / Best Regards
>>>>> Henrik Dige Semark
>>>>> Mobil: +45 26331701
>>>>>
>>>>> On 2014-11-03 18:12, steve wrote:
>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab 
>>>>>> --principal=nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>>>>
>>>> Hi, do you actually have an SPN 
>>>> 'nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET' in 
>>>> AD ?
>>>>
>>>> Rowland
>>>>
>>>
>> Hi, I don't think that you read Steve's blog, see here:
>> http://linuxcostablanca.blogspot.co.uk/p/samba-4.html
>>
>> You need a user!
>>
>> samba-tool user add nfs-user --random-password
>> samba-tool user setexpiry --noexpiry nfs-user
>> samba-tool spn add nfs/jotunheim.static.yggdrasil.bittoo.net nfs-user
>> samba-tool domain exportkeytab /etc/krb5.keytab 
>> --principal=nfs/jotunheim.static.yggdrasil.bittoo.net
>>
>> Hopefully, when you run ktutil, you will get the following result
>>
>> ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- 
>> ---------------------------------------------------------------------
>>    1    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>    2    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>>    3    1 nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>> ktutil:  q
>>
>> Rowland
>>
>>
> Hey,
> Sorry I missed that in the blog.
> I read through it, and thought my setup, and what I had done/tried 
> before, was more or less the same - but I missed that he created a 
> nfs-user and added the keytab on the user instead.
>
> It's true, I can now add the NFS principal to the keytab but my 
> clients still can't connect.
> I have also double and triple checked, that I do the same on the 
> clients as he describes in the blog-post.
>
>
> My client (hymer$) is part of the domain - I can SSH without password 
> to jotunheim, I have DNS and reverse DNS for the machine, both 
> jotunheim and hymer can ping each other.
>
> Hymer:
>
> # host hymer
> hymer.dyn.yggdrasil.bittoo.net has address 192.168.117.106
> hymer.dyn.yggdrasil.bittoo.net has IPv6 address 2001:470:dd5b:74:1::d2
>
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr a4:ba:db:fd:eb:15
>           inet addr:192.168.117.106  Bcast:192.168.117.255 
> Mask:255.255.254.0
>           inet6 addr: fe80::a6ba:dbff:fefd:eb15/64 Scope:Link
>           inet6 addr: 2001:470:dd5b:74:1::d2/128 Scope:Global
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:13021 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2725 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1606944 (1.5 MiB)  TX bytes:419378 (409.5 KiB)
>           Interrupt:16
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:97 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:21054 (20.5 KiB)  TX bytes:21054 (20.5 KiB)
>
> # nslookup 192.168.117.106
> Server:         192.168.116.1
> Address:        192.168.116.1#53
>
> 106.117.168.192.in-addr.arpa    name = hymer.dyn.yggdrasil.bittoo.net.
>
> # nslookup 2001:470:dd5b:74:1::d2
> Server:         192.168.116.1
> Address:        192.168.116.1#53
>
> 2.d.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.7.0.0.b.5.d.d.0.7.4.0.1.0.0.2.ip6.arpa 
> name = hymer.dyn.yggdrasil.bittoo.net.
>
> # ktutil list (jotunheim)
> FILE:/etc/krb5.keytab:
>
> Vno  Type Principal Aliases
>   1  des-cbc-crc 
> host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 
> host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> host/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> host/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc 
> http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 
> http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> http/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> http/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> ldap/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc 
> nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 
> nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> nfs/jotunheim.static.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 
> nfs/jotunheim.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc HYMER$@YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 HYMER$@YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
>  29  des-cbc-crc SKRYMER$@YGGDRASIL.BITTOO.NET
>  29  des-cbc-md5 SKRYMER$@YGGDRASIL.BITTOO.NET
>  29  arcfour-hmac-md5 SKRYMER$@YGGDRASIL.BITTOO.NET
>   1  des-cbc-crc JOTUNHEIM$@YGGDRASIL.BITTOO.NET
>   1  des-cbc-md5 JOTUNHEIM$@YGGDRASIL.BITTOO.NET
>   1  arcfour-hmac-md5 JOTUNHEIM$@YGGDRASIL.BITTOO.NET
>
> # ktutil list (hymer)
> FILE:/etc/krb5.keytab:
>
> Vno  Type Principal                                                 
> Aliases
>  27  des-cbc-crc host/hymer.dyn.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 host/hymer.dyn.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 
> host/hymer.dyn.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc host/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 host/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 
> host/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc nfs/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 nfs/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 
> nfs/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 
> nfs/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 nfs/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc nfs/hymer at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 nfs/hymer at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 nfs/hymer at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 nfs/hymer at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 nfs/hymer at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 
> host/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 
> host/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc host/hymer at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 host/hymer at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 host/hymer at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 host/hymer at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 host/hymer at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc http/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 http/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 
> http/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 
> http/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 
> http/hymer.yggdrasil.bittoo.net at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc http/hymer at YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 http/hymer at YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 http/hymer at YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 http/hymer at YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 http/hymer at YGGDRASIL.BITTOO.NET
>  27  des-cbc-crc HYMER$@YGGDRASIL.BITTOO.NET
>  27  des-cbc-md5 HYMER$@YGGDRASIL.BITTOO.NET
>  27  aes128-cts-hmac-sha1-96 HYMER$@YGGDRASIL.BITTOO.NET
>  27  aes256-cts-hmac-sha1-96 HYMER$@YGGDRASIL.BITTOO.NET
>  27  arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
>
> # cat /etc/samba/smb.conf  (hymer)
> [global]
>    workgroup = YGGDRASIL
>    security = ADS
>    realm = YGGDRASIL.BITTOO.NET
>    encrypt passwords = yes
>
>    idmap config *:backend = tdb
> #   idmap config *:backend = rid
>    idmap config *:range = 70001-80000
>    idmap config YGGDRASIL:backend = ad
>    idmap config YGGDRASIL:schema_mode = rfc2307
>    idmap config YGGDRASIL:range = 10000-20000
> #   idmap config YGGDRASIL:base_rid = 0
>
> #   winbind nss info = rfc2307
> #   winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>
>    template shell = /bin/bash
>    template homedir = /home/%U
>
>    kerberos method = system keytab
>
>
> # mount -vvvv -t nfs4 -o sec=krb5 
> jotunheim.static.yggdrasil.bittoo.net:/home /home (hymer)
> mount.nfs4: timeout set for Tue Nov  4 14:39:08 2014
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=2001:470:dd5b:74::1,clientaddr=2001:470:dd5b:74:1::d2'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=192.168.116.1,clientaddr=192.168.117.106'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting 
> jotunheim.static.yggdrasil.bittoo.net:/home
>
> I have no errors in any logfiles on either server or client.
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
> Mobil: +45 26331701
>
Hi, I think that you must still be missing something, can you connect to 
the share other than by nfs ?

I get the feeling that Steve is going to have to talk you through this 
step by step, he is IMHO the expert here.

Rowland
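A defender's check for the keytab listings traded above, added here as an example and not part of the thread or of Samba's own tooling: it parses Heimdal-style `ktutil list` output (the samples are constructed to match the shape of the listings, with wrapped lines joined and "at" written as "@"), reports whether the nfs/ service principal is present and whether it carries only DES/RC4 keys, and flags a kvno mismatch between a server's and a client's copy of the same machine principal, which is what a stale keytab after a machine-password rotation looks like.

```python
import re
from collections import defaultdict

# Constructed samples in the Heimdal "ktutil list" shape seen in the thread;
# not real keytabs. The client sample deliberately carries a newer kvno.
SERVER_LISTING = """FILE:/etc/krb5.keytab:

Vno  Type Principal Aliases
  1  des-cbc-crc nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-md5 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  arcfour-hmac-md5 nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
 27  arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
"""
CLIENT_LISTING = """Vno  Type Principal Aliases
 28  aes256-cts-hmac-sha1-96 HYMER$@YGGDRASIL.BITTOO.NET
 28  arcfour-hmac-md5 HYMER$@YGGDRASIL.BITTOO.NET
"""

# Enctypes a modern KDC should not be relied on for: single DES and RC4.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
# "<kvno> <enctype> <principal@REALM>"; the header and FILE: lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)")


def parse_ktutil(text):
    """Map principal -> {kvno: set(enctypes)} from ktutil list output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys[m.group(3)][int(m.group(1))].add(m.group(2))
    return keys


def check_service_key(keys, principal):
    """Is the service principal present, and does it hold only weak keys?"""
    if principal not in keys:
        return {"present": False, "kvnos": [], "weak_only": None}
    enctypes = set().union(*keys[principal].values())
    return {"present": True, "kvnos": sorted(keys[principal]),
            "weak_only": enctypes <= WEAK_ENCTYPES}


def kvno_mismatch(server_keys, client_keys, principal):
    """True when the two keytabs share no kvno for the principal (stale copy)."""
    common = set(server_keys.get(principal, {})) & set(client_keys.get(principal, {}))
    return not common


if __name__ == "__main__":
    server, client = parse_ktutil(SERVER_LISTING), parse_ktutil(CLIENT_LISTING)
    print(check_service_key(server, "nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET"))
    print("HYMER$ kvno mismatch:", kvno_mismatch(server, client, "HYMER$@YGGDRASIL.BITTOO.NET"))
```

Run it against `ktutil list` output captured from each host to see at a glance whether the nfs/ key exists, whether it is DES/RC4-only, and whether the client's machine key has moved on from the copy the server holds.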
