[Samba] Samba4 PDC keytab creation for NFSv4 not working

Henrik Dige Semark hds at semark.dk
Thu Nov 13 02:45:18 MST 2014


On 2014-11-05 17:13, Henrik Dige Semark wrote:
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
> Mobil: +45 26331701
>
> On 2014-11-04 22:33, steve wrote:
>> On 04/11/14 15:21, Rowland Penny wrote:
>>> On 04/11/14 13:49, Henrik Dige Semark wrote:
>>>>>
>>>> Hey,
>>>> Sorry I missed that in the blog.
>>>> I read through it, and thought my setup, and what I had done/tried
>>>> before, was more or less the same - but I missed that he created a
>>>> nfs-user and added the keytab on the user instead.
>>>>
>>>> It's true, I can now add the NFS principal to the keytab but my
>>>> clients still can't connect.
>>>> I have also double and triple checked that I do the same on the
>>>> clients as he describes in the blog post.
>>>>
>>>>
>>>> My client (hymer$) is part of the domain - I can SSH without password
>>>> to jotunheim, I have DNS and reverse DNS for the machine, both
>>>> jotunheim and hymer can ping each other.
>>
>> So it's your nfs4 exports then. Remember that butter is bad for you 
>> again this year and so you must not export nfs4 mounts from a bind 
>> mounted fsid=0 pseudo-root. No sir. This year, we're exporting them 
>> as margarine, just like in the good old nfs3 days. If you're not sure 
>> what brand of margarine you should be using, post your /etc/exports 
>> and idmapd configs at both ends and we'll advise and rpc.idmapd -fvvv 
>> at both ends should help us nail it.
>> José
>>
> Hey,
>
> Okay, so jotunheim is:
>
> # cat /etc/exports
> #/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
> #/export/home   gss/krb5(rw,sync,no_subtree_check)
> /home           gss/krb5(rw,sync,no_subtree_checl)
>
> # cat /etc/idmapd.conf
> [General]
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> # set your own domain here, if id differs from FQDN minus hostname
> Domain = YGGDRASIL.BITTOO.NET
>
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> # rpc.gssd -fvvv
> beginning poll
>
> # rpc.idmapd -fvvv
> rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
> rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
> rpc.idmapd: libnfsidmap: loaded plugin 
> /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
>
> rpc.idmapd: Expiration time is 600 seconds.
> rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
> rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
> rpc.idmapd: New client: 0
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt0/idmap
> rpc.idmapd: New client: 1
> rpc.idmapd: Stale client: 0
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt0/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 1
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt1/idmap
> rpc.idmapd: New client: 2
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt2/idmap
> rpc.idmapd: New client: 3
> rpc.idmapd: Stale client: 2
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt2/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 3
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3/idmap
> rpc.idmapd: New client: 4
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt4/idmap
> rpc.idmapd: New client: 5
> rpc.idmapd: Stale client: 4
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt4/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 5
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt5/idmap
> rpc.idmapd: New client: 6
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt6/idmap
> rpc.idmapd: New client: 7
> rpc.idmapd: Stale client: 6
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt6/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 7
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt7/idmap
> rpc.idmapd: New client: 8
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt8/idmap
> rpc.idmapd: New client: 9
> rpc.idmapd: Stale client: 8
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt8/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 9
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt9/idmap
> rpc.idmapd: New client: a
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnta/idmap
> rpc.idmapd: New client: b
> rpc.idmapd: Stale client: a
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnta/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: b
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntb/idmap
> rpc.idmapd: New client: c
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clntc/idmap
> rpc.idmapd: New client: d
> rpc.idmapd: Stale client: c
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntc/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: d
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntd/idmap
>
> and the client (hymer)
> At the client AutoFS mounts the nfs4 - but I have tried to do it 
> manually instead.
>
> # mount -vvvv -t nfs4 -o sec=krb5 
> jotunheim.static.yggdrasil.bittoo.net:/home /home
> mount.nfs4: timeout set for Wed Nov  5 17:10:12 2014
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=2001:470:dd5b:74::1,clientaddr=2001:470:dd5b:74:1::d2'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: trying text-based options 
> 'sec=krb5,addr=192.168.116.1,clientaddr=192.168.117.106'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting 
> jotunheim.static.yggdrasil.bittoo.net:/home
>
> # cat /etc/idmapd.conf
> [General]
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = YGGDRASIL.BITTOO.NET
> [Mapping]
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> # rpc.gssd -fvvvv
> beginning poll
> destroying client /run/rpc_pipefs/nfs/clnt2e
> destroying client /run/rpc_pipefs/nfs/clnt35
>
> # rpc.idmapd -fvvvvv
> rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
> rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
> rpc.idmapd: libnfsidmap: loaded plugin 
> /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
>
> rpc.idmapd: Expiration time is 600 seconds.
> rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
> rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
> rpc.idmapd: New client: 30
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt30/idmap
> rpc.idmapd: New client: 31
> rpc.idmapd: New client: 32
> rpc.idmapd: New client: 37
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt37/idmap
> rpc.idmapd: New client: 38
> rpc.idmapd: Stale client: 37
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt37/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 38
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt38/idmap
> rpc.idmapd: New client: 39
> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt39/idmap
> rpc.idmapd: New client: 3a
> rpc.idmapd: Stale client: 39
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt39/idmap
> [warn] event_del: event has no event_base set.
> rpc.idmapd: Stale client: 3a
> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3a/idmap
Hey everybody,

So, I have gotten the NFS mount to work now, sort of, that is....

It turns out that the NFS package in Debian Wheezy and Jessie still 
prefers the bind-mount method, so my exports look like this now:
# cat /etc/exports
/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)

and I needed to change "NEED_SVCGSSD" from no to yes in 
/etc/default/nfs-kernel-server

The only problem that I have now is that the server (jotunheim) sees 
users as DOMAIN%user, and this messes up the ID mapping between the clients 
and the server, since the clients only have the username.
My samba.conf on the server is like this: http://pastebin.com/9Y949wuK

Thank you so much for all the help.

Med Venlig Hilsen / Best Regards
Henrik Dige Semark
Mobil: +45 26331701
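As an added example (not from this thread and not part of nfs-utils), a small Python linter for /etc/exports that checks the two things that went wrong above: a misspelled option such as no_subtree_checl, and a krb5 export that has no fsid=0 pseudo-root or sits outside of it. Option names are taken from exports(5); gss/krb5 is the legacy client form, and the sample files are constructed from the lines quoted in the thread.

```python
import re

# Option names accepted by exports(5): bare flags and key=value keys.
KNOWN_FLAGS = {"rw", "ro", "sync", "async", "no_subtree_check", "subtree_check",
               "crossmnt", "hide", "nohide", "secure", "insecure", "root_squash",
               "no_root_squash", "all_squash", "no_all_squash", "wdelay",
               "no_wdelay", "mountpoint", "mp", "pnfs", "no_pnfs", "security_label"}
KNOWN_KEYS = {"fsid", "sec", "anonuid", "anongid", "refer", "replicas", "mountpoint", "mp"}

# Constructed samples: the typo'd single-line /etc/exports quoted in the thread,
# and the fsid=0 pseudo-root layout that worked in the end.
BROKEN_EXPORTS = "/home           gss/krb5(rw,sync,no_subtree_checl)\n"
FIXED_EXPORTS = """\
/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)
"""

CLIENT_RE = re.compile(r"(\S+?)\((.*?)\)")  # client(opt,opt,...)

def parse_exports(text):
    """Return [(path, client, [options])] for every uncommented export entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, rest = (line.split(None, 1) + [""])[:2]
        for client, opts in CLIENT_RE.findall(rest):
            entries.append((path, client, [o for o in opts.split(",") if o]))
    return entries

def lint_exports(text):
    """Return a list of findings; an empty list means the file passed."""
    entries = parse_exports(text)
    roots = [p for p, _, o in entries if "fsid=0" in o]
    findings = []
    for path, client, opts in entries:
        for opt in opts:  # catches typos such as no_subtree_checl
            key, has_val = opt.split("=", 1)[0], "=" in opt
            if not (key in KNOWN_KEYS if has_val else opt in KNOWN_FLAGS):
                findings.append(f"{path} {client}: unknown option '{opt}'")
        # NFSv4 clients only see paths inside the fsid=0 pseudo-root.
        if roots and path != roots[0] and not path.startswith(roots[0].rstrip("/") + "/"):
            findings.append(f"{path} is outside the fsid=0 pseudo-root {roots[0]}")
    krb5 = [p for p, c, o in entries
            if c.startswith("gss/krb5") or any(x.startswith("sec=") and "krb5" in x for x in o)]
    if krb5 and not roots:
        findings.append("krb5 exports but no fsid=0 pseudo-root (the layout that worked here)")
    return findings
```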



