[Samba] Samba4 PDC keytab creation for NFSv4 not working

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 13 03:34:24 MST 2014


On 13/11/14 09:45, Henrik Dige Semark wrote:
> On 2014-11-05 17:13, Henrik Dige Semark wrote:
>>
>> Med Venlig Hilsen / Best Regards
>> Henrik Dige Semark
>> Mobil: +45 26331701
>>
>> On 2014-11-04 22:33, steve wrote:
>>> On 04/11/14 15:21, Rowland Penny wrote:
>>>> On 04/11/14 13:49, Henrik Dige Semark wrote:
>>>>>>
>>>>> Hey,
>>>>> Sorry I missed that in the blog.
>>>>> I read through it, and thought my setup, and what I had done/tried
>>>>> before, was more or less the same - but I missed that he created a
>>>>> nfs-user and added the keytab on the user instead.
>>>>>
>>>>> It's true, I can now add the NFS principal to the keytab but my
>>>>> clients still can't connect.
>>>>> I have also double and triple checked that I do the same on the
>>>>> clients as he describes in the blog-post.
>>>>>
>>>>>
>>>>> My client (hymer$) is part of the domain - I can SSH without password
>>>>> to jotunheim, I have DNS and reverse DNS for the machine, both
>>>>> jotunheim and hymer can ping each other.
>>>
>>> So it's your nfs4 exports then. Remember that butter is bad for you 
>>> again this year and so you must not export nfs4 mounts from a bind 
>>> mounted fsid=0 pseudo-root. No sir. This year, we're exporting them 
>>> as margarine, just like in the good old nfs3 days. If you're not 
>>> sure what brand of margarine you should be using, post your 
>>> /etc/exports and idmapd configs at both ends and we'll advise and 
>>> rpc.idmapd -fvvv at both ends should help us nail it.
>>> José
>>>
>> Hey,
>>
>> Okay, so jotunheim is:
>>
>> # cat /etc/exports
>> #/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
>> #/export/home   gss/krb5(rw,sync,no_subtree_check)
>> /home           gss/krb5(rw,sync,no_subtree_checl)
>>
>> # cat /etc/idmapd.conf
>> [General]
>> Verbosity = 0
>> Pipefs-Directory = /run/rpc_pipefs
>> # set your own domain here, if id differs from FQDN minus hostname
>> Domain = YGGDRASIL.BITTOO.NET
>>
>> [Mapping]
>> Nobody-User = nobody
>> Nobody-Group = nogroup
>>
>> # rpc.gssd -fvvv
>> beginning poll
>>
>> # rpc.idmapd -fvvv
>> rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
>> rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
>> rpc.idmapd: libnfsidmap: loaded plugin 
>> /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
>>
>> rpc.idmapd: Expiration time is 600 seconds.
>> rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
>> rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
>> rpc.idmapd: New client: 0
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt0/idmap
>> rpc.idmapd: New client: 1
>> rpc.idmapd: Stale client: 0
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt0/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 1
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt1/idmap
>> rpc.idmapd: New client: 2
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt2/idmap
>> rpc.idmapd: New client: 3
>> rpc.idmapd: Stale client: 2
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt2/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 3
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3/idmap
>> rpc.idmapd: New client: 4
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt4/idmap
>> rpc.idmapd: New client: 5
>> rpc.idmapd: Stale client: 4
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt4/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 5
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt5/idmap
>> rpc.idmapd: New client: 6
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt6/idmap
>> rpc.idmapd: New client: 7
>> rpc.idmapd: Stale client: 6
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt6/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 7
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt7/idmap
>> rpc.idmapd: New client: 8
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt8/idmap
>> rpc.idmapd: New client: 9
>> rpc.idmapd: Stale client: 8
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt8/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 9
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt9/idmap
>> rpc.idmapd: New client: a
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnta/idmap
>> rpc.idmapd: New client: b
>> rpc.idmapd: Stale client: a
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnta/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: b
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntb/idmap
>> rpc.idmapd: New client: c
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clntc/idmap
>> rpc.idmapd: New client: d
>> rpc.idmapd: Stale client: c
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntc/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: d
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clntd/idmap
>>
>> and the client (hymer)
>> At the client AutoFS mounts the nfs4 - but I have tried to do it 
>> manually instead.
>>
>> # mount -vvvv -t nfs4 -o sec=krb5 
>> jotunheim.static.yggdrasil.bittoo.net:/home /home
>> mount.nfs4: timeout set for Wed Nov  5 17:10:12 2014
>> mount.nfs4: trying text-based options 
>> 'sec=krb5,addr=2001:470:dd5b:74::1,clientaddr=2001:470:dd5b:74:1::d2'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: trying text-based options 
>> 'sec=krb5,addr=192.168.116.1,clientaddr=192.168.117.106'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting 
>> jotunheim.static.yggdrasil.bittoo.net:/home
>>
>> # cat /etc/idmapd.conf
>> [General]
>> Verbosity = 0
>> Pipefs-Directory = /run/rpc_pipefs
>> # set your own domain here, if id differs from FQDN minus hostname
>> # Domain = localdomain
>> Domain = YGGDRASIL.BITTOO.NET
>> [Mapping]
>> Nobody-User = nobody
>> Nobody-Group = nogroup
>>
>> # rpc.gssd -fvvvv
>> beginning poll
>> destroying client /run/rpc_pipefs/nfs/clnt2e
>> destroying client /run/rpc_pipefs/nfs/clnt35
>>
>> # rpc.idmapd -fvvvvv
>> rpc.idmapd: libnfsidmap: using domain: YGGDRASIL.BITTOO.NET
>> rpc.idmapd: libnfsidmap: Realms list: 'YGGDRASIL.BITTOO.NET'
>> rpc.idmapd: libnfsidmap: loaded plugin 
>> /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
>>
>> rpc.idmapd: Expiration time is 600 seconds.
>> rpc.idmapd: Opened /proc/net/rpc/nfs4.nametoid/channel
>> rpc.idmapd: Opened /proc/net/rpc/nfs4.idtoname/channel
>> rpc.idmapd: New client: 30
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt30/idmap
>> rpc.idmapd: New client: 31
>> rpc.idmapd: New client: 32
>> rpc.idmapd: New client: 37
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt37/idmap
>> rpc.idmapd: New client: 38
>> rpc.idmapd: Stale client: 37
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt37/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 38
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt38/idmap
>> rpc.idmapd: New client: 39
>> rpc.idmapd: Opened /run/rpc_pipefs/nfs/clnt39/idmap
>> rpc.idmapd: New client: 3a
>> rpc.idmapd: Stale client: 39
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt39/idmap
>> [warn] event_del: event has no event_base set.
>> rpc.idmapd: Stale client: 3a
>> rpc.idmapd:     -> closed /run/rpc_pipefs/nfs/clnt3a/idmap
> Hey everybody,
>
> So, I have gotten the NFS mount to work now, sort of that is....
>
> It turns out that the NFS package in Debian Wheezy and Jessie still 
> prefers the bind-mount method, so that my exports look like this now:
> # cat /etc/exports
> /export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
> /export/home   gss/krb5(rw,sync,no_subtree_check)
>
> and I needed to change "NEED_SVCGSSD" from no to yes in 
> /etc/default/nfs-kernel-server
>
> The only problem that I have now is that the server (jotunheim) sees 
> users as DOMAIN%user - and this messes up the IDmap between the clients 
> and the server, since the clients only have username.
> My samba.conf on the server is like this: http://pastebin.com/9Y949wuK
>
> Thank you so much for all the help.
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
> Mobil: +45 26331701
>
>
Hi, you are hitting the problem that 'winbind' built into the samba 
daemon != the standalone 'winbindd' daemon; this is one of the reasons 
that it is not advisable to use the AD DC as a fileserver. As far as I 
know, there is no way to remove the leading workgroup name from 
usernames. You could probably remove most of your smb.conf; in my 
opinion, it should look like this:

# Global parameters
[global]
         workgroup = YGGDRASIL
         realm = YGGDRASIL.BITTOO.NET
         netbios name = JOTUNHEIM
         server role = active directory domain controller
         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

         server string = Debian DC - Samba %v
         kerberos method = system keytab

         # IDMAP's
         idmap_ldb:use rfc2307 = yes

         # Network-settings
         ####################################################
         # hosts deny = ALL
         # hosts allow = 192.168.116.0/23 127.
         hosts allow = ALL
         bind interfaces only = yes
         interfaces = lo pbr0

         # Various other directives ( man smb.conf )
         ###################################################
         time server = Yes

         # Winbind
         ##################################################
         template shell = /bin/bash
         template homedir = /home/%ACCOUNTNAME%

[netlogon]
         path = /var/lib/samba/sysvol/yggdrasil.bittoo.net/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

One interesting thing that I did notice, you have this in your smb.conf:

         idmap_ldb:use rfc2307 = yes

You also have this:

         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb

Because you have 'smb' instead of 's3fs', I am fairly sure that you are 
using the NTVFS filesystem.

Do you really want to use this filesystem???

Rowland
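An added checking script, not part of this thread or of Samba/nfs-utils, that covers the two configuration points the thread turned on: option spelling in /etc/exports (an option name that is not in the known set, such as the misspelt no_subtree_check in the first exports posted, makes exportfs reject the entry) together with the presence of an fsid=0 pseudo-root, and whether smb.conf's 'server services' selects 'smb' (NTVFS) or 's3fs'. The sample inputs are constructed to mirror the thread; the known-option set is a subset of exports(5).

```python
import re

# A subset of the option names listed in exports(5); a trailing "=" marks options
# that take a value (fsid=0, sec=krb5, ...).
KNOWN_EXPORT_OPTS = {
    "rw", "ro", "sync", "async", "secure", "insecure", "crossmnt", "subtree_check",
    "no_subtree_check", "root_squash", "no_root_squash", "all_squash", "no_all_squash",
    "fsid=", "sec=", "anonuid=", "anongid=",
}

def parse_exports(text):
    """Yield (path, client, [options]) for every non-comment /etc/exports entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for spec in fields[1:]:
            m = re.match(r"([^(]*)(?:\((.*)\))?", spec)  # client(opt,opt,...)
            yield fields[0], m.group(1) or "*", [o for o in (m.group(2) or "").split(",") if o]

def check_exports(text):
    """Return findings: option names outside the known set and a missing fsid=0 root."""
    findings, has_root = [], False
    for path, client, opts in parse_exports(text):
        for opt in opts:
            key = opt.partition("=")[0] + ("=" if "=" in opt else "")
            if key not in KNOWN_EXPORT_OPTS:
                findings.append(f"{path} {client}: unknown option '{opt}'")
            has_root |= opt == "fsid=0"
    if not has_root:
        findings.append("no fsid=0 pseudo-root export")
    return findings

def check_server_services(smb_conf):
    """Return which file server 'server services' selects: 's3fs', 'smb' (NTVFS) or None."""
    m = re.search(r"^\s*server services\s*=\s*(.*)$", smb_conf, re.M)
    services = {s.strip() for s in m.group(1).split(",")} if m else set()
    return "s3fs" if "s3fs" in services else "smb" if "smb" in services else None

# Constructed samples modelled on the thread: the original export line (with its
# misspelt option), the later bind-mount style exports, and the smb.conf line.
EXPORTS_BEFORE = "/home           gss/krb5(rw,sync,no_subtree_checl)\n"
EXPORTS_AFTER = ("/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)\n"
                 "/export/home   gss/krb5(rw,sync,no_subtree_check)\n")
SMB_CONF = ("[global]\n        server services = rpc, nbt, wrepl, ldap, cldap, kdc, "
            "drepl, winbind, ntp_signd, kcc, dnsupdate, smb\n")

if __name__ == "__main__":
    for name, text in (("before", EXPORTS_BEFORE), ("after", EXPORTS_AFTER)):
        print(name, check_exports(text) or "ok")
    print("server services file server:", check_server_services(SMB_CONF))
```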


