[Samba] NFS4 with samba4 AD for authentication

Lars Hanke debian at lhanke.de
Tue Sep 23 15:36:47 MDT 2014

>> I'm pretty confused, which principals I'd need and how to create them in
>> the samba AD.
> The file server needs the nfs/ principal
> The client needs any one of nfs/ host/ root/ or simply the MACHINE$ key

Okay, that seemed to have got me a step forward. I created 
nfs/nfs4.fqdn, removed all enctypes except des-cbc-crc and added it to 
/etc/krb5.keytab of the server.

I retried the mount, but it still fails, but with a new error message:

mount.nfs4: access denied by server while mounting nfs4:/

I captured the network trace on the second attempt, and it didn't 
contain any Kerberos requests. Checking the credential cache 
/tmp/krbcc_machine_AD.MICROSULT.DE I see that it acquired a ticket for 
nfs/nfs4.ad.microsult.de@AD.MICROSULT.DE.

The client gssd log is identical to the one with the Kerberos issue 
before. The server does not produce any gssd log. The server has no 
ticket cache, except for uid 0, which doesn't hold any ticket beyond krbtgt.

The network trace shows 3 NULL requests, of which only the first is 
answered by a NULL Reply. The other two are killed by FIN,ACK packets.

I enabled -vvv for rpc.svcgssd on the server and "--debug all" for 
rpc.mountd. In /var/log/syslog I see svcgssd handle the NULL request. It 
produces an error, which boils down to "Wrong principal in request". 
Unfortunately it doesn't tell which it got and which it expected.

I appreciate any idea to troubleshoot the issue further - including 
hints to a more appropriate mailing list.

Thanks for your time,
- lars.
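
One check that fits the "Wrong principal in request" symptom above, as an added example that is not part of the original message: compare the server keytab entries with the service principal the client holds a ticket for. The function name is hypothetical and the keytab listing is constructed sample data with placeholder hostnames; MIT Kerberos principal names are case-sensitive, so the comparison is exact.

```shell
#!/bin/sh
# Added example. Reads `klist -ke` style output on stdin and compares each
# entry with the principal named in $1 (the one in the client's ticket).
# Return status: 0 exact match, 1 nfs/ entries exist but none match,
# 2 no nfs/ entry at all.
check_keytab_principal() {
    want=$1
    awk -v want="$want" '
        # Entry lines look like: "   2 nfs/host@REALM (enctype)"
        $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
            enc = $3; gsub(/[()]/, "", enc)
            if ($2 == want) {
                exact = 1
                printf "match    kvno=%s %s enctype=%s\n", $1, $2, enc
            } else if ($2 ~ /^nfs\//) {
                other = 1
                printf "mismatch kvno=%s %s enctype=%s\n", $1, $2, enc
                if (tolower($2) == tolower(want))
                    print "  note: differs only in case"
            }
        }
        END { if (exact) exit 0; if (other) exit 1; exit 2 }
    '
}

# Constructed sample: the keytab entry was created under a different FQDN
# than the one the client requested a ticket for.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 NFS4$@AD.EXAMPLE.TEST (arcfour-hmac)
   2 nfs/nfs4.example.test@AD.EXAMPLE.TEST (des-cbc-crc)'

printf '%s\n' "$SAMPLE_KEYTAB" |
    check_keytab_principal "nfs/nfs4.ad.example.test@AD.EXAMPLE.TEST" ||
    echo "exit status $?"
```

On a live server, pipe `klist -ke /etc/krb5.keytab` into the function and pass the service principal shown in the client's credential cache.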
