[Samba] NFS4 with samba4 AD for authentication
debian at lhanke.de
Tue Sep 23 15:36:47 MDT 2014
>> I'm pretty confused, which principals I'd need and how to create them in
>> the samba AD.
> The file server needs the nfs/ principal
> The client needs any one of nfs/ host/ root/ or simply the MACHINE$ key
Okay, that seemed to have got me a step forward. I created
nfs/nfs4.fqdn, removed all enctypes except des-cbc-crc and added it to
/etc/krb5.keytab of the server.
I retried the mount, but it still fails, but with a new error message:
mount.nfs4: access denied by server while mounting nfs4:/
I captured the network trace on the second attempt, and it didn't
contain any Kerberos requests. Checking the credential cache
/tmp/krbcc_machine_AD.MICROSULT.DE I see that it acquired a ticket for
nfs/nfs4.ad.microsult.de at AD.MICROSULT.DE.
The client gssd log is identical to the one, with the Kerberos issue
before. The server does not produce any gssd log. The server has no
ticket cache, except for uid 0, which doesn't hold any ticket beyond krbtgt.
The network trace shows 3 NULL requests, of which only the first is
answered by a NULL Reply. The other two are killed by FIN,ACK packets.
I enabled -vvv for rpc.svcgssd on the server and "--debug all" for
rpc.mountd. In /var/log/syslog I see svcgssd handle the NULL request. It
produces an error, which boils down to "Wrong principal in request".
Unfortunately it doesn't tell which it got and which it expected.
I appreciate any idea to troubleshoot the issue further - including
hints to a more appropriate mailing list.
Thanks for your time,
More information about the samba