[Samba] NFS4 with samba4 AD for authentication [Solved]

Lars Hanke debian at lhanke.de
Wed Sep 24 00:25:15 MDT 2014

Thanks a lot!

>>>> I'm pretty confused, which principals I'd need and how to create
>>>> them in
>>>> the samba AD.
>>> The file server needs the nfs/ principal
>>> The client needs any one of nfs/ host/ root/ or simply the MACHINE$ key
>> Okay, that seemed to have got me a step forward. I created
>> nfs/nfs4.fqdn, removed all enctypes except des-cbc-crc and added it to
>> /etc/krb5.keytab of the server.
> Our DC (4.1.6) uses arcfour-hmac-md5. It doesn't work with the weak
> enctypes unless you tell krb5.conf. Do you have an old version of nfs
> that does not recognise the strong keys?
 > Get DNS setup properly, put the proper keys back in the keytab and try
 > again.

No, just found it on several instructions on the net. After putting the 
keys back in I came out with "Operation ot permitted". Setting the 
"/etc/exports" to require gss/krb5 finally resulted in a successful 
mount. Strangely showmount lists both host based and krb based 
authentication, when /etc/exports has host based authentication selected.

Many thanks,
  - lars.

More information about the samba mailing list