[Samba] Samba 4 and MS Windows NFS Server (2012R2) - Update
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 1 09:51:52 UTC 2015
Hi,
Do the servers have A and PTR records?
You have these UPNs for both servers.
nfs/${SETFQDN} ${SETHOSTNAME_CAPS}$
nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} ${SETHOSTNAME_CAPS}$
On the Samba side, is the NFS SPN in your keytab file?
And if you're brave, read (* don't run it, since I did not test this with Windows servers):
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/
Check the setup-nfsv4-kerberos.sh script, tested in a Samba4-only setup on Debian (wheezy and jessie),
and it's not quite finished, I think..
Greetz,
Louis
>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>Ritter, Marcel (RRZE)
>Sent: Tuesday, 1 September 2015 11:25
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba 4 and MS Windows NFS Server
>(2012R2) - Update
>
>Hi again,
>
>I just started to debug things on the samba4 side:
>
>When trying to mount the Windows NFS share, I get the following error on
>the samba4 DC (just grepping for nfs in the logs):
>
> auth_check_password_send: Checking password for unmapped user [S5DOM.TEST]\[nfs/nfsclient.mydom.test]@[]
> map_user_info_cracknames: Mapping user [MYDOM.TEST]\[nfs/nfsclient.mydom.test] from workstation []
> auth_check_password_send: mapped user is: [MYDOM]\[nfs/nfsclient.mydom.test]@[]
> expr: (&(sAMAccountName=nfs/nfsclient.mydom.test)(objectclass=user))
> sam_search_user: Couldn't find user [nfs/nfsclient.mydom.test] in samdb, under DC=mydom,DC=test
> auth_check_password_recv: sam_ignoredomain authentication for user [S5DOM\nfs/nfsclient.mydom.test] FAILED with error NT_STATUS_NO_SUCH_USER
>
>From a first search, it looks like function authsam_search_account()
>from source4/auth/ntlm/auth_sam.c does this lookup (and fails).
>
>I guess this search should look something like this:
>
>(&(|(sAMAccountName=nfs/nfsclient.mydom.test)(userPrincipalName=nfs/nfsclient.mydom.test@MYDOM.TEST))(objectclass=user))
>
>I'd like to give this a try, however I've no idea how to get the required
>realm name from the parameters available during the
>authsam_search_account() call.
>
>Please, could someone more familiar with the samba code base provide me
>with the required information to do this?
>
>Bye,
> Marcel
>
>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>Ritter, Marcel (RRZE)
>Sent: Monday, 31 August 2015 08:44
>To: samba at lists.samba.org
>Subject: [Samba] Samba 4 and MS Windows NFS Server (2012R2)
>
>Hi,
>
>Has anyone out there tried to get a Windows Server 2012R2
>based NFS server running against a Samba4 Active Directory?
>
>I'm currently doing some interop testing, and I cannot get a
>Windows Server 2012R2 based NFS server running when using samba as AD.
>
>As far as I can tell, the setup looks good:
>
>I've got Linux based NFS servers and clients (Ubuntu + SuSE)
>up and running fine (krb5 auth against samba DC), but trying
>to access the Windows NFS server fails.
>
>Outside the above testbed I've tried to mount NFS shares on a
>different Windows Server (joined against our MS AD) and access
>from Linux clients works fine here, so I guess it's not MS NFS
>server itself that's causing the trouble.
>
>
>The failing Windows NFS server reports lots of messages like:
>
>"Server for NFS was unable to obtain security information for
>the GSS user account MYDOM.TEST\nfs/nfsclient.mydom.test.
>
>Check that the user account MYDOM.TEST\nfs/nfsclient.mydom.test
>is valid and meets all configured security policies. There may
>be additional information in the Windows Security event log.
>
>MSV Status: 0xC000009A, Substatus: 0x0
>S4U Status: 0xC000006D, Substatus: 0x0
>"
>
>The security log reports:
>
>"An account failed to log on.
>
>Subject:
> Security ID: SYSTEM
> Account Name: WIN12$
> Account Domain: MYDOM
> Logon ID: 0x3E7
>
>Logon Type: 3
>
>Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name: nfs/nfsclient.mydom.test
> Account Domain: MYDOM.TEST
>
>Failure Information:
> Failure Reason: Unknown user name or bad password.
> Status: 0xC000006D
> Sub Status: 0xC0000064
>
>Process Information:
> Caller Process ID: 0x4
> Caller Process Name:
>
>Network Information:
> Workstation Name:
> Source Network Address: -
> Source Port: -
>
>Detailed Authentication Information:
> Logon Process: NfsSvr
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Transited Services: -
> Package Name (NTLM only): -
> Key Length: 0
>
>This event is generated when a logon request fails. It is
>generated on the computer where access was attempted.
>
>The Subject fields indicate the account on the local system
>which requested the logon. This is most commonly a service
>such as the Server service, or a local process such as
>Winlogon.exe or Services.exe.
>
>The Logon Type field indicates the kind of logon that was
>requested. The most common types are 2 (interactive) and 3 (network).
>
>The Process Information fields indicate which account and
>process on the system requested the logon.
>
>The Network Information fields indicate where a remote logon
>request originated. Workstation name is not always available
>and may be left blank in some cases.
>
>The authentication information fields provide detailed
>information about this specific logon request.
> - Transited services indicate which intermediate
>services have participated in this logon request.
> - Package name indicates which sub-protocol was used
>among the NTLM protocols.
> - Key length indicates the length of the generated
>session key. This will be 0 if no session key was requested.
>"
>
>For me it looks like Windows NFS server does some
>additional/different lookups that fail on a samba backend but
>succeed against a Windows AD, but that's just a guess.
>
>Is there an easy way to debug LDAP lookups (and results) in
>Samba 4 (by setting a certain log level maybe)?
>
>Any other ideas what could cause this?
>
>Marcel
>
>BTW, I've tested this with Ubuntu samba package 4.1.6, but
>also with latest git version of samba.
>
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
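The lookup failure discussed in the thread, as an added illustration that is not Samba's code and not Marcel's patch: the Samba log shows the DC searching only `(sAMAccountName=nfs/nfsclient.mydom.test)`, which cannot match a computer account (its sAMAccountName is `NFSCLIENT$`), while the widened filter Marcel proposes also matches a `userPrincipalName` of the form Louis suggests adding. The in-memory directory, the attribute values, and the two name spellings parsed by `split_principal` (the `REALM\account` and `account@REALM` forms that appear in the posted logs) are constructed assumptions, not data from the page. The RFC 4515 escaping is included because the account name comes from the wire (the cracked Kerberos principal) and must never be spliced into a filter unescaped.

```python
"""Added illustration (not Samba code): why an sAMAccountName-only search
fails for a Kerberos service principal such as nfs/nfsclient.mydom.test,
and how the widened sAMAccountName-or-userPrincipalName filter behaves.

Assumptions (not from the original page): the directory is a list of dicts,
and the sample entries and their attribute values are constructed here.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def split_principal(user: str, default_realm: str) -> tuple:
    """Split 'REALM\\nfs/host' or 'nfs/host@REALM' into (account, realm).
    Illustration only; this is not Samba's cracknames logic."""
    if "\\" in user:
        realm, account = user.split("\\", 1)
        return account, realm.upper()
    if "@" in user:
        account, realm = user.rsplit("@", 1)
        return account, realm.upper()
    return user, default_realm.upper()


def sam_only_filter(account: str) -> str:
    """The filter form visible in the posted Samba log: sAMAccountName only."""
    return f"(&(sAMAccountName={ldap_escape(account)})(objectclass=user))"


def sam_or_upn_filter(account: str, realm: str) -> str:
    """The widened filter proposed in the thread: sAMAccountName OR UPN."""
    upn = f"{account}@{realm}"
    return ("(&(|"
            f"(sAMAccountName={ldap_escape(account)})"
            f"(userPrincipalName={ldap_escape(upn)})"
            ")(objectclass=user))")


def _matches(entry: dict, attr: str, value: str) -> bool:
    """Case-insensitive attribute match, as AD treats these attributes."""
    vals = entry.get(attr, [])
    if isinstance(vals, str):
        vals = [vals]
    return any(v.lower() == value.lower() for v in vals)


def search_account(directory, account: str, realm: str, use_upn: bool):
    """Evaluate one of the two lookup strategies against the in-memory
    directory; returns the matching entry's DN or None."""
    for entry in directory:
        if "user" not in [c.lower() for c in entry.get("objectClass", [])]:
            continue
        if _matches(entry, "sAMAccountName", account):
            return entry["dn"]
        if use_upn and _matches(entry, "userPrincipalName", f"{account}@{realm}"):
            return entry["dn"]
    return None


# Constructed sample directory (not real data): the NFS client's computer
# account carrying the nfs/ SPN and a UPN of the form Louis suggests.
SAMPLE_DIRECTORY = [
    {
        "dn": "CN=NFSCLIENT,CN=Computers,DC=mydom,DC=test",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": "NFSCLIENT$",
        "servicePrincipalName": ["nfs/nfsclient.mydom.test", "HOST/nfsclient.mydom.test"],
        "userPrincipalName": "nfs/nfsclient.mydom.test@MYDOM.TEST",
    },
    {
        "dn": "CN=marcel,CN=Users,DC=mydom,DC=test",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "marcel",
        "userPrincipalName": "marcel@MYDOM.TEST",
    },
]


def lookup_from_log_user(user: str, default_realm: str = "MYDOM.TEST") -> dict:
    """Run both strategies for a user string as it appears in the log."""
    account, realm = split_principal(user, default_realm)
    return {
        "sam_only": search_account(SAMPLE_DIRECTORY, account, realm, use_upn=False),
        "sam_or_upn": search_account(SAMPLE_DIRECTORY, account, realm, use_upn=True),
        "filter": sam_or_upn_filter(account, realm),
    }


if __name__ == "__main__":
    for user in ("MYDOM.TEST\\nfs/nfsclient.mydom.test", "marcel@mydom.test"):
        print(user, "->", lookup_from_log_user(user))
```

Running the block shows the service principal resolving only under the widened filter, while an ordinary user such as `marcel` resolves under both; the `ldap_escape` step is what keeps a principal name containing `(`, `)` or `*` from altering the filter's structure.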