[Samba] Samba and kerberized NFSv4

Matthias Kahle ir-lists-samba at gdnsc.de
Fri Dec 2 07:51:00 UTC 2016


Hi Marcel

thx. for your fast response. I didn't manage to follow up sooner. I had already turned verbose logging on, but I still can't find the real reason why the domain controller searches for a userPrincipalName instead of a servicePrincipalName.

Because I wasn't sure whether it was the nfs client process or the server process that failed to get the kerberos ticket when I tried the nfs mount locally on the server, I went to a client workstation and tried again to mount the nfs-exported directory from the server.

I'm attaching some more information below. Regarding the timestamps, please note that the server is using UTC, while the client workstation is configured to use CET (UTC+1). (Domain, client and server names are changed.)

/etc/krb5.keytab (created by net ads keytab create -P):

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld at DOMAIN.TLD (des-cbc-crc) 
   2 12/02/2016 07:54:52 host/client02.domain.tld at DOMAIN.TLD (des-cbc-md5) 
   2 12/02/2016 07:54:52 host/client02.domain.tld at DOMAIN.TLD (aes128-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:52 host/client02.domain.tld at DOMAIN.TLD (aes256-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:52 host/client02.domain.tld at DOMAIN.TLD (arcfour-hmac) 
   2 12/02/2016 07:54:52 host/client02 at DOMAIN.TLD (des-cbc-crc) 
   2 12/02/2016 07:54:52 host/client02 at DOMAIN.TLD (des-cbc-md5) 
   2 12/02/2016 07:54:52 host/client02 at DOMAIN.TLD (aes128-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:52 host/client02 at DOMAIN.TLD (aes256-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:52 host/client02 at DOMAIN.TLD (arcfour-hmac) 
   2 12/02/2016 07:54:53 nfs/client02.domain.tld at DOMAIN.TLD (des-cbc-crc) 
   2 12/02/2016 07:54:53 nfs/client02.domain.tld at DOMAIN.TLD (des-cbc-md5) 
   2 12/02/2016 07:54:53 nfs/client02.domain.tld at DOMAIN.TLD (aes128-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 nfs/client02.domain.tld at DOMAIN.TLD (aes256-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 nfs/client02.domain.tld at DOMAIN.TLD (arcfour-hmac) 
   2 12/02/2016 07:54:53 nfs/client02 at DOMAIN.TLD (des-cbc-crc) 
   2 12/02/2016 07:54:53 nfs/client02 at DOMAIN.TLD (des-cbc-md5) 
   2 12/02/2016 07:54:53 nfs/client02 at DOMAIN.TLD (aes128-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 nfs/client02 at DOMAIN.TLD (aes256-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 nfs/client02 at DOMAIN.TLD (arcfour-hmac) 
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-crc) 
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-md5) 
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes128-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96) 
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (arcfour-hmac) 

LDAP entry for client on DC:
# client02, Computers, domain.tld
dn: CN=client02,CN=Computers,DC=dom,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: client02
instanceType: 4
whenCreated: 20161118085936.0Z
uSNCreated: 5667
name: client02
objectGUID:: ### OBFUSCATED ###
userAccountControl: 69632
codePage: 0
countryCode: 0
primaryGroupID: 515
objectSid:: ### OBFUSCATED ###
accountExpires: ### OBFUSCATED ###
sAMAccountName: client02$
sAMAccountType: 805306369
dNSHostName: client02.domain.tld
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=dom,DC=lab
isCriticalSystemObject: FALSE
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/CLIENT02
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
servicePrincipalName: nfs/client02
pwdLastSet: 131245379770000000
whenChanged: 20161202065456.0Z
uSNChanged: 5733
distinguishedName: CN=client02,CN=Computers,DC=dom,DC=lab

### mount command on client02.domain.tld: 
# mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home


### syslog on the client:
Dec  2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec  2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:48 client02 rpc.gssd[10462]: process_krb5_upcall: service is '*'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld at DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld at DOMAIN.TLD'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld at DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld at DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld at DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec  2 08:01:49 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:49 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Dec  2 08:01:49 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:49 client02 rpc.gssd[10462]: process_krb5_upcall: service is '<null>'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld at DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld at DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld at DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld at DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld at DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec  2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clnt4194
Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4195
Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4194


### debug log on DC:
[2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=dom,DC=lab
   scope: sub
   expr: (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD))
   control: <NONE>
...
[2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=dom,DC=lab
   scope: sub
   expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld))
   control: <NONE>



Many thanks in advance and kind regards,
Matthias

On 28.11.2016 at 11:55, Marcel via samba wrote:
> On 2016-11-28 07:14, Matthias Kahle via samba wrote:
>> Hi Folks
> 
> Hi Matthias,
> 
>> I'm trying to share user home directories hosted on a Samba-4 member
>> server via NFSv4. Everything's working well with the Windows shares but
>> when it comes to kerberized NFSv4 it fails. I can't even mount the home
>> root directory via nfs on the server itself ("mount.nfsv4: access denied
>> by server while mounting ...").
>>
>> As far as I have tracked it down, it appears to me that the server is
>> searching in its database for a userPrincipalName=nfs/server.dom.tld
>> while I have added a servicePrincipalName nfs/server.dom.tld with the
>> samba-tool. Due to this neither the server is getting a TGT nor the
>> client a TGS ...
>>
>> Am I doing anything wrong? Is that behaviour intentional?
> 
> Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC
> can be quite tricky.
> 
> To track down the problem, you should run rpc.gssd (on client) and
> rpc.svcgssd (on server) with "-v -v -v". This might give you some
> more hints where to look.
> 
> You can read about the servicePrincipalNames your NFS client uses
> in the man page of rpc.gssd:
> 
>           <HOSTNAME>$@<REALM>
>           root/<hostname>@<REALM>
>           nfs/<hostname>@<REALM>
>           host/<hostname>@<REALM>
> 
> You should also check the listing of your keytab - if you're using
> the wrong syntax for your principalName, samba-tool will tell you
> it added an entry to the keytab (which in fact it didn't).
> 
> linux # ktutil
>> rkt /etc/krb5.keytab
>> list -e
> 
> 
>> Version affected is samba 4.2.10 from the official debian 8 repositories
>> (on DCs and the member server).
>>
>> Kind regards,
>> Matthias
> 
> Bye,
>    Marcel
> 
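As an added diagnostic illustration (not part of the thread), this Python script walks the rpc.gssd principal-selection order that Marcel quotes against a keytab listing and the computer object's LDIF, reproducing what the client syslog and the DC trace above show: rpc.gssd settles on the first candidate present in the keytab, while the KDC trace looks that name up only as userPrincipalName and sAMAccountName. The keytab excerpt and LDIF are constructed from the listings in the mail, and the FQDN$ form of the first candidate follows the client's syslog line rather than the man-page excerpt.

```python
import re

# Constructed excerpts modelled on the klist listing and LDAP entry in the mail.
KEYTAB_LISTING = """\
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""
LDIF_ENTRY = """\
dn: CN=client02,CN=Computers,DC=dom,DC=lab
sAMAccountName: client02$
dNSHostName: client02.domain.tld
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
"""

def keytab_principals(listing):
    """Distinct principals in a 'klist -ke' style listing (one line per enctype)."""
    found = set()
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s+\(", line)
        if m:
            found.add(m.group(1))
    return found

def gssd_candidates(hostname, realm):
    """Machine-credential principals rpc.gssd tries, in the order seen in the syslog above."""
    return [f"{hostname.upper()}$@{realm}", f"root/{hostname}@{realm}",
            f"nfs/{hostname}@{realm}", f"host/{hostname}@{realm}"]

def ldif_attrs(ldif):
    """Multi-valued attribute map from a minimal LDIF record."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def diagnose(listing, ldif, hostname, realm):
    """Which principal rpc.gssd will use, and whether the DC can resolve it as an account."""
    have = keytab_principals(listing)
    chosen = next((c for c in gssd_candidates(hostname, realm) if c in have), None)
    if chosen is None:
        return {"chosen": None, "account_match": False, "spn_present": False}
    attrs, name = ldif_attrs(ldif), chosen.split("@")[0]
    # The DC trace searches userPrincipalName=<full principal> and samAccountName=<name>.
    account = chosen in attrs.get("userPrincipalName", []) or name in attrs.get("sAMAccountName", [])
    return {"chosen": chosen, "account_match": account,
            "spn_present": name in attrs.get("servicePrincipalName", [])}
```

Run against the constructed data it reports the nfs/ principal as chosen, present as an SPN but matching no account name, which is the combination behind the "not found in Kerberos database" warning.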


