[Samba] Samba and kerberized NFSv4

Achim Gottinger achim at ag-web.biz
Fri Dec 2 08:08:11 UTC 2016



On 02.12.2016 at 08:51, Matthias Kahle via samba wrote:
> Hi Marcel
>
> thx. for your fast response. I didn't manage to follow up sooner. I already had verbose logging turned on, but I don't seem to find the real reason why the domain controller searches for a userPrincipalName instead of a servicePrincipalName.
>
> Because I wasn't sure whether it is the nfs client process or the server process that failed to get the kerberos ticket when I tried the nfs-mount locally on the server, I went to a client workstation and tried again to mount the nfs exported directory from the server.
>
> I'm attaching some more information below. Regarding the timestamps, please be informed that the server is using UTC, while the client workstation is configured to use CET (UTC+1) (Domain, client and server names are changed)
>
> /etc/krb5.keytab (created by net ads keytab create -P):
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>     2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
>     2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
>     2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
>     2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-crc)
>     2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-md5)
>     2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (arcfour-hmac)
>     2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
>     2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
>     2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
>     2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-crc)
>     2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-md5)
>     2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (arcfour-hmac)
>     2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-crc)
>     2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-md5)
>     2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>     2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (arcfour-hmac)
>
> LDAP entry for client on DC:
> # client02, Computers, domain.tld
> dn: CN=client02,CN=Computers,DC=dom,DC=lab
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: client02
> instanceType: 4
> whenCreated: 20161118085936.0Z
> uSNCreated: 5667
> name: client02
> objectGUID:: ### OBFUSCATED ###
> userAccountControl: 69632
> codePage: 0
> countryCode: 0
> primaryGroupID: 515
> objectSid:: ### OBFUSCATED ###
> accountExpires: ### OBFUSCATED ###
> sAMAccountName: client02$
> sAMAccountType: 805306369
> dNSHostName: client02.domain.tld
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=dom,DC=lab
> isCriticalSystemObject: FALSE
> msDS-SupportedEncryptionTypes: 31
> servicePrincipalName: HOST/CLIENT02
> servicePrincipalName: HOST/client02.domain.tld
> servicePrincipalName: nfs/client02.domain.tld
> servicePrincipalName: nfs/client02
> pwdLastSet: 131245379770000000
> whenChanged: 20161202065456.0Z
> uSNChanged: 5733
> distinguishedName: CN=client02,CN=Computers,DC=dom,DC=lab
>
> ### mount command on client02.domain.tld:
> # mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
> mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home
>
>
> ### syslog on the client:
> Dec  2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec  2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
> Dec  2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec  2 08:01:48 client02 rpc.gssd[10462]: process_krb5_upcall: service is '*'
> Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
> Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
> Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
> Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
> Dec  2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
> Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
> Dec  2 08:01:49 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec  2 08:01:49 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> Dec  2 08:01:49 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
> Dec  2 08:01:49 client02 rpc.gssd[10462]: process_krb5_upcall: service is '<null>'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
> Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
> Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
> Dec  2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clnt4194
> Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4195
> Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4194
>
>
> ### debug log on DC:
> [2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
>    ldb: ldb_trace_request: SEARCH
>     dn: DC=dom,DC=lab
>     scope: sub
>     expr: (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD))
>     control: <NONE>
> ...
> [2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
>    ldb: ldb_trace_request: SEARCH
>     dn: DC=dom,DC=lab
>     scope: sub
>     expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld))
>     control: <NONE>
>
>
>
> Many thanks in advance and kind regards,
> Matthias
>
> On 28.11.2016 at 11:55, Marcel via samba wrote:
>> On 2016-11-28 07:14, Matthias Kahle via samba wrote:
>>> Hi Folks
>> Hi Matthias,
>>
>>> I'm trying to share user home directories hosted on a Samba-4 member
>>> server via NFSv4. Everything's working well with the Windows shares but
>>> when it comes to kerberized  NFSv4 it fails. I can't even mount the home
>>> root directory via nfs on the server itself ("mount.nfsv4: access denied
>>> by server while mounting ...").
>>>
>>> As far as I have tracked it down, it appears to me that the server is
>>> searching in its database for a userPrincipalName=nfs/server.dom.tld
>>> while I have added a servicePrincipalName nfs/server.dom.tld with the
>>> samba-tool. Due to this, neither the server is getting a TGT nor the
>>> client a TGS ...
>>>
>>> Am I doing anything wrong? Is that behaviour intentional?
>> Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC
>> can be quite tricky.
>>
>> To track down the problem, you should run rpc.gssd (on client) and
>> rpc.svcgssd (on server) with "-v -v -v". This might give you some
>> more hints where to look.
>>
>> You can read about the servicePrincipalNames your NFS client uses
>> in the man page of rpc.gssd:
>>
>>            <HOSTNAME>$@<REALM>
>>            root/<hostname>@<REALM>
>>            nfs/<hostname>@<REALM>
>>            host/<hostname>@<REALM>
>>
>> You should also check the listing of your keytab - if you're using
>> the wrong syntax for your principalName, samba-tool will tell you
>> it added an entry to the keytab (which in fact it didn't).
>>
>> linux # ktutil
>>> rkt /etc/krb5.keytab
>>> list -e
>>
>>> Version affected is samba 4.2.10 from the official debian 8 repositories
>>> (on DCs and the member server).
>>>
>>> Kind regards,
>>> Matthias
>> Bye,
>>     Marcel
>>
Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD
to your client's ldap entry and re-export the keytab?
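The mismatch the thread's logs show can be checked offline before touching the DC: rpc.gssd picks the first candidate principal that has a keytab entry, but an AD KDC will only issue an initial ticket if that name resolves to an account by userPrincipalName or sAMAccountName (the two LDAP searches in the DC debug log above). The script below, an added example that is not code from this thread or from Samba, parses a `klist -ke`-style keytab listing, walks the candidate order quoted from the rpc.gssd man page, and reports whether the chosen principal is one the KDC can look up. The keytab text and LDAP attributes are constructed to mirror the posted ones; the candidate order and the UPN/sAMAccountName lookup rule are assumptions taken from the thread, not verified against the rpc.gssd or Samba sources.

```python
"""Offline check: which principal will rpc.gssd use, and will the AD KDC
accept it as an AS-REQ client?  Added example, not code from the thread.

Assumptions (from the thread, not verified against source):
  * rpc.gssd tries, in order, <HOSTNAME>$@REALM, root/<host>@REALM,
    nfs/<host>@REALM, host/<host>@REALM and uses the first one present
    in the keytab.
  * The AD KDC resolves the client name via userPrincipalName, then
    sAMAccountName@REALM (the two LDAP searches in the DC debug log).
"""
import re

# "   2 12/02/2016 07:54:52 nfs/host@REALM (aes256-cts-hmac-sha1-96)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed keytab listing, shaped like the one posted (one enctype each).
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

# Constructed LDAP attributes: as posted (no UPN), and with a UPN added.
LDAP_AS_POSTED = {"sAMAccountName": ["client02$"]}
LDAP_WITH_UPN = {
    "sAMAccountName": ["client02$"],
    "userPrincipalName": ["nfs/client02.domain.tld@DOMAIN.TLD"],
}


def parse_klist(text):
    """Return {principal: set(enctypes)} from klist -ke style output."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(4), set()).add(m.group(5))
    return entries


def gssd_candidates(hostname, realm):
    """Machine-credential principals rpc.gssd tries, in order (assumed)."""
    return [
        f"{hostname.upper()}$@{realm}",
        f"root/{hostname}@{realm}",
        f"nfs/{hostname}@{realm}",
        f"host/{hostname}@{realm}",
    ]


def ad_client_names(ldap_entry, realm):
    """Names the AD KDC can resolve to this account (lower-cased, since
    AD compares these attributes case-insensitively)."""
    names = {u.lower() for u in ldap_entry.get("userPrincipalName", [])}
    for sam in ldap_entry.get("sAMAccountName", []):
        names.add(f"{sam}@{realm}".lower())
    return names


def diagnose(keytab, ldap_entry, hostname, realm):
    """Return (principal rpc.gssd will use or None, usable, reason)."""
    accepted = ad_client_names(ldap_entry, realm)
    for cand in gssd_candidates(hostname, realm):
        if cand not in keytab:          # keytab lookup is exact-match
            continue
        if cand.lower() in accepted:
            return cand, True, "keytab entry exists and the KDC can resolve it"
        return cand, False, ("keytab entry exists but no userPrincipalName/"
                             "sAMAccountName matches; KDC will answer "
                             "'client not found in Kerberos database'")
    return None, False, "none of the candidate principals is in the keytab"


if __name__ == "__main__":
    kt = parse_klist(SAMPLE_KEYTAB)
    for label, entry in (("as posted", LDAP_AS_POSTED), ("with UPN", LDAP_WITH_UPN)):
        print(label, diagnose(kt, entry, "client02.domain.tld", "DOMAIN.TLD"))
```

Run as is, the "as posted" case selects nfs/client02.domain.tld@DOMAIN.TLD (the first candidate with a keytab entry, exactly as the syslog shows) and flags it as unresolvable by the KDC, which is the WARNING in the log; adding a matching userPrincipalName turns the same selection into a usable one.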



