[Samba] Samba and kerberized NFSv4

L.P.H. van Belle belle at bazuin.nl
Fri Dec 2 09:28:01 UTC 2016


Hi,

Maybe not the best solution but a working workaround. 

You can try adjusting your idmapd.conf.

Set: Local-Realm = DOMAIN.TLD
and make sure your local domain is set and matches the primary DNS domain.

Change this one to: 
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

And add:

# map the computer names to user root.
[Static]
CLIENT02$@DOMAIN.TLD = root
host/client02.domain.tld@DOMAIN.TLD = root
nfs/client02.domain.tld@DOMAIN.TLD = root

Now, in the static section, one of these fixes the mount problem.
Which one I don't know; depending on your problem, find which one.
Remove one at a time, and reboot the server every time to make sure everything is mounted on boot.

And after you have found it, you can adjust the keytab entries.

This workaround works; I had the same problem, I just did not have time to fix it correctly.

And as a pointer, here is where it's going wrong:
CLIENT02.DOMAIN.TLD$@DOMAIN.TLD

A FQDN with $@REALM, which should not be there.

And last, I needed this for my systemd setup:

(nfs client side) 
/etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf
[Unit]
Before=remote-fs-pre.target
Wants=remote-fs-pre.target


Greetz, 

Louis
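As an added check that is not part of this thread, the script below compares a `klist -ke` style keytab listing against the principal forms rpc.gssd tried in Matthias's syslog, flags the FQDN$ versus short-name machine-account gap Louis points at, and lists entries keyed with DES or RC4 enctypes. The listing is a constructed sample modelled on the one quoted below; the script checks only the keytab side, not whether the KDC will issue a ticket for the principal it finds.

```python
import re

# Constructed sample modelled on the keytab listing quoted in this thread;
# only a handful of the entries, with '@' restored where the list archive
# had replaced it by ' at '.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

# KVNO, date, time, principal, (enctype)
KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# Single-DES and RC4 keys: still written by 'net ads keytab create' in the
# listing above, but nothing a hardened client should keep relying on.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def parse_klist(text):
    """Return (principal, enctype) pairs from 'klist -ke' style output."""
    return [m.groups() for m in map(KLIST_LINE.match, text.splitlines()) if m]

def gssd_candidates(fqdn, realm):
    """Principals rpc.gssd tried, in the order seen in the syslog quoted below."""
    return [f"{fqdn.upper()}$@{realm}", f"root/{fqdn}@{realm}",
            f"nfs/{fqdn}@{realm}", f"host/{fqdn}@{realm}"]

def check_keytab(text, fqdn, realm):
    """Report which gssd candidates the keytab can serve, the FQDN$ versus
    short-name machine-account gap, and principals keyed with weak enctypes."""
    entries = parse_klist(text)
    present = {p for p, _ in entries}
    candidates = gssd_candidates(fqdn, realm)
    usable = [c for c in candidates if c in present]
    # The keytab holds the machine account as CLIENT02$@REALM (short name),
    # while gssd asked for CLIENT02.DOMAIN.TLD$@REALM: that is the mismatch.
    short_acct = f"{fqdn.split('.')[0].upper()}$@{realm}"
    mismatch = None
    if short_acct in present and candidates[0] not in present:
        mismatch = (candidates[0], short_acct)
    weak = sorted({p for p, e in entries if e in WEAK_ENCTYPES})
    return {"usable": usable, "mismatch": mismatch, "weak": weak}

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KLIST, "client02.domain.tld", "DOMAIN.TLD"))
```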


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthias Kahle
> via samba
> Sent: Friday 2 December 2016 9:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and kerberized NFSv4
> 
> Just noticed in the LDAP entry I forgot to replace my test environment
> entries dom (=domain) and lab (=tld)
> 
> On 02.12.2016 at 08:51, Matthias Kahle wrote:
> > Hi Marcel
> >
> > thx. for your fast response. I didn't manage to follow up sooner. I had
> > already verbose logging turned on but I don't seem to find the real
> > reason why the domain controller searches for a userPrincipalName instead
> > of servicePrincipalName.
> >
> > Because I wasn't sure whether it is the nfs client process or the server
> > process that failed to get the kerberos ticket when I tried the nfs-mount
> > locally on the server, I went to a client workstation and tried again to
> > mount the nfs exported directory from the server.
> >
> > I'm attaching some more information below. Regarding the timestamps,
> > please be informed that the server is using UTC, while the client
> > workstation is configured to use CET (UTC+1) (Domain, client and server
> > names are changed)
> >
> > /etc/krb5.keytab (created by net ads keytab create -P):
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Timestamp           Principal
> > ---- ------------------- ------------------------------------------------------
> >    2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
> >    2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
> >    2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
> >    2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-crc)
> >    2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-md5)
> >    2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (arcfour-hmac)
> >    2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
> >    2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
> >    2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
> >    2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-crc)
> >    2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-md5)
> >    2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (arcfour-hmac)
> >    2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-crc)
> >    2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-md5)
> >    2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> >    2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (arcfour-hmac)
> >
> > LDAP entry for client on DC:
> > # client02, Computers, domain.tld
> > dn: CN=client02,CN=Computers,DC=dom,DC=lab
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > objectClass: computer
> > cn: client02
> > instanceType: 4
> > whenCreated: 20161118085936.0Z
> > uSNCreated: 5667
> > name: client02
> > objectGUID:: ### OBFUSCATED ###
> > userAccountControl: 69632
> > codePage: 0
> > countryCode: 0
> > primaryGroupID: 515
> > objectSid:: ### OBFUSCATED ###
> > accountExpires: ### OBFUSCATED ###
> > sAMAccountName: client02$
> > sAMAccountType: 805306369
> > dNSHostName: client02.domain.tld
> > objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=dom,DC=lab
> > isCriticalSystemObject: FALSE
> > msDS-SupportedEncryptionTypes: 31
> > servicePrincipalName: HOST/CLIENT02
> > servicePrincipalName: HOST/client02.domain.tld
> > servicePrincipalName: nfs/client02.domain.tld
> > servicePrincipalName: nfs/client02
> > pwdLastSet: 131245379770000000
> > whenChanged: 20161202065456.0Z
> > uSNChanged: 5733
> > distinguishedName: CN=client02,CN=Computers,DC=dom,DC=lab
> >
> > ### mount command on client02.domain.tld:
> > # mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
> > mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home
> >
> >
> > ### syslog on the client:
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: process_krb5_upcall: service is '*'
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
> > Dec  2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: process_krb5_upcall: service is '<null>'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clnt4194
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4195
> > Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4194
> >
> >
> > ### debug log on DC:
> > [2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
> >   ldb: ldb_trace_request: SEARCH
> >    dn: DC=dom,DC=lab
> >    scope: sub
> >    expr: (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD))
> >    control: <NONE>
> > ...
> > [2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
> >   ldb: ldb_trace_request: SEARCH
> >    dn: DC=dom,DC=lab
> >    scope: sub
> >    expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld))
> >    control: <NONE>
> >
> >
> >
> > Many thanks in advance and kind regards,
> > Matthias
> >
> > On 28.11.2016 at 11:55, Marcel via samba wrote:
> >> On 2016-11-28 07:14, Matthias Kahle via samba wrote:
> >>> Hi Folks
> >>
> >> Hi Matthias,
> >>
> >>> I'm trying to share user home directories hosted on a Samba-4 member
> >>> server via NFSv4. Everything's working well with the Windows shares but
> >>> when it comes to kerberized NFSv4 it fails. I can't even mount the home
> >>> root directory via nfs on the server itself ("mount.nfsv4: access denied
> >>> by server while mounting ...").
> >>>
> >>> As far as I have tracked it down, it appears to me that the server is
> >>> searching in its database for a userPrincipalName=nfs/server.dom.tld
> >>> while I have added a servicePrincipalName nfs/server.dom.tld with the
> >>> samba-tool. Due to this neither the server is getting a TGT nor the
> >>> client a TGS ...
> >>>
> >>> Am I doing anything wrong? Is that behaviour intentional?
> >>
> >> Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC
> >> can be quite tricky.
> >>
> >> To track down the problem, you should run rpc.gssd (on client) and
> >> rpc.svcgssd (on server) with "-v -v -v". This might give you some
> >> more hints where to look.
> >>
> >> You can read about the servicePrincipalNames your NFS client uses
> >> in the man page of rpc.gssd:
> >>
> >>           <HOSTNAME>$@<REALM>
> >>           root/<hostname>@<REALM>
> >>           nfs/<hostname>@<REALM>
> >>           host/<hostname>@<REALM>
> >>
> >> You should also check the listing of your keytab - if you're using
> >> the wrong syntax for your principalName, samba-tool will tell you
> >> it added an entry to the keytab (which in fact it didn't).
> >>
> >> linux # ktutil
> >>> rkt /etc/krb5.keytab
> >>> list -e
> >>
> >>
> >>> Version affected is samba 4.2.10 from the official debian 8 repositories
> >>> (on DCs and the member server).
> >>>
> >>> Kind regards,
> >>> Matthias
> >>
> >> Bye,
> >>    Marcel
> >>
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



