[Samba] Samba and kerberized NFSv4

Achim Gottinger achim at ag-web.biz
Fri Dec 2 10:27:48 UTC 2016



On 02.12.2016 at 11:05, Matthias Kahle via samba wrote:
>> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry and reexport the keytab?
> I already thought about trying that. So by now, I tried tweaking the client's LDAP entry.
>
> Adding
>
>    userPrincipalName=CLIENT02.DOMAIN.TLD
>
> does not succeed, however, after reviewing the ldap filter once again, I added
>
>    userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD
>
> to the workstation's account and finally, the mount does not return an error anymore. Though I can't access anything on the mounted share, I guess that's OK for now, because the users' home directories hosted there must not be accessible to the root user at all.
>
> However, I don't expect that to be the right approach, not only because it requires a userPrincipalName for a service but mainly because I even have to add the kerberos REALM ... or am I mistaken there? (please bear with me if that sounds stupid, I'm still somehow new to dealing with kerberos)
>
> Regards,
> Mathias
>
Looking at the log file

Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'

At first CLIENT02.DOMAIN.TLD$ is searched. I'd try to define that as the 
client's UPN; I missed the $ earlier. Also, this UPN must be added to the 
keytab file. This can be achieved by

samba-tool domain exportkeytab --principal=client02$ /etc/krb5.keytab


Still a bit of a hack, but at least the UPN looks better.
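To check a keytab against the search order visible in that log before retrying the mount, here is an added Python example (not code from this thread or from nfs-utils). It parses constructed `klist -k` output, walks the three candidate names in the order the log shows, and reproduces the two failure modes seen above; the candidate order is taken from the log, and the names the KDC accepts as a client are modelled as a plain set.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output, modelled on the
# quoted log: only the nfs/ service principal is in the keytab. Not captured
# from the poster's machine.
KEYTAB_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client02.domain.tld@DOMAIN.TLD
"""

# Constructed: client names the KDC would accept in an AS-REQ, i.e. the
# workstation account's own name plus any userPrincipalName set on it.
KDC_CLIENTS_BEFORE = {"CLIENT02$@DOMAIN.TLD"}

def parse_klist(output):
    """Return the set of principals in `klist -k` output (KVNO column dropped)."""
    found = set()
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def gssd_candidates(fqdn, realm):
    """Principals rpc.gssd tried in the quoted log, in that order: upper-cased
    FQDN with '$', root/<fqdn>, nfs/<fqdn>. Order assumed from the log only."""
    return [f"{fqdn.upper()}$@{realm}", f"root/{fqdn}@{realm}", f"nfs/{fqdn}@{realm}"]

def diagnose(klist_output, kdc_clients, fqdn, realm):
    """Walk the candidates like rpc.gssd does and return (principal, outcome)
    for the first one present in the keytab. Outcome is 'ok', or the KDC-side
    failure from the log when the keytab name is not a known client; if no
    candidate is in the keytab at all, principal is None."""
    in_keytab = parse_klist(klist_output)
    for p in gssd_candidates(fqdn, realm):
        if p in in_keytab:
            return p, ("ok" if p in kdc_clients else "not in Kerberos database")
    return None, "no keytab entry for any candidate"

if __name__ == "__main__":
    print(diagnose(KEYTAB_BEFORE, KDC_CLIENTS_BEFORE, "client02.domain.tld", "DOMAIN.TLD"))
    # After adding the matching UPN and exporting it to the keytab (the two
    # steps suggested above), the first candidate succeeds:
    fixed_keytab = KEYTAB_BEFORE + "   2 CLIENT02.DOMAIN.TLD$@DOMAIN.TLD\n"
    fixed_kdc = KDC_CLIENTS_BEFORE | {"CLIENT02.DOMAIN.TLD$@DOMAIN.TLD"}
    print(diagnose(fixed_keytab, fixed_kdc, "client02.domain.tld", "DOMAIN.TLD"))
```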