[Samba] Samba and kerberized NFSv4
Rowland Penny
rpenny at samba.org
Fri Dec 2 11:12:50 UTC 2016
On Fri, 2 Dec 2016 11:05:50 +0100
Matthias Kahle via samba <samba at lists.samba.org> wrote:
> > Does it work if you manually add
> > userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry
> > and reexport the keytab?
>
> I already thought about trying that. So by now, I tried tweaking the
> client's LDAP entry.
>
> Adding
>
> userPrincipalName=CLIENT02.DOMAIN.TLD
>
> does not succeed, however, after reviewing the ldap filter once
> again, I added
>
> userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD
>
> to the workstation's account and finally, the mount does not return
> an error anymore. Though I can't access anything on the mounted share
> but I guess that's OK for now, because the users' home directories
> hosted there must not be accessible to the root user at all.
>
> However I don't expect that to be the right approach, not only
> because it requires a userPrincipalName for a service but mainly
> because I even have to add the kerberos REALM ... or am I mistaken
> there? (please bear with me if that sounds stupid, I'm still somehow
> new to dealing with kerberos)
>
> Regards,
> Mathias
>
I don't normally use NFS, but I did try it out some time ago and I
didn't do it the way everybody else seems to be trying.
I created a user just for nfs and gave that a SPN 'nfs/FQDN', where
'FQDN' is the fully qualified name of the computer that is running the
NFS server.
This works for me, I just tried it again, mounting nfs shares from a DC
on a domain member.
Rowland
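The approach Rowland describes (a dedicated account carrying the `nfs/FQDN` SPN, with its key exported to a keytab) as an added worked example; this is not code from the thread or from the Samba project, and the account name `nfs-svc`, the host `nfs01.domain.tld`, the realm `DOMAIN.TLD` and the keytab path are assumed placeholders. It runs in dry-run mode by default and only prints the `samba-tool` commands it would execute on a DC:

```shell
#!/bin/sh
# Added example (not from the thread): create a dedicated NFS service account
# on a Samba AD DC, attach the nfs/FQDN SPN to it and export the keytab.
# Assumed names: account "nfs-svc", NFS server "nfs01.domain.tld", realm
# "DOMAIN.TLD". DRY_RUN=1 prints the commands instead of running them.

NFS_HOST="${NFS_HOST:-nfs01.domain.tld}"
REALM="${REALM:-DOMAIN.TLD}"
SVC_USER="${SVC_USER:-nfs-svc}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
DRY_RUN="${DRY_RUN:-1}"

# SPN as stored on the account: service class plus host FQDN, no realm.
nfs_spn() {
    printf 'nfs/%s' "$1"
}

# Full principal as used for the keytab export: SPN plus the Kerberos realm.
nfs_principal() {
    printf 'nfs/%s@%s' "$1" "$2"
}

# Sanity check before touching the directory: "nfs/" + lower-case FQDN + "@"
# + upper-case realm. Mixed case or a missing realm is the usual typo.
valid_principal() {
    case "$1" in
        nfs/*@*) ;;
        *) return 1 ;;
    esac
    host=${1#nfs/}; host=${host%@*}
    realm=${1##*@}
    [ "$host" = "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || return 1
    case "$host" in *.*) ;; *) return 1 ;; esac
    return 0
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_nfs_service() {
    spn=$(nfs_spn "$NFS_HOST")
    princ=$(nfs_principal "$NFS_HOST" "$REALM")
    valid_principal "$princ" || { echo "bad principal: $princ" >&2; return 1; }
    # 1. Dedicated account with a random password that never expires; the
    #    keytab holds the key, nobody logs in with this account interactively.
    run samba-tool user create "$SVC_USER" --random-password
    run samba-tool user setexpiry "$SVC_USER" --noexpiry
    # 2. Attach the SPN to the account.
    run samba-tool spn add "$spn" "$SVC_USER"
    # 3. Export the key for that principal. Copy the keytab to the NFS server
    #    as root with mode 0600; it is equivalent to the account's password.
    run samba-tool domain exportkeytab "$KEYTAB" --principal="$princ"
    # 4. Verify what the directory and the keytab now contain.
    run samba-tool spn list "$SVC_USER"
    run klist -k "$KEYTAB"
}

[ -n "${NO_AUTORUN:-}" ] || setup_nfs_service
```

Run it with `DRY_RUN=1` first and compare the printed principal against the output of `klist -k` on the NFS server: the keytab entry must read `nfs/<fqdn>@<REALM>` with the realm in upper case, which is the form that made the mount succeed in the quoted message.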