[Samba] Samba and kerberized NFSv4

Rowland Penny rpenny at samba.org
Fri Dec 2 11:12:50 UTC 2016

On Fri, 2 Dec 2016 11:05:50 +0100
Matthias Kahle via samba <samba at lists.samba.org> wrote:

> > Does it work if you manually add
> > userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry
> > and reexport the keytab?
> I already thought about trying that. So by now, I tried tweaking the
> client's LDAP entry.
> Adding
>   userPrincipalName=CLIENT02.DOMAIN.TLD
> does not succeeed, however, after reviewing the ldap filter once
> again, I added
>   userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD
> to the workstation's account  and finally, the mount does not return
> an error anymore. Though I can't access anything on the mounted share
> but I guess that's OK for now, because the users' home directories
> hosted there must not be accessible to the root user at all.
> However I don't expect that to be the right approach, not only
> because it requires a userPricipalName for a service but mainly
> because I even have to add the kerberos REALM ... or am I mistaken
> there? (please bear with me if that sounds stupid, I'm still somehow
> new to dealing with kerberos)
> Regards,
> Mathias

I don't normally use NFS, but I did try it out some time ago and I
didn't do it the way everybody else seems to be trying.
I created a user just for nfs and gave that a SPN 'nfs/FQDN', where
'FQDN' is the fully qualified name of the computer that is running the
NFS server.

This works for me, I just tried it again, mounting nfs shares from a DC
on a domain member.


More information about the samba mailing list