[Samba] Samba and kerberized NFSv4

marcel at linux-ng.de marcel at linux-ng.de
Fri Dec 2 11:44:04 UTC 2016

Am 2016-12-02 12:12, schrieb Rowland Penny via samba:
> On Fri, 2 Dec 2016 11:05:50 +0100
> Matthias Kahle via samba <samba at lists.samba.org> wrote:
>> > Does it work if you manually add
>> > userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry
>> > and reexport the keytab?
>> I already thought about trying that. So by now, I tried tweaking the
>> client's LDAP entry.
>> Adding
>>   userPrincipalName=CLIENT02.DOMAIN.TLD
>> does not succeeed, however, after reviewing the ldap filter once
>> again, I added
>>   userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD
>> to the workstation's account  and finally, the mount does not return
>> an error anymore. Though I can't access anything on the mounted share
>> but I guess that's OK for now, because the users' home directories
>> hosted there must not be accessible to the root user at all.
>> However I don't expect that to be the right approach, not only
>> because it requires a userPricipalName for a service but mainly
>> because I even have to add the kerberos REALM ... or am I mistaken
>> there? (please bear with me if that sounds stupid, I'm still somehow
>> new to dealing with kerberos)
>> Regards,
>> Mathias
> I don't normally use NFS, but I did try it out some time ago and I
> didn't do it the way everybody else seems to be trying.
> I created a user just for nfs and gave that a SPN 'nfs/FQDN', where
> 'FQDN' is the fully qualified name of the computer that is running the
> NFS server.
> This works for me, I just tried it again, mounting nfs shares from a DC
> on a domain member.
> Rowland

Hi Rowland,

I just wanted to make sure: Your DCs are Samba based?

After mounting the nfs share, were you able to access files?


More information about the samba mailing list