[Samba] Samba and kerberized NFSv4

marcel at linux-ng.de
Fri Dec 2 11:44:04 UTC 2016


On 2016-12-02 12:12, Rowland Penny via samba wrote:
> On Fri, 2 Dec 2016 11:05:50 +0100
> Matthias Kahle via samba <samba at lists.samba.org> wrote:
> 
>> > Does it work if you manually add
>> > userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry
>> > and reexport the keytab?
>> 
>> I already thought about trying that. So by now, I tried tweaking the
>> client's LDAP entry.
>> 
>> Adding
>> 
>>   userPrincipalName=CLIENT02.DOMAIN.TLD
>> 
>> does not succeed. However, after reviewing the LDAP filter once
>> again, I added
>> 
>>   userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD
>> 
>> to the workstation's account, and finally the mount does not return
>> an error anymore. I can't access anything on the mounted share, but
>> I guess that's OK for now, because the users' home directories
>> hosted there must not be accessible to the root user at all.
>> 
>> However, I don't expect that to be the right approach, not only
>> because it requires a userPrincipalName for a service but mainly
>> because I even have to add the Kerberos REALM ... or am I mistaken
>> there? (Please bear with me if that sounds stupid; I'm still somewhat
>> new to dealing with Kerberos.)
>> 
>> Regards,
>> Mathias
>> 
> 
> I don't normally use NFS, but I did try it out some time ago and I
> didn't do it the way everybody else seems to be trying.
> I created a user just for nfs and gave that a SPN 'nfs/FQDN', where
> 'FQDN' is the fully qualified name of the computer that is running the
> NFS server.
> 
> This works for me; I just tried it again, mounting NFS shares from a DC
> on a domain member.
> 
> Rowland

Hi Rowland,

I just wanted to make sure: are your DCs Samba-based?

After mounting the nfs share, were you able to access files?

Bye,
   Marcel
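The thread above turns on which directory attribute lets the KDC find the principal a kerberized NFSv4 client asks for, nfs/<fqdn>@<REALM>. The following is an added checker, not code from the list or from Samba: it assumes the KDC accepts either an exact servicePrincipalName match (no realm) or an exact userPrincipalName match (with realm), and it uses constructed account data mirroring the three variants discussed (bare UPN, UPN with realm, dedicated user with SPN).

```python
"""Which AD/Samba account attribute satisfies an NFS service principal?

Added example (not from the thread or Samba). Assumed KDC lookup rule:
a servicePrincipalName equal to the service part (nfs/<fqdn>, no realm)
or a userPrincipalName equal to the full principal (with @REALM) matches.
Comparisons are case-insensitive, as AD treats these attributes.
"""
from typing import Dict, List, Optional, Union

Account = Dict[str, Union[str, List[str]]]

# Constructed sample data modelled on the thread (not real accounts).
REALM = "DOMAIN.TLD"
CLIENT_FQDN = "client02.domain.tld"
ATTEMPTS: Dict[str, Account] = {
    # First attempt: bare host name as UPN -> no nfs/ service part at all.
    "bare-upn": {"userPrincipalName": "CLIENT02.DOMAIN.TLD"},
    # Second attempt: full principal, realm included, as UPN.
    "full-upn": {"userPrincipalName": "nfs/client02.domain.tld@DOMAIN.TLD"},
    # Rowland's approach: dedicated user carrying the SPN, no realm needed.
    "dedicated-user-spn": {"servicePrincipalName": ["nfs/client02.domain.tld"]},
}


def nfs_principal(fqdn: str, realm: str) -> str:
    """Principal a kerberized NFSv4 client requests for host ``fqdn``."""
    return f"nfs/{fqdn.lower()}@{realm.upper()}"


def matching_attribute(account: Account, principal: str) -> Optional[str]:
    """Return the attribute that satisfies ``principal``, or None."""
    service, _realm = principal.split("@", 1)
    spns = account.get("servicePrincipalName", [])
    if any(spn.lower() == service.lower() for spn in spns):
        return "servicePrincipalName"
    upn = account.get("userPrincipalName")
    if isinstance(upn, str) and upn.lower() == principal.lower():
        return "userPrincipalName"
    return None


def report(fqdn: str = CLIENT_FQDN, realm: str = REALM) -> Dict[str, Optional[str]]:
    """Evaluate every constructed attempt against the client's principal."""
    wanted = nfs_principal(fqdn, realm)
    return {name: matching_attribute(acct, wanted) for name, acct in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, attr in report().items():
        print(f"{name:20s} -> {attr or 'no match (mount will fail)'}")
```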