[Samba] NFSv4 / Krb / wildcard in keytab

Service Informatique IF ifinfo at ujf-grenoble.fr
Thu Mar 31 09:04:23 UTC 2016


Hi,

I'm trying to use a wildcard in a keytab because I don't want to join every
computer/client for the NFS krb5 service.

I add an SPN like this:

# samba-tool spn add host/* nfs

(I created the user nfs beforehand)

# samba-tool spn list nfs
nfs
User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following 
servicePrincipalName:
          host/*

I export the keytab:

  # samba-tool domain exportkeytab /tmp/wildcardnfs.keytab --principal=host/*

ktutil -k /tmp/wildcardnfs.keytab list
/tmp/wildcardnfs.keytab:

Vno  Type              Principal                  Aliases
   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR


I put this keytab on my client (named bataille) and restart rpc.gssd -vvvv.

I try to mount NFS, and in my client log I have:
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for
host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry 
(host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry 
for host/*@IF.UJF-GRENOBLE.FR

Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 
'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while getting 
initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using keytab 
'FILE:/etc/krb5.keytab'

Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found for 
connection to server ifsamba
Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
/run/rpc_pipefs/nfs/clnt1b
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
/run/rpc_pipefs/nfs/clnt1a

And on my server:

[2016/03/31 10:52:23.036664,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
ipv4:152.77.213.108:38741 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.038496,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
in hdb
[2016/03/31 10:52:23.046352,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
ipv4:152.77.213.108:34207 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.047710,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
in hdb

I want to use NFSv4 with krb but without joining all my clients to Samba4: is
it possible?

PS: I tried to create an SPN with HOST/* (host in uppercase) because when I
show the SPNs of a computer joined to Samba, I have this:


root@ifsamba:/scripts# samba-tool spn list CARTAN$
cartan$
User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the 
following servicePrincipalName:
          HOST/CARTAN
          HOST/cartan.if.ujf-grenoble.fr

but on my client rpc.gssd doesn't use the keytab when HOST is uppercase;
log:
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for
BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for
'BATAILLE$@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for
root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for
nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for
host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab
entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
(HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: 
gssd_refresh_krb5_machine_credential: no usable keytab entry found in 
keytab /etc/krb5.keytab for connection with host ifsamba
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for 
connection to server ifsamba


What is the right process?

Thank you in advance
Sim
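The two client logs above show what rpc.gssd actually does with a keytab before it ever talks to the KDC: it first asks for exact entries (BATAILLE$, then root/, nfs/ and host/ for the client's FQDN), and only then scans every entry for one whose service part equals one of those names. A host/* entry is reached by that fallback scan (six "NOT use" lines, then "WILL use"), but the following AS-REQ for the literal client principal host/* fails because the KDC has no such account ("no such entry found in hdb" in the server log); HOST/* is never selected at all because the service name is compared case-sensitively. The following is an added example by the editor, not code from the post, from nfs-utils or from Samba: it builds small keytabs in memory, parses them back, and replays that search order. The search order and the case-sensitive comparison are assumptions reconstructed from the posted logs, the principal and realm names are the ones in the post, and the keys are dummy bytes.

```python
"""Added example (editor's code, not from the list post, nfs-utils or Samba):
build keytabs in memory, parse them back, and replay the keytab-entry search
rpc.gssd does before asking the KDC for a ticket."""
import struct
import time

REALM = "IF.UJF-GRENOBLE.FR"
CLIENT_FQDN = "bataille.ujf-grenoble.fr"      # the client named in the post
SVCNAMES = ("root", "nfs", "host")             # rpc.gssd's preference order (assumed)
KRB5_NT_PRINCIPAL = 1
DES_CBC_CRC, DES_CBC_MD5, ARCFOUR_HMAC, AES256_CTS = 1, 3, 23, 18   # RFC 3961/3962 enctypes


def _counted(data, pos):
    """Read a uint16-length-prefixed string at pos; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version-0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key       # keyblock
        body += struct.pack(">I", kvno)                            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body                 # int32 entry size
    return bytes(out)


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab bytes (keys dropped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        if end - pos >= 4:                 # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries


def gssd_find_entry(entries, fqdn, realm, trace):
    """Replay rpc.gssd's search: exact names first, then a scan that takes the
    first entry whose service part equals a SVCNAME (case-sensitive) in realm."""
    principals = [p for p, _, _ in entries]
    short = fqdn.split(".")[0].upper()
    for cand in [f"{short}$@{realm}"] + [f"{s}/{fqdn}@{realm}" for s in SVCNAMES]:
        if cand in principals:
            trace.append(f"Success getting keytab entry for {cand}")
            return cand
        trace.append(f"No key table entry found for {cand}")
    for svc in SVCNAMES:
        for p in principals:
            name, prealm = p.rsplit("@", 1)
            comps = name.split("/")
            trace.append(f"Processing keytab entry for principal '{p}'")
            if len(comps) == 2 and comps[0] == svc and prealm == realm:
                trace.append(f"We WILL use this entry ({p})")
                return p
            trace.append(f"We will NOT use this entry ({p})")
    trace.append("ERROR: no usable keytab entry found")
    return None


# Constructed sample keytabs; the keys are dummy bytes, not real secrets.
WILDCARD_KEYTAB = build_keytab([(f"host/*@{REALM}", 1, et, b"\x11" * n)
                                for et, n in ((DES_CBC_CRC, 8), (DES_CBC_MD5, 8), (ARCFOUR_HMAC, 16))])
UPPER_KEYTAB = build_keytab([(f"HOST/*@{REALM}", 1, ARCFOUR_HMAC, b"\x22" * 16)])
PERHOST_KEYTAB = build_keytab([(f"{svc}/{CLIENT_FQDN}@{REALM}", 2, AES256_CTS, b"\x33" * 32)
                               for svc in ("host", "nfs")])


def demo(keytab_bytes):
    """Parse a keytab and run the rpc.gssd-style search for CLIENT_FQDN."""
    trace = []
    return gssd_find_entry(parse_keytab(keytab_bytes), CLIENT_FQDN, REALM, trace), trace
```

Running `demo()` on the three constructed keytabs reproduces the shape of the posted logs: the host/* keytab is chosen only on the seventh scanned entry, HOST/* is rejected nine times over and never used, and a per-host keytab (what exporting host/bataille.ujf-grenoble.fr or nfs/bataille.ujf-grenoble.fr for an account the KDC knows would yield) is found by the exact lookup, nfs/ being preferred over host/. The selection step is only half the story: the principal rpc.gssd picks is the one it then requests a TGT for, so the keytab must name a principal that exists as an account in the directory, which host/* does not. A wildcard key would also be one secret shared by every NFS client, with no way to revoke a single compromised host; a per-host principal and keytab keeps that blast radius to one machine.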
