[Samba] NFSv4 / Krb / wildcard in keytab

Rowland penny rpenny at samba.org
Thu Mar 31 09:44:02 UTC 2016


On 31/03/16 10:04, Service Informatique IF wrote:
> Hi,
>
> I'm trying to use a wildcard in the keytab because I don't want to join every 
> computer (client) for the NFS krb5 service.
>
> I added an SPN like this:
>
> # samba-tool spn add host/* nfs
>
> (I created the user nfs beforehand)
>
> # samba-tool spn list nfs
> nfs
> User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following 
> servicePrincipalName:
>          host/*
>
> I export the keytab:
>
>  # samba-tool domain exportkeytab /tmp/wildcardnfs.keytab 
> --principal=host/*
>
> ktutil -k /tmp/wildcardnfs.keytab list
> /tmp/wildcardnfs.keytab:
>
> Vno  Type              Principal                  Aliases
>   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
>   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
>   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
>
>
> I put this keytab on my client (its name is bataille) and restarted rpc.gssd 
> -vvvv.
>
> I try to mount NFS and in my client log I have:
> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
> root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
> nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
> host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
> principal 'host/*@IF.UJF-GRENOBLE.FR'
> Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry 
> (host/*@IF.UJF-GRENOBLE.FR)
> Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry 
> for host/*@IF.UJF-GRENOBLE.FR
>
> Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 
> 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while 
> getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using 
> keytab 'FILE:/etc/krb5.keytab'
>
> Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found 
> for connection to server ifsamba
> Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
> Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
> /run/rpc_pipefs/nfs/clnt1b
> Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
> /run/rpc_pipefs/nfs/clnt1a
>
> And on my server:
>
> [2016/03/31 10:52:23.036664,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
> ipv4:152.77.213.108:38741 for 
> krbtgt/IF.UJF-GRENOBLE.FR at IF.UJF-GRENOBLE.FR
> [2016/03/31 10:52:23.038496,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
> in hdb
> [2016/03/31 10:52:23.046352,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
> ipv4:152.77.213.108:34207 for 
> krbtgt/IF.UJF-GRENOBLE.FR at IF.UJF-GRENOBLE.FR
> [2016/03/31 10:52:23.047710,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
> in hdb
>
> I wish to use NFSv4 with krb but without joining all my clients to Samba4: 
> is it possible?
>
> PS: I tried to create an SPN with HOST/* (host uppercase) because when I 
> show the SPNs of a computer joined to Samba, I have this:
>
>
> root at ifsamba:/scripts# samba-tool spn list CARTAN$
> cartan$
> User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the 
> following servicePrincipalName:
>          HOST/CARTAN
>          HOST/cartan.if.ujf-grenoble.fr
>
> but on my client rpc.gssd doesn't use the keytab when HOST is uppercase. 
> Log:
> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
> BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for 
> 'BATAILLE$@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
> root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
> nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
> host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab 
> entry for 'host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
> (HOST/*@IF.UJF-GRENOBLE.FR)
> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: 
> gssd_refresh_krb5_machine_credential: no usable keytab entry found in 
> keytab /etc/krb5.keytab for connection with host ifsamba
> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found 
> for connection to server ifsamba
>
>
> What is the right process?
>
> Thank you in advance
> Sim
>

I thought the whole idea of Kerberos was to authenticate 'something' or 
'someone' without passing passwords.

As far as I am aware, 'something' or 'someone' must be in the Kerberos 
database and I don't think using '*' is going to work, as this would 
allow anybody to gain access to your network. Do you really want this?

Rowland
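As an added illustration (not part of the thread, and not Samba or nfs-utils code), the following keytab audit applies the principal search order that the rpc.gssd log above makes visible (the machine account BATAILLE$, then root/, nfs/ and host/ for the client's FQDN), flags wildcard entries, which the KDC cannot answer an AS-REQ for ("no such entry found in hdb" in the server log), and flags the DES and RC4 enctypes the exported keytab contains as weak. The sample `ktutil list` output is constructed from the thread, with one extra aes256 entry for the nfs/ principal added to show a usable line.

```python
"""Audit an NFS client's Kerberos keytab for entries rpc.gssd can actually use."""
import re

# Search order rpc.gssd shows in the thread's client log, after the machine account.
SERVICES = ("root", "nfs", "host")
# Deprecated enctypes (RFC 6649 for DES, RFC 8429 for RC4); present in the exported keytab.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}

# Constructed sample modelled on the `ktutil -k ... list` output in the thread,
# plus one hypothetical aes256 entry for the client's own nfs/ principal.
SAMPLE_KTUTIL = """\
/tmp/wildcardnfs.keytab:

Vno  Type              Principal                  Aliases
  1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
  1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
  1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
  2  aes256-cts-hmac-sha1-96  nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR
"""

# Entry lines start with a numeric key version, which the header and path lines do not.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


def parse_ktutil(text):
    """Return (vno, enctype, principal) tuples from `ktutil list` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, fqdn, realm):
    """Compare keytab contents against the principals rpc.gssd looks for on this client."""
    entries = parse_ktutil(text)
    present = {principal for _, _, principal in entries}
    machine = f"{fqdn.split('.')[0].upper()}$@{realm}"  # e.g. BATAILLE$@REALM
    wanted = [machine] + [f"{svc}/{fqdn}@{realm}" for svc in SERVICES]
    return {
        "usable": [p for p in wanted if p in present],
        "missing": [p for p in wanted if p not in present],
        # A wildcard entry names no real principal, so the KDC rejects the AS-REQ.
        "wildcards": sorted(p for p in present if "*" in p.split("@")[0]),
        "weak_enctypes": sorted({(p, e) for _, e, p in entries if e in WEAK_ENCTYPES}),
    }


if __name__ == "__main__":
    for key, value in audit_keytab(SAMPLE_KTUTIL, "bataille.ujf-grenoble.fr",
                                   "IF.UJF-GRENOBLE.FR").items():
        print(f"{key}: {value}")
```

Run it against real `ktutil -k /etc/krb5.keytab list` output to see at a glance whether a client has a per-host principal or only a wildcard.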
