[Samba] NFSv4 / Krb / wildcard in keytab

L.P.H. van Belle belle at bazuin.nl
Thu Mar 31 09:46:11 UTC 2016


So, a bit more "correct" info. 

I can tell that it IS possible, but! 
You need to use an ACL file and, as far as I could find, you need kadmind for it; at least that's what I found. 

Read: 
http://techpubs.spinlocksolutions.com/dklar/kerberos.html 
and 
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-server.html 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Thursday 31 March 2016 11:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
> 
> Sorry, my previous one was totally wrong..
> Forget that one.
> 
> Greetz,
> 
> Louis
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Thursday 31 March 2016 11:25
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
> >
> > Try it like:
> >
> > http/%s at DOMAIN.COM
> >
> > not http/*@DOMAIN.COM
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Service Informatique IF
> > > Sent: Thursday 31 March 2016 11:04
> > > To: samba at lists.samba.org
> > > CC: ifinfo at ujf-grenoble.fr
> > > Subject: [Samba] NFSv4 / Krb / wildcard in keytab
> > >
> > > Hi,
> > >
> > > I'm trying to use a wildcard in the keytab because I don't want to join every
> > > computer/client for the NFS krb5 service.
> > >
> > > I add an SPN like this:
> > >
> > > # samba-tool spn add host/* nfs
> > >
> > > (I created the user nfs beforehand)
> > >
> > > # samba-tool spn list nfs
> > > nfs
> > > User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following
> > > servicePrincipalName:
> > >           host/*
> > >
> > > I export the keytab:
> > >
> > >   # samba-tool domain exportkeytab /tmp/wildcardnfs.keytab --principal=host/*
> > >
> > > ktutil -k /tmp/wildcardnfs.keytab list
> > > /tmp/wildcardnfs.keytab:
> > >
> > > Vno  Type              Principal                  Aliases
> > >    1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
> > >    1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
> > >    1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
> > >
> > >
> > > I put this keytab on my client (its name is bataille) and restart rpc.gssd -vvvv
> > >
> > > I try to mount NFS and in my client log I have:
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry (host/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry for host/*@IF.UJF-GRENOBLE.FR
> > >
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using keytab 'FILE:/etc/krb5.keytab'
> > >
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found for connection to server ifsamba
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1b
> > > Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1a
> > >
> > > And on my server:
> > >
> > > [2016/03/31 10:52:23.036664,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:38741 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
> > > [2016/03/31 10:52:23.038496,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb
> > > [2016/03/31 10:52:23.046352,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:34207 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
> > > [2016/03/31 10:52:23.047710,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> > >    Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb
> > >
> > > I wish to use NFSv4 with krb but without joining all my clients to Samba4: is
> > > it possible?
> > >
> > > PS: I tried to create an SPN with HOST/* (HOST in uppercase) because when I
> > > list the SPNs of a computer joined to Samba, I get this:
> > >
> > >
> > > root@ifsamba:/scripts# samba-tool spn list CARTAN$
> > > cartan$
> > > User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the
> > > following servicePrincipalName:
> > >           HOST/CARTAN
> > >           HOST/cartan.if.ujf-grenoble.fr
> > >
> > > but on my client rpc.gssd doesn't use the keytab when HOST is uppercase; log:
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for 'BATAILLE$@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host ifsamba
> > > Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for connection to server ifsamba
> > >
> > >
> > > What is the right process?
> > >
> > > Thank you in advance
> > > Sim
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> >
> 
> 
> 
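The thread above turns on two things the rpc.gssd and KDC logs show but nobody spells out: rpc.gssd looks for a fixed list of exact machine principals (BATAILLE$, root/<fqdn>, nfs/<fqdn>, host/<fqdn>) in the keytab, and the KDC lookup for whatever it falls back to is also exact, so a literal host/* can never be found in the hdb. The script below is an added example written for this editorial pass, not code from the poster, Samba or nfs-utils. It parses the version-2 keytab file format that ktutil and samba-tool produce, reports entries with a wildcard component or a weak enctype (the quoted listing holds only single-DES and RC4 keys), and replays the candidate order taken from the quoted rpc.gssd log. The realm and client name come from the thread; the keytab bytes are constructed in the script with zero-filled placeholder keys, and the per-host keytab is an assumed example of what a joined client would carry. A further caveat the example does not encode: even if a wildcard name could be registered, one key shared by every client means the NFS server cannot tell clients apart and any client can impersonate any other, which is why per-host principals are the right fix.

```python
"""Parse a Kerberos keytab and replay the principal lookup rpc.gssd performs.
Added example for this thread, not Samba or nfs-utils code; the sample keys
below are zero-filled placeholders, not real key material."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from the IANA Kerberos registry (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated

@dataclass
class KeytabEntry:
    components: List[str]
    realm: str
    kvno: int
    enctype: int
    key: bytes
    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm

def _counted(b: bytes) -> bytes:
    # Keytab strings: 16-bit big-endian length, then the bytes.
    return struct.pack(">H", len(b)) + b

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the v2 keytab layout (magic 05 02) that ktutil writes."""
    out = b"\x05\x02"
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        for comp in e.components:
            body += _counted(comp.encode())
        # name_type KRB5_NT_PRINCIPAL (1), timestamp, 8-bit kvno, enctype, key
        body += struct.pack(">IIBH", 1, 0, e.kvno & 0xFF, e.enctype) + _counted(e.key)
        out += struct.pack(">i", len(body)) + body  # 32-bit entry length prefix
    return out

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab; a negative entry length marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    def read_counted() -> bytes:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted slot: skip abs(size) bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = read_counted().decode()
        comps = [read_counted().decode() for _ in range(ncomp)]
        _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        key = read_counted()
        # Newer tools append a 32-bit kvno after the key; fall back to the 8-bit field.
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append(KeytabEntry(comps, realm, kvno, enctype, key))
    return entries

def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """One finding per entry that can never work or should not be used."""
    out = []
    for e in entries:
        if any("*" in c for c in e.components):
            out.append(f"{e.principal}: wildcard name, KDC lookups are exact so it never matches")
        if e.enctype in WEAK_ENCTYPES:
            out.append(f"{e.principal}: weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    return out

def gssd_candidates(fqdn: str, realm: str) -> List[str]:
    """Machine principals rpc.gssd tried, in the order shown in the thread's log."""
    short = fqdn.split(".")[0].upper()
    return [f"{short}$@{realm}", f"root/{fqdn}@{realm}", f"nfs/{fqdn}@{realm}", f"host/{fqdn}@{realm}"]

def find_machine_principal(entries: List[KeytabEntry], fqdn: str, realm: str) -> Optional[str]:
    """Exact-match lookup: first candidate present in the keytab, else None."""
    present = {e.principal for e in entries}
    return next((c for c in gssd_candidates(fqdn, realm) if c in present), None)

# Constructed samples: the wildcard keytab mirrors the ktutil listing in the
# thread; the per-host keytab is an assumed example of what a joined client carries.
REALM, CLIENT_FQDN = "IF.UJF-GRENOBLE.FR", "bataille.ujf-grenoble.fr"
WILDCARD_KEYTAB = build_keytab([KeytabEntry(["host", "*"], REALM, 1, et, bytes(8 if et != 23 else 16))
                                for et in (1, 3, 23)])
PER_HOST_KEYTAB = build_keytab([KeytabEntry(["nfs", CLIENT_FQDN], REALM, 2, 18, bytes(32))])

if __name__ == "__main__":
    for blob in (WILDCARD_KEYTAB, PER_HOST_KEYTAB):
        ents = parse_keytab(blob)
        print(find_machine_principal(ents, CLIENT_FQDN, REALM), audit_keytab(ents))
```

Run it as is to see the wildcard keytab yield no usable principal plus six findings, while the per-host keytab resolves to nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR with no findings; to check a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab` instead of the constructed blobs.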