[Samba] NFSv4 / Krb / wildcard in keytab

Service Informatique IF ifinfo@ujf-grenoble.fr
Thu Mar 31 12:01:05 UTC 2016


On 31/03/2016 11:44, Rowland penny wrote:
> On 31/03/16 10:04, Service Informatique IF wrote:
>> Hi,
>>
>> I'm trying to use a wildcard in the keytab because I don't want to join 
>> every computer (client) for the NFS krb5 service.
>>
>> I add an SPN like this
>>
>> # samba-tool spn add host/* nfs
>>
>> (I created the user nfs beforehand)
>>
>> # samba-tool spn list nfs
>> nfs
>> User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following 
>> servicePrincipalName:
>>          host/*
>>
>> I export the keytab:
>>
>>  #samba-tool domain exportkeytab /tmp/wildcardnfs.keytab 
>> --principal=host/*
>>
>> ktutil -k /tmp/wildcardnfs.keytab list
>> /tmp/wildcardnfs.keytab:
>>
>> Vno  Type              Principal                  Aliases
>>   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
>>   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
>>   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
>>
>>
>> I put this keytab on my client (name is bataille) and restart 
>> rpc.gssd -vvvv
>>
>> I try to mount NFS and in my client log I have:
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
>> root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
>> nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for 
>> host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for 
>> principal 'host/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry 
>> (host/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry 
>> for host/*@IF.UJF-GRENOBLE.FR
>>
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 
>> 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while 
>> getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' 
>> using keytab 'FILE:/etc/krb5.keytab'
>>
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found 
>> for connection to server ifsamba
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
>> /run/rpc_pipefs/nfs/clnt1b
>> Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client 
>> /run/rpc_pipefs/nfs/clnt1a
>>
>> And on my server:
>>
>> [2016/03/31 10:52:23.036664,  3] 
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
>> ipv4:152.77.213.108:38741 for 
>> krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
>> [2016/03/31 10:52:23.038496,  3] 
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
>> in hdb
>> [2016/03/31 10:52:23.046352,  3] 
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from 
>> ipv4:152.77.213.108:34207 for 
>> krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
>> [2016/03/31 10:52:23.047710,  3] 
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found 
>> in hdb
>>
>> I wish to use NFSv4 with krb but without joining all my clients to Samba4: 
>> is it possible?
>>
>> PS: I tried to create an SPN with HOST/* (host in uppercase) because when 
>> I show the SPNs of a computer joined to Samba, I have this:
>>
>>
>> root@ifsamba:/scripts# samba-tool spn list CARTAN$
>> cartan$
>> User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the 
>> following servicePrincipalName:
>>          HOST/CARTAN
>>          HOST/cartan.if.ujf-grenoble.fr
>>
>> but on my client rpc.gssd doesn't use the keytab when HOST is uppercase; 
>> log:
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
>> BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for 
>> 'BATAILLE$@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
>> root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
>> nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for 
>> host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab 
>> entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for 
>> principal 'HOST/*@IF.UJF-GRENOBLE.FR'
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry 
>> (HOST/*@IF.UJF-GRENOBLE.FR)
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: 
>> gssd_refresh_krb5_machine_credential: no usable keytab entry found in 
>> keytab /etc/krb5.keytab for connection with host ifsamba
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found 
>> for connection to server ifsamba
>>
>>
>> What is the right process?
>>
>> Thank you in advance
>> Sim
>>
> I thought the whole idea of kerberos was to authenticate 'something' 
> or 'someone' without passing passwords.

You're right, when using a keytab it's without a password, but users need to 
enter a password to access their data on an NFSv4 - krb share.

> As far as I am aware, 'something' or 'someone' must be in the kerberos 
> database and I don't think using '*' is going to work, as this would 
> allow anybody to gain access to your network, do you really want this ??

I understand that it is a possible security hole, but we already use a 
"generic" keytab for sssd.
Our computers are in a "restricted" network, so I think it's not a big 
hole.
And this keytab is used only for mounting the NFSv4 share, not to access 
user data, because the data are chmod protected: 
each user needs to authenticate to obtain their own ticket in order to 
see their data.

A wildcard keytab is possible in MIT Kerberos, so I thought it was possible 
to do that with Samba4.

The problem for us is joining computers to Samba automatically: maybe 
you have a solution? (without a password)

Or maybe, if it's possible, create computer accounts in Samba with 
samba-tool user add ... and so I could create the computer keytabs directly 
from Samba.

Thank you in advance
Sim
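As an added illustration (not code from the post, from Samba or from nfs-utils), here is a small Python model of the machine-credential lookup that the rpc.gssd log above makes visible: the four candidate principal names are taken from the quoted "No key table entry found for ..." lines and are an assumption about rpc.gssd's real search order; the per-host and upper-case keytab listings are constructed, and their enctype is chosen for illustration. It shows why `host/*` can never work (there is no such principal in the KDC, so the AS-REQ fails), why `HOST/` and `host/` are not interchangeable (principal names are case-sensitive), and it flags the DES and RC4 keys that the exported keytab contains.

```python
import re

# Listing of `ktutil -k /tmp/wildcardnfs.keytab list` as quoted in the post above.
WILDCARD_KEYTAB = """\
/tmp/wildcardnfs.keytab:

Vno  Type              Principal                  Aliases
  1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
  1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
  1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
"""

# Constructed listing of a per-host keytab for the client (hypothetical: the
# enctype and Vno are illustrative, not exported from the poster's DC).
PER_HOST_KEYTAB = """\
/etc/krb5.keytab:

Vno  Type                     Principal                                          Aliases
  2  aes256-cts-hmac-sha1-96  host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR
"""

# Constructed listing with the upper-case service name seen on the joined machine CARTAN.
UPPERCASE_KEYTAB = """\
/etc/krb5.keytab:

Vno  Type                     Principal                                          Aliases
  2  aes256-cts-hmac-sha1-96  HOST/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR
"""

# A data row of the Heimdal `ktutil list` output: "<vno> <enctype> <principal>".
KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac-md5"}


def parse_ktutil_list(text):
    """Return [(vno, enctype, principal), ...] from `ktutil list` output; header and path lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def candidate_principals(hostname, fqdn, realm):
    """Machine principals rpc.gssd tried for this client, in the order the quoted log shows (assumed order)."""
    return [
        f"{hostname.upper()}$@{realm}",
        f"root/{fqdn}@{realm}",
        f"nfs/{fqdn}@{realm}",
        f"host/{fqdn}@{realm}",
    ]


def select_machine_credential(keytab_text, hostname, fqdn, realm):
    """Pick the keytab entry rpc.gssd can turn into a TGT.

    Matching is exact and case-sensitive, as Kerberos principal names are. A
    wildcard entry is reported as unusable: the KDC has no principal "host/*",
    so the AS-REQ it would trigger fails ("no such entry found in hdb").
    Returns (principal or None, reason).
    """
    names = {principal for _, _, principal in parse_ktutil_list(keytab_text)}
    for cand in candidate_principals(hostname, fqdn, realm):
        if cand in names:
            return cand, "usable"
    wildcards = sorted(p for p in names if "*" in p)
    if wildcards:
        return None, "only wildcard entries present (%s); the KDC has no such principal" % ", ".join(wildcards)
    return None, "no usable keytab entry found"


def weak_enctypes(entries):
    """Set of deprecated enctypes present in parsed keytab entries."""
    return {enctype for _, enctype, _ in entries if enctype in WEAK_ENCTYPES}


if __name__ == "__main__":
    for label, text in (("wildcard", WILDCARD_KEYTAB), ("per-host", PER_HOST_KEYTAB), ("uppercase", UPPERCASE_KEYTAB)):
        principal, reason = select_machine_credential(text, "bataille", "bataille.ujf-grenoble.fr", "IF.UJF-GRENOBLE.FR")
        print(f"{label:9s}: {principal} ({reason}); weak enctypes: {sorted(weak_enctypes(parse_ktutil_list(text)))}")
```

The only listing that yields a credential is the one holding an exact `host/<fqdn>@REALM` key, which is what joining the client (or creating its account and exporting that principal) produces; the wildcard export also carries only DES and RC4 keys, which a practitioner should treat as a second reason not to ship it to clients.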