[Samba] samba AD, keberos, NFS - not working
Rowland Penny
rpenny at samba.org
Thu Dec 20 15:20:38 UTC 2018
On Thu, 20 Dec 2018 20:08:52 +0530
VigneshDhanraj G via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba
> AD 4.9.3 as a Kerberos source for nfs4.
> Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade
> unable to mount it.
> Suggest me is there any configure change in 4.9.3. Please look the
> following configuration.
>
> [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios
> name= x2 realm= SAM.COM password server= 192.168.1.14, * idmap
> backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap
> config SAM : backend= rid idmap config SAM : range=
> 10000000-19999999 security= ADS name resolve order= wins host bcast
> lmhosts client use spnego= yes dns proxy= no winbind use default
> domain= no winbind nested groups= yes inherit acls= yes winbind enum
> users= yes winbind enum groups= yes winbind separator= \\ winbind
> cache time= 300 winbind offline logon= true template shell= /bin/sh
> kerberos method= secrets and keytab map to guest= Bad User host
> msdfs= yes strict allocate= no encrypt passwords= yes printcap name=
> lpstat printable= no load printers= yes max smbd processes= 500 getwd
> cache= yes use sendfile= yes winbind sequence directory= /tmp/samba
> log level= 0 max log size= 50 unix extensions= no dos charset= ascii
> state directory= /mnt/system/samba/system cache
> directory= /tmp/samba/ ntlm auth= Yes winbind expand groups= 1 idmap
> config * : backend= tdb idmap config * : range= 3000-7999
>
> console output:
>
> *mount.nfs4: access denied by server while mounting*
>
> Thanks,
OK, after expanding your smb.conf ;-)
Two things are apparent, you have:
    kerberos method= secrets and keytab
But do not have the required:
    dedicated keytab file = /etc/krb5.keytab
Does '/etc/krb5.keytab' exist?
You also have:
    * idmap backend= tdb
    idmap uid= 5000-9999999
    idmap gid= 5000-9999999
    idmap config * : backend= tdb
    idmap config * : range= 3000-7999
    idmap config SAM : backend= rid
    idmap config SAM : range= 10000000-19999999
You shouldn't have the top three lines.
You also have a lot of default lines and even some lines that do not
exist.
Rowland
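
The two points raised in the reply above, written as a check. This is an added example, not part of the original message and not Samba code: a Python script that reads the [global] section of an smb.conf and reports 'kerberos method = secrets and keytab' without a 'dedicated keytab file' (or with a keytab path that does not exist), plus the three idmap lines the reply says to drop. The sample config is constructed from values in the quoted post, and the function names are hypothetical.

```python
import os

# The three lines the reply says should not be present (whitespace-stripped names).
LEGACY = {"idmapbackend": "idmap backend", "idmapuid": "idmap uid", "idmapgid": "idmap gid"}

# Constructed sample: the quoted post's settings, one parameter per line.
SAMPLE = """\
[global]
    realm = SAM.COM
    kerberos method = secrets and keytab
    idmap backend = tdb
    idmap uid = 5000-9999999
    idmap gid = 5000-9999999
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAM : backend = rid
    idmap config SAM : range = 10000000-19999999
"""

def parse_global(text):
    """Return {parameter name without whitespace, lowercased: value} for [global]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "".join(line[1:-1].lower().split())
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)      # only the first '=' separates name and value
            # smb.conf names ignore case and whitespace, so normalise both away
            params["".join(key.lower().split())] = value.strip()
    return params

def check(text, exists=os.path.exists):
    """Return findings for the keytab and idmap points made in the reply."""
    params = parse_global(text)
    findings = []
    method = " ".join(params.get("kerberosmethod", "").lower().split())
    keytab = params.get("dedicatedkeytabfile")
    if method == "secrets and keytab":
        if not keytab:
            findings.append("kerberos method = secrets and keytab, but no 'dedicated keytab file'")
        elif not exists(keytab):
            findings.append("keytab %s does not exist" % keytab)
    for key in sorted(LEGACY.keys() & params.keys()):
        findings.append("remove legacy line '%s = %s'" % (LEGACY[key], params[key]))
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
```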