[Samba] samba AD, kerberos, NFS - not working

Rowland Penny rpenny at samba.org
Thu Dec 20 15:20:38 UTC 2018


On Thu, 20 Dec 2018 20:08:52 +0530
VigneshDhanraj G via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba
> AD 4.9.3 as a Kerberos source for nfs4.
> Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade
> unable to mount it.
> Suggest me is there any configure change in 4.9.3. Please look the
> following configuration.
> 
> [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios
> name= x2 realm= SAM.COM password server= 192.168.1.14, * idmap
> backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap
> config SAM  : backend= rid idmap config SAM  : range=
> 10000000-19999999 security= ADS name resolve order= wins host bcast
> lmhosts client use spnego= yes dns proxy= no winbind use default
> domain= no winbind nested groups= yes inherit acls= yes winbind enum
> users= yes winbind enum groups= yes winbind separator= \\ winbind
> cache time= 300 winbind offline logon= true template shell= /bin/sh
> kerberos method= secrets and keytab map to guest= Bad User host
> msdfs= yes strict allocate= no encrypt passwords= yes printcap name=
> lpstat printable= no load printers= yes max smbd processes= 500 getwd
> cache= yes use sendfile= yes winbind sequence directory= /tmp/samba
> log level= 0 max log size= 50 unix extensions= no dos charset= ascii
> state directory= /mnt/system/samba/system cache
> directory= /tmp/samba/ ntlm auth= Yes winbind expand groups= 1 idmap
> config * : backend= tdb idmap config * : range= 3000-7999
> 
> console output:
> 
> *mount.nfs4: access denied by server while mounting*
> 
> Thanks,

OK, after expanding your smb.conf ;-)

Two things are apparent, you have:

  kerberos method= secrets and keytab

But do not have the required:

dedicated keytab file = /etc/krb5.keytab

Does '/etc/krb5.keytab' exist?

You also have:

 * idmap backend= tdb
 idmap uid= 5000-9999999
 idmap gid= 5000-9999999
 idmap config * : backend= tdb
 idmap config * : range= 3000-7999
 idmap config SAM  : backend= rid
 idmap config SAM  : range= 10000000-19999999
 
You shouldn't have the top three lines.

You also have a lot of default lines and even some lines that do not
exist.

Rowland
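
The two checks from the reply above, written as a small smb.conf lint. This is an added example, not part of the original message or of Samba itself; the function names `parse_global` and `lint` are hypothetical, and the sample input is constructed from the settings quoted in the thread.

```python
# Constructed sample: the relevant lines of the posted config, one per line.
SAMPLE = """\
[global]
    kerberos method = secrets and keytab
    idmap backend = tdb
    idmap uid = 5000-9999999
    idmap gid = 5000-9999999
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAM : backend = rid
    idmap config SAM : range = 10000000-19999999
"""

# The "top three lines" the reply says should not be present.
LEGACY_IDMAP = ("idmap backend", "idmap uid", "idmap gid")


def parse_global(text):
    """Return {parameter: value} for [global]; names are case- and whitespace-insensitive."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def lint(text):
    """Apply the two checks from the reply and return a list of findings."""
    p, findings = parse_global(text), []
    if "keytab" in p.get("kerberos method", "").lower() and "dedicated keytab file" not in p:
        findings.append("kerberos method uses a keytab but 'dedicated keytab file' is not set")
    if any(k.startswith("idmap config ") for k in p):
        for k in LEGACY_IDMAP:
            if k in p:
                findings.append(f"remove '{k}': 'idmap config' lines are already present")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```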



