[Samba] Using Samba AD for NFSV4 Kerberos servers and clients

Ken McDonald ken at generation.tech
Mon Feb 5 01:23:48 UTC 2018


Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in Samba AD 
docs or do I need something more substantial on the server & client for 
Kerberos NFS to work?

[libdefaults]
         default_realm = SUBDOMAIN.DOMAIN.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & 
client. Most of the existing docs show commands to do this using a real 
KDC, not Samba AD. If I try to use the kadmin tool, there's a message 
about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

nfs/server@subdomain.domain.com

nfs/client@subdomain.domain.com

Are these created manually by adding some account in ADUC and then using 
"samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken



On 02/04/2018 06:29 PM, Luc Lalonde wrote:
> Hey Ken,
>
> We’re using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students' home directories.
>
> I can answer specific questions if you’ve got some.
>
> Cheers, Luc.
>
>
> Luc Lalonde, analyste
> -----------------------------
> Département de génie informatique:
> École polytechnique de MTL
> (514) 340-4711 x5049
> Luc.Lalonde at polymtl.ca
> -----------------------------
>
>> On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba at lists.samba.org> wrote:
>>
>> Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers and then have clients connect to them?
>>
>> I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions
>>
>> https://help.ubuntu.com/community/NFSv4Howto
>>
>> And seem to have adapted the keytab entries from using this Samba AD info
>>
>> https://wiki.samba.org/index.php/Generating_Keytabs
>>
>> But I'm kind of stuck getting the actual mount to work on a client side. I'll admit to never using Kerberos with NFS before and my Samba AD knowledge is also fairly new (but I do have working Samba AD for Windows and Linux client logins, group, POSIX & Win ACLs). I can't seem to find good information or howto on implementing NFSKerberos + SambaAD.
>>
>> Before I post actual questions and logs, is this configuration even possible?
>>
>>
>



