[Samba] Samba AD + Kerberos + NFS "Client no longer in database"

Ken McDonald ken at generation.tech
Sun Mar 4 01:52:40 UTC 2018


I am so lost trying to get Samba AD 4.7.5 as a Kerberos source for 
NFSv4. The NFS server is the Samba AD server running Ubuntu Server 
16.0.4.3, and the client is Linux Mint 18.3.

This export WORKS and mounts on the client:

########## /etc/exports ##########

/mnt/fileshare         *(rw,no_subtree_check,async)

############################

This export DOES NOT:

########## /etc/exports ##########

/mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)

############################

The error I get on the client side is:

########## console ##########

sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare /mnt/fileshare

mount.nfs4: timeout set for Sat Mar  3 20:27:51 2018
mount.nfs4: trying text-based options 
'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting ubuntu-nfs:/mnt/fileshare

############################

On the server side, syslog is no help.

########## /var/log/syslog ##########

Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd 172.20.100.205'
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/' flags 0x12405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/mnt' flags 0x10405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client 0x16ec5b0 '*'

############################

On the server side, I increased the Samba logging level to log level = 4, and I 
get this error when the remote mount fails initially:

########## /usr/local/samba/var/log.samba ##########

SUBDOMAIN[2018/03/03 20:18:57.282480,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from 
ipv4:172.20.100.205:36129 for 
krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287154,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: 149
[2018/03/03 20:18:57.287185,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287207,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287406,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.288906,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from 
ipv4:172.20.100.205:39005 for 
krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.292893,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.292921,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.292937,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.293106,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using 
aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.297323,  3] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at 
[Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96] 
status [NT_STATUS_OK] workstation [(null)] remote host 
[ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$] 
[S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.297491,  3] ../auth/auth_log.c:220(log_json)
   JSON Authentication: {"timestamp": "2018-03-03T20:18:57.297385-0500", 
"type": "Authentication", "Authentication": {"authDescription": "ENC-TS 
Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": 
"S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": 
null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, 
"serviceDescription": "Kerberos KDC", "localAddress": "NULL", 
"clientAccount": 
"nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", 
"remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null, 
"workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": 
"MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 
0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", 
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": 
"aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.297615,  3] 
../auth/auth_log.c:139(get_auth_event_server)
   get_auth_event_server: Failed to find 'auth_event' registered on the 
message bus to send JSON authentication events to: 
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.297648,  4] 
../source4/auth/sam.c:189(authsam_account_ok)
   authsam_account_ok: Checking SMB password for user 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.307065,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset 
endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.307839,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.307878,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.310239,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from 
ipv4:172.20.100.205:57552 for 
krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.314895,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.314932,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.314951,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.315138,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using 
aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.315187,  3] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at 
[Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96] 
status [NT_STATUS_OK] workstation [(null)] remote host 
[ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$] 
[S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.315435,  3] ../auth/auth_log.c:220(log_json)
   JSON Authentication: {"timestamp": "2018-03-03T20:18:57.315308-0500", 
"type": "Authentication", "Authentication": {"authDescription": "ENC-TS 
Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": 
"S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": 
null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, 
"serviceDescription": "Kerberos KDC", "localAddress": "NULL", 
"clientAccount": 
"nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", 
"remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null, 
"workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": 
"MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 
0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", 
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": 
"aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.315512,  3] 
../auth/auth_log.c:139(get_auth_event_server)
   get_auth_event_server: Failed to find 'auth_event' registered on the 
message bus to send JSON authentication events to: 
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.315622,  4] 
../source4/auth/sam.c:189(authsam_account_ok)
   authsam_account_ok: Checking SMB password for user 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.322796,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset 
endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.323216,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.323256,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.323763,  3] 
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.323830,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

In addition, there is a series of these messages repeating after the 
initial connection, and any subsequent remount attempt just lists the 
messages below:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.330456,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: TGS-REQ 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from 
ipv4:172.20.100.205:57554 for 
nfs/ubuntu-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM [canonicalize, 
renewable]
   [2018/03/03 20:18:57.334817,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Client no longer in database: 
nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
   [2018/03/03 20:18:57.334883,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: ret: -1765328378
   [2018/03/03 20:18:57.334944,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
   [2018/03/03 20:18:57.336124,  3] 
../source4/smbd/service_stream.c:65(stream_terminate_connection)
     Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
   [2018/03/03 20:18:57.336195,  3] 
../source4/smbd/process_single.c:114(single_terminate)
     single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

I believe the "Client no longer in database" message is the root error. 
I added code to the Samba sources to pull the exact message code of -1765328378, 
which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

I created the server and client keytab files using these kinds of commands:

sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com "UBUNTU-NFS\$"

sudo samba-tool domain exportkeytab --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab

and put the files in /etc/krb5.keytab. I can verify in ADUC that these 
SPNs do exist on the machine accounts for the server and the client.

I'm so lost. I had this working on a prior test VM setup but started 
over to clean up my documentation. I've got no idea where to go next to 
make the NFSv4 mount work using Kerberos from Samba AD.
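The KDC log above carries two separate facts that are easy to run together: the ENC-TS pre-authentication for nfs/mint-nfs.subdomain.domain.com succeeds (so the key in the client's keytab matches what the KDC holds), and the later TGS-REQ from the same principal fails with "Client no longer in database" (so the KDC cannot resolve that name when it looks it up as a *client* principal at TGS time). The following triage script is an added example, not part of the post and not Samba code; it parses smb_krb5_debug_wrapper lines, keeps per-client-principal counters, decodes the raw "ret:" value through the com_err table base that MIT and Heimdal share, and reports principals that pass AS pre-auth but fail the TGS lookup. The sample log is constructed from the excerpts in the post, with wrapped lines joined and the mail archive's " at " obfuscation turned back into "@"; the function and pattern names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the post's KDC log lines, unwrapped, with "@" restored.
SAMPLE_LOG = """\
[2018/03/03 20:18:57.288906,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:39005 for krbtgt/SUBDOMAIN.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.292893,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.293106,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.330456,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM [canonicalize, renewable]
[2018/03/03 20:18:57.334817,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.334883,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: ret: -1765328378
[2018/03/03 20:18:57.334944,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
"""

# ERROR_TABLE_BASE_krb5 from the com_err table; MIT and Heimdal use the same base,
# so raw values in Samba's (Heimdal) KDC log decode the same way as MIT's.
KRB5_ERROR_TABLE_BASE = -1765328384
# KDC error codes from RFC 4120 section 7.5.9, as offsets from that base
# (only the handful that matter for mount/TGS triage).
KDC_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

# Only the message lines carry events; the "[timestamp, level] file:line(func)"
# header lines are skipped.
MSG = re.compile(r"^\s*Kerberos: (?P<msg>.*)$")
AS_REQ = re.compile(r"^AS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)")
PREAUTH_OK = re.compile(r"^ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<etype>\S+)")
TGS_REQ = re.compile(r"^TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)")
NOT_IN_DB = re.compile(r"^Client no longer in database: (?P<client>\S+)")
RET = re.compile(r"^ret: (?P<ret>-?\d+)")


def decode_krb5_error(ret):
    """Map a raw com_err value such as -1765328378 to its KRB5KDC_ERR_* name."""
    code = ret - KRB5_ERROR_TABLE_BASE
    return KDC_ERROR_NAMES.get(code, "unknown krb5 error (offset %d)" % code)


def triage(log_text):
    """Per-client-principal counters plus decoded KDC errors, in log order."""
    state = defaultdict(lambda: {"as_req": 0, "preauth_ok": 0, "tgs_req": 0,
                                 "not_in_db": 0, "errors": []})
    last_client = None  # "ret:" lines name no principal; attribute them to the last one seen
    for line in log_text.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for pattern, key in ((AS_REQ, "as_req"), (PREAUTH_OK, "preauth_ok"),
                             (TGS_REQ, "tgs_req"), (NOT_IN_DB, "not_in_db")):
            hit = pattern.match(msg)
            if hit:
                last_client = hit.group("client")
                state[last_client][key] += 1
                break
        else:
            hit = RET.match(msg)
            if hit and last_client is not None:
                state[last_client]["errors"].append(decode_krb5_error(int(hit.group("ret"))))
    return dict(state)


def findings(log_text):
    """Principals whose key was accepted at AS time but not found at TGS time."""
    out = []
    for client, s in triage(log_text).items():
        if s["preauth_ok"] and s["not_in_db"]:
            name = client.split("@", 1)[0]
            shape = "service-style (has a '/')" if "/" in name else "user-style"
            errs = ", ".join(s["errors"]) or "no ret code logged"
            out.append(
                "%s: ENC-TS pre-auth succeeded %dx, so the keytab key matches; the TGS lookup "
                "of the same %s client name failed %dx (%s). Investigate how the KDC resolves "
                "this name as a client principal, not the keytab."
                % (client, s["preauth_ok"], shape, s["not_in_db"], errs))
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run it against a real log with `findings(open("/usr/local/samba/var/log.samba").read())`; a principal that shows up in the output has already proven its key, which rules out the keytab and the enctype and narrows the question to why the KDC cannot find that name as a client during the TGS exchange.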