[Samba] Samba AD + Kerberos + NFS "Client no longer in database"
Norbert Hanke
norbert.hanke at gmx.ch
Sun Mar 11 22:43:38 UTC 2018
On 04.03.2018 02:52, Ken McDonald via samba wrote:
> I am soo lost trying to get Samba AD 4.7.5 as a Kerberos source for
> NFSv4. The NFS server is the Samba AD server running Ubuntu Server
> 16.0.4.3 and the client is Linux Mint 18.3
>
> This export WORKS and mounts on client
>
> ########## /etc/exports ##########
>
> /mnt/fileshare *(rw,no_subtree_check,async)
>
> ############################
>
> This export DOES NOT
>
> ########## /etc/exports ##########
>
> /mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)
>
> ############################
>
> The error I get on client side is
>
> ########## console ##########
>
> sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare
> /mnt/fileshare
>
> mount.nfs4: timeout set for Sat Mar 3 20:27:51 2018
> mount.nfs4: trying text-based options
> 'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting
> ubuntu-nfs:/mnt/fileshare
>
> ############################
>
> On server side, syslog is no help.
>
> ########## /var/log/syslog ##########
>
> Mar 3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd
> 172.20.100.205'
> Mar 3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/'
> flags 0x12405
> Mar 3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path
> '/mnt' flags 0x10405
> Mar 3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client
> 0x16ec5b0 '*'
>
> ############################
>
> On server side, I increased Samba logging level to log level = 4 and I
> get this error when the remote mount fails initially
>
> ########## /usr/local/samba/var/log.samba ##########
>
> SUBDOMAIN[2018/03/03 20:18:57.282480, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from
> ipv4:172.20.100.205:36129 for
> krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287154, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: 149
> [2018/03/03 20:18:57.287185, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287207, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287406, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.288906, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from
> ipv4:172.20.100.205:39005 for
> krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.292893, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> [2018/03/03 20:18:57.292921, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.292937, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.293106, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using
> aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.297323, 3]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at
> [Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96]
> status [NT_STATUS_OK] workstation [(null)] remote host
> [ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$]
> [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
> [2018/03/03 20:18:57.297491, 3] ../auth/auth_log.c:220(log_json)
> JSON Authentication: {"timestamp":
> "2018-03-03T20:18:57.297385-0500", "type": "Authentication",
> "Authentication": {"authDescription": "ENC-TS Pre-authentication",
> "version": {"major": 1, "minor": 0}, "becameSid":
> "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer":
> null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null,
> "serviceDescription": "Kerberos KDC", "localAddress": "NULL",
> "clientAccount":
> "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM",
> "remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null,
> "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount":
> "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType":
> 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags":
> "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType":
> "aes256-cts-hmac-sha1-96"}}
> [2018/03/03 20:18:57.297615, 3]
> ../auth/auth_log.c:139(get_auth_event_server)
> get_auth_event_server: Failed to find 'auth_event' registered on the
> message bus to send JSON authentication events to:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2018/03/03 20:18:57.297648, 4]
> ../source4/auth/sam.c:189(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.307065, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset
> endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
> [2018/03/03 20:18:57.307839, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26,
> using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.307878, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable-ok
> [2018/03/03 20:18:57.310239, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from
> ipv4:172.20.100.205:57552 for
> krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.314895, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> [2018/03/03 20:18:57.314932, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.314951, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.315138, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded --
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using
> aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.315187, 3]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at
> [Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96]
> status [NT_STATUS_OK] workstation [(null)] remote host
> [ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$]
> [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
> [2018/03/03 20:18:57.315435, 3] ../auth/auth_log.c:220(log_json)
> JSON Authentication: {"timestamp":
> "2018-03-03T20:18:57.315308-0500", "type": "Authentication",
> "Authentication": {"authDescription": "ENC-TS Pre-authentication",
> "version": {"major": 1, "minor": 0}, "becameSid":
> "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer":
> null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null,
> "serviceDescription": "Kerberos KDC", "localAddress": "NULL",
> "clientAccount":
> "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM",
> "remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null,
> "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount":
> "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType":
> 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags":
> "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType":
> "aes256-cts-hmac-sha1-96"}}
> [2018/03/03 20:18:57.315512, 3]
> ../auth/auth_log.c:139(get_auth_event_server)
> get_auth_event_server: Failed to find 'auth_event' registered on the
> message bus to send JSON authentication events to:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2018/03/03 20:18:57.315622, 4]
> ../source4/auth/sam.c:189(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.322796, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset
> endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
> [2018/03/03 20:18:57.323216, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26,
> using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.323256, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable-ok
> [2018/03/03 20:18:57.323763, 3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2018/03/03 20:18:57.323830, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> ############################
>
> In addition, there is a series of these messages repeating after the
> initial connection and any subsequent remount attempt just lists these
> messages below
>
> ########## /usr/local/samba/var/log.samba ##########
>
> [2018/03/03 20:18:57.330456, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from
> ipv4:172.20.100.205:57554 for
> nfs/ubuntu-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [canonicalize, renewable]
> [2018/03/03 20:18:57.334817, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client no longer in database:
> nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.334883, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ret: -1765328378
> [2018/03/03 20:18:57.334944, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
> [2018/03/03 20:18:57.336124, 3]
> ../source4/smbd/service_stream.c:65(stream_terminate_connection)
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2018/03/03 20:18:57.336195, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> ############################
>
> I believe the "Client no longer in database" message is the root
> error. I added code to Samba sources to pull exact message code of
> -1765328378 which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
>
> I created the server and client keytab files using these kinds of
> commands
>
> sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com
> "UBUNTU-NFS\$"
>
> sudo samba-tool domain exportkeytab
> --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab
>
> and put the files in /etc/krb5.keytab . I can verify in ADUC that
> these SPNs do exist on the machine accounts for server and client
>
> I'm soo lost. I had this working on a prior test vm setup but started
> over to clean up my documentation. I've got no idea where to go next
> to make the NFSv4 mount work using Kerberos from Samba AD
>
This looks very similar to a problem I had with a Solaris system joined
to a Samba AD DC.
In my case the Solaris system used to request a ticket for
root/system.subdomain.domain.tld at SUBDOMAIN.DOMAIN.TLD, which is a valid
SPN for the system, while the UPN for that system was
host/system.subdomain.domain.tld at SUBDOMAIN.DOMAIN.TLD.
Apparently, the Samba built-in KDC expects such a ticket request to be
for a UPN, not an SPN. In comparison, the MIT Kerberos KDC is more
tolerant and accepts such a request: I tested with Samba 4.7.5 on Fedora
27 that uses the MIT KDC and it works.
Since I did not want to migrate my DCs to a different platform
supporting the MIT KDC I implemented a workaround: I renamed the UPN of
the client system's account from host/... to root/... and that works with
the Samba built-in KDC.
Of course this workaround works for exactly one name used client side,
root/... in my case.
You might try the same: rename the UPN to nfs/... and check if it works.
Or switch to a Samba AD DC with an MIT KDC.
Regards,
Norbert
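As an added illustration of the check Norbert describes (not code from either poster), the script below pulls the rejected client principal out of the "Client no longer in database" line, compares it with the machine account's userPrincipalName and servicePrincipalName values, and emits the LDIF for the UPN rename. The log excerpt and the account attributes are constructed for the example, mailman's " at " is written back as "@", and the sam.ldb path is assumed from the /usr/local/samba prefix in the post.

```python
import re

# Constructed sample input: the two relevant lines from the quoted log.samba
# excerpt, with mailman's " at " obfuscation written back as "@".
SAMPLE_LOG = """\
Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM [canonicalize, renewable]
Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM
"""

# Constructed stand-in for the client's machine account as ldbsearch would show it
# (assumed values; the UPN is the host/... form the reply describes).
SAMPLE_ACCOUNT = {
    "dn": "CN=MINT-NFS,CN=Computers,DC=subdomain,DC=domain,DC=com",
    "userPrincipalName": "host/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM",
    "servicePrincipalName": ["HOST/MINT-NFS", "HOST/mint-nfs.subdomain.domain.com",
                             "nfs/mint-nfs.subdomain.domain.com"],
}

REJECTED_RE = re.compile(r"Kerberos: Client no longer in database: (\S+)")

def rejected_client_principals(log_text):
    """Client principals the KDC could not look up (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)."""
    return REJECTED_RE.findall(log_text)

def diagnose(principal, account):
    """Classify a rejected client principal against the account's UPN and SPNs.
    A principal that is only an SPN, not the UPN, is the mismatch the reply describes."""
    name, _, realm = principal.partition("@")
    upn = account.get("userPrincipalName", "")
    is_upn = upn.lower() == principal.lower()
    is_spn = name.lower() in (s.lower() for s in account.get("servicePrincipalName", []))
    if is_upn:
        verdict = "UPN matches; look elsewhere (keytab, realm, DNS)"
    elif is_spn:
        verdict = "SPN only: built-in KDC wants the UPN, rename UPN to %s" % principal
    else:
        verdict = "principal registered nowhere on the account"
    return {"principal": principal, "realm": realm, "is_upn": is_upn,
            "is_spn": is_spn, "verdict": verdict}

def upn_rename_ldif(account, principal):
    """LDIF for `ldbmodify -H /usr/local/samba/private/sam.ldb` (path assumed)."""
    return ("dn: %s\nchangetype: modify\nreplace: userPrincipalName\n"
            "userPrincipalName: %s\n" % (account["dn"], principal))

if __name__ == "__main__":
    for p in rejected_client_principals(SAMPLE_LOG):
        print(diagnose(p, SAMPLE_ACCOUNT)["verdict"])
        print(upn_rename_ldif(SAMPLE_ACCOUNT, p))
```

Feed the LDIF to ldbmodify on the DC, then re-export the client keytab so it carries the renamed principal before retrying the mount.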