[Samba] Again NFSv4 and Kerberos at the 'samba way'...

Marco Gaiarin gaio at sv.lnf.it
Tue Oct 23 16:57:49 UTC 2018


Sorry, I come back to this topic in a different thread, because I'm
still totally puzzled with the previous one. Louis, I'm sorry. ;(

I've tried to start with this, that seems very simple:

	https://wiki.debian.org/NFS/Kerberos

And so I've done:

a) installed 'nfs-kernel-server' on server,  'nfs-common' on client.
 Ok, this is easy.


b) AFAI've understood I need to create a 'principal', type 'NFS', for
 server and client, and store the key in ''local keytab''. Debian wiki
suggests:
	addprinc -randkey NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT
	ktadd NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT

but in 'samba' lingo the same operation can be obtained with (run in
the client and server, with appropriate data):

	net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT -k

Done that, effectively the file /etc/krb5.keytab on server and client
got created, with something that seems to be a 'key'.


c) I've enabled, as stated by wiki and you, Louis, the IDMAP and GSSD/svcgssd
 on client and server as requested.


OK, good start. But doing that i got:

	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
	mount.nfs4: an incorrect mount option was specified


After restarting the client, now I got:

	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
	mount.nfs4: access denied by server while mounting vdmpp1:/home

and in log:

 Oct 23 18:50:47 vdmpp2 kernel: [   49.414391] FS-Cache: Loaded
 Oct 23 18:50:47 vdmpp2 kernel: [   49.453067] FS-Cache: Netfs 'nfs' registered for caching
 Oct 23 18:50:47 vdmpp2 kernel: [   49.457587] Key type dns_resolver registered
 Oct 23 18:50:47 vdmpp2 kernel: [   49.472990] NFS: Registering the id_resolver key type
 Oct 23 18:50:47 vdmpp2 kernel: [   49.472994] Key type id_resolver registered
 Oct 23 18:50:47 vdmpp2 kernel: [   49.472995] Key type id_legacy registered
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
 Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it

Seems I've to fix a bit my backresolving, so I've put an entry in
/etc/hosts, to test, and:

 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
 Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it

Why?! Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
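
An added example, not part of the original post: a check of a `klist -k` listing against the machine-credential search order documented in rpc.gssd(8), which is the lookup behind the "no usable keytab entry found" error quoted above. The function names and both keytab listings are constructed for illustration; only the host name and realm are taken from the message. The comparison is case-sensitive, as Kerberos principal names are, so an `NFS/...` entry does not satisfy the `nfs/...` lookup.

```shell
#!/bin/sh
# Added example. Search order below is the one documented in rpc.gssd(8).

# Print the principal column of `klist -k` output read on stdin.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# usage: gssd_candidate <local-fqdn> <REALM>  (principals on stdin, one per line)
# Prints the first principal rpc.gssd would pick; returns 1 if none qualifies.
gssd_candidate() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    princs=$(cat)
    # 1) exact names for this host: machine account, then root/, nfs/, host/
    for want in "$short\$@$realm" "root/$fqdn@$realm" \
                "nfs/$fqdn@$realm" "host/$fqdn@$realm"; do
        if printf '%s\n' "$princs" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"; return 0
        fi
    done
    # 2) any instance name for the same services, same realm
    for svc in root nfs host; do
        hit=$(printf '%s\n' "$princs" | awk -v p="$svc/" -v r="@$realm" \
            'index($0, p) == 1 && substr($0, length($0) - length(r) + 1) == r { print; exit }')
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
    done
    return 1
}

# Constructed listings in `klist -k` format (hypothetical keytab contents).
sample_upper() {
    printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
        '---- ------------------------------' \
        '   1 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT' \
        '   1 NFS/VDMPP2@AD.FVG.LNF.IT'
}
sample_lower() {
    printf '%s\n' 'KVNO Principal' \
        '   1 host/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT' \
        '   1 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
}

for s in sample_upper sample_lower; do
    if p=$($s | keytab_principals | gssd_candidate vdmpp2.ad.fvg.lnf.it AD.FVG.LNF.IT); then
        echo "$s: rpc.gssd would use $p"
    else
        echo "$s: no usable keytab entry"
    fi
done
```

On a real client the input would be `klist -k /etc/krb5.keytab` piped into `keytab_principals`, with the client's own FQDN and realm as arguments.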


