[Samba] Again NFSv4 and Kerberos at the 'samba way'...

Marco Gaiarin gaio at sv.lnf.it
Wed Oct 24 09:50:47 UTC 2018 

> I've tried to start with this, that seems very simple:
> 	https://wiki.debian.org/NFS/Kerberos

This is totally OT, but... i'm not able to restart nfs-common, because:

 root at vdmpp2:~# systemctl status nfs-common
 ● nfs-common.service
    Loaded: masked (/dev/null; bad)
    Active: inactive (dead)

but:

 root at vdmpp2:~# systemctl unmask nfs-common
 root at vdmpp2:~# systemctl enable nfs-common
 Synchronizing state of nfs-common.service with SysV service script with /lib/systemd/systemd-sysv-install.
 Executing: /lib/systemd/systemd-sysv-install enable nfs-common
 Failed to enable unit: Unit file /lib/systemd/system/nfs-common.service is masked.

Why?!



> but in 'samba' lingo the same operation can be obtained with (run in
> the client and server, with appropiate data):
> 	net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT -k
> done that, effectively the file /etc/krb5.keytab on server and client
> got created, with something that seems a 'key'.

Seems that lowecase apply, eg:

	net -U gaio ads keytab add nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT -k


> c) i've enabled, as stated by wiki and you, Louis, the IDMAP and GSSD/svcgssd
>  on cliend and server as requested.

At least server side the 'backresolving' troubles can be solved
expliciting the principal. Eg, doing that the server does not start
with error:

 Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No key table entry found matching nfs/@
 Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: unable to obtain root (machine) credentials
 Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Control process exited, code=exited status=1
 Oct 23 18:46:36 vdmpp1 rpc.svcgssd[4118]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
 Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Unit entered failed state.
 Oct 23 18:46:36 vdmpp1 systemd[1]: rpc-svcgssd.service: Failed with result 'exit-code'.

but if i add to /etc/default/nfs-kernel-server:

	RPCSVCGSSDOPTS="-vvv -p nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT"

now the server start.

Still the client does not connect, even the server itself, eg, doing
both:

	root at vdmpp1:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /mnt
or
	root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home

lead to:
	mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

and in log:

	Oct 24 11:47:14 vdmpp1 rpc.gssd[4117]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
	Oct 24 11:47:23 vdmpp2 rpc.gssd[684]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it


Still searching a clue...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list