[Samba] Again NFSv4 and Kerberos at the 'samba way'...

Marco Gaiarin gaio at sv.lnf.it
Thu Oct 25 09:59:11 UTC 2018


Hi! L.P.H. van Belle via samba
  on that day wrote...

> The nfs-server needs to be able to delegate the servers with kerberos. (obligated for nfsv4 with kerberos mounts ) 
> Start - ADUC, enable advanced features - goto  CN=Computers  
>  get the member server's properties, tab Delegation, enable "Trust this computer for delegation to any service (kerberos only) 
>  I have set this on both NFS server and NFS client, thats more because of the use of my servers. 

OK. Done. The same can be achieved with:

	samba-tool delegation for-any-service vdmpp1$ on

> And obligated in smb.conf for this setup. 
>     kerberos method = secrets and keytab
OK.
>     dedicated keytab file = /etc/krb5.keytab
Seems not needed. The smb.conf manpage says explicitly that this is needed
only if 'kerberos method = dedicated keytab'; if 'kerberos method = secrets and
keytab' is set, the system keytab is used.

>     # Renew the kerberos ticket
>     winbind refresh tickets = yes

Mmmmhhhh... the manpage talks about 'pam_winbind' tickets, so it seems a
'user' thing, not a system keytab one... anyway, in doubt, set.


> Check the spn/upn in the AD with the RSAT's ADUC, this is why i do.

OK, added the nfs/ SPN:
	samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$

Clearly you can check it also with:

 root@vdcsv1:~# samba-tool spn list vdmpp1$
 vdmpp1$
 User CN=VDMPP1,OU=Computers,OU=Pasian,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName: 
	 HOST/VDMPP1
	 HOST/vdmpp1.ad.fvg.lnf.it
	 HOST/filepp.ad.fvg.lnf.it
	 HOST/FILEPP
	 HOST/cupspp.ad.fvg.lnf.it
	 HOST/CUPSPP
	 HOST/homepp.ad.fvg.lnf.it
	 HOST/HOMEPP
	 nfs/vdmpp1.ad.fvg.lnf.it
	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it


Still I get:

	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
	mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

On server and client I now get no logs at all, even if I've added
'-vvv' to the GSS options and 'Verbosity = 5' to idmap.


> You nfs stalled, then it gets mask to prevent other errors. 
> systemctl unmask nfs-common
> systemctl enable nfs-common
> If you keep hitting problems with the nfs server/client 

I've tried on the client: purged 'nfs-common', reinstalled, restored the
configuration in /etc/default/nfs-common and /etc/idmapd.conf, but:

	root@vdmpp2:~# systemctl unmask nfs-common
	root@vdmpp2:~# systemctl start nfs-common
	Failed to start nfs-common.service: Unit nfs-common.service is masked.

There's no /usr/sbin/rpc.gssd running, only idmap. The mount fails:

	root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
	mount.nfs4: an incorrect mount option was specified

I've tried to run it by hand with '-vvv' and I got:

 Oct 25 11:52:57 vdmpp2 rpc.gssd[13790]: doing a full rescan
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt28)
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: krb5_use_machine_creds: uid 0 tgtname (null)
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Success getting keytab entry for 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: gssd_get_single_krb5_cred: principal 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT' ccache:'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating tcp client for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: DEBUG: port already set to 2049
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating context with server nfs@vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Success getting keytab entry for 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating tcp client for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: DEBUG: port already set to 2049
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating context with server nfs@vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: ERROR: Failed to create machine krb5 context with any credentials cache for server vdmpp1.ad.fvg.lnf.it
 Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: doing error downcall

I've tried only on the client.

Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
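The rpc.gssd -vvv output above is long and repetitive, and the useful signal is only a few facts per kernel upcall: which principals rpc.gssd looked for in the client keytab, which one it found, which server it tried to build a GSS context with, and whether the upcall ended in a downcall or an error downcall. The following parser is an added example written for this thread; it is not code from the mail, from Samba, or from nfs-utils. It reduces a log like the one above to one record per upcall and classifies where the failure sits: "no-client-keytab-entry" means the client side is not even getting a key, while "context-with-server-failed" (the case in the log above) means the client keytab and credential cache are fine and the problem is in the exchange with the NFS server. The sample log lines are constructed to mirror the thread's output with placeholder host and realm names; the "doing downcall:" success line is an assumption about nfs-utils' format.

```python
"""Summarise rpc.gssd -vvv output per upcall.

Added example, not from the original mail, Samba or nfs-utils. Host and
realm names in SAMPLE_LOG are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the thread's rpc.gssd -vvv output.
SAMPLE_LOG = """\
Oct 25 11:53:18 client rpc.gssd[13790]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt28)
Oct 25 11:53:18 client rpc.gssd[13790]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 25 11:53:18 client rpc.gssd[13790]: No key table entry found for client$@EXAMPLE.TEST while getting keytab entry for 'client$@EXAMPLE.TEST'
Oct 25 11:53:18 client rpc.gssd[13790]: No key table entry found for root/client.example.test@EXAMPLE.TEST while getting keytab entry for 'root/client.example.test@EXAMPLE.TEST'
Oct 25 11:53:18 client rpc.gssd[13790]: Success getting keytab entry for 'nfs/client.example.test@EXAMPLE.TEST'
Oct 25 11:53:18 client rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.TEST' are good until 1540497198
Oct 25 11:53:18 client rpc.gssd[13790]: creating tcp client for server server.example.test
Oct 25 11:53:18 client rpc.gssd[13790]: creating context with server nfs@server.example.test
Oct 25 11:53:18 client rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.TEST for server server.example.test
Oct 25 11:53:18 client rpc.gssd[13790]: ERROR: Failed to create machine krb5 context with any credentials cache for server server.example.test
Oct 25 11:53:18 client rpc.gssd[13790]: doing error downcall
"""


@dataclass
class Upcall:
    """Everything rpc.gssd reported while serving one kernel upcall."""
    uid: Optional[int] = None
    missing_principals: List[str] = field(default_factory=list)
    keytab_principal: Optional[str] = None
    ccache: Optional[str] = None
    server: Optional[str] = None
    outcome: str = "unknown"      # "ok", "error" or "unknown"


# Everything after "rpc.gssd[pid]: " is the message; "#012" is syslog's
# escaping of a leading newline and is stripped.
MSG_RE = re.compile(r"rpc\.gssd\[\d+\]: (?:#012)?(.*)$")
UPCALL_RE = re.compile(r"handle_gssd_upcall: '(?P<opts>[^']*)'")
MISSING_RE = re.compile(r"No key table entry found for (\S+) while")
FOUND_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
CCACHE_RE = re.compile(r"Credentials in CC '([^']+)'")
SERVER_RE = re.compile(r"creating context with server nfs@(\S+)")


def parse_gssd_log(text: str) -> List[Upcall]:
    """Group rpc.gssd -vvv lines into one Upcall record per kernel upcall."""
    upcalls: List[Upcall] = []
    cur: Optional[Upcall] = None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                        # not an rpc.gssd line
        msg = m.group(1)
        um = UPCALL_RE.search(msg)
        if um:                              # a new upcall starts here
            cur = Upcall()
            uid = re.search(r"uid=(\d+)", um.group("opts"))
            if uid:
                cur.uid = int(uid.group(1))
            upcalls.append(cur)
            continue
        if cur is None:
            continue                        # noise before the first upcall
        if (mm := MISSING_RE.search(msg)):
            cur.missing_principals.append(mm.group(1))
        elif (fm := FOUND_RE.search(msg)):
            cur.keytab_principal = fm.group(1)
        elif (cm := CCACHE_RE.search(msg)):
            cur.ccache = cm.group(1)
        elif (sm := SERVER_RE.search(msg)):
            cur.server = sm.group(1)
        elif msg.startswith("doing error downcall"):
            cur.outcome = "error"
        elif msg.startswith("doing downcall"):
            # Assumption: nfs-utils logs "doing downcall: lifetime_rec=..."
            # once the GSS context with the server is established.
            cur.outcome = "ok"
    return upcalls


def diagnose(u: Upcall) -> str:
    """Name the layer where this upcall stopped."""
    if u.keytab_principal is None:
        return "no-client-keytab-entry"     # none of u.missing_principals existed
    if u.outcome == "error":
        return "context-with-server-failed"  # client creds fine; server-side exchange failed
    if u.outcome == "ok":
        return "ok"
    return "incomplete"


if __name__ == "__main__":
    for i, u in enumerate(parse_gssd_log(SAMPLE_LOG), 1):
        print(f"upcall {i}: uid={u.uid} keytab={u.keytab_principal} "
              f"server={u.server} outcome={u.outcome} -> {diagnose(u)}")
```

Run it against a real log with `journalctl -u rpc-gssd` piped into `parse_gssd_log` (the `__main__` block only uses the constructed sample). The "No key table entry" lines are expected noise: rpc.gssd walks a list of candidate principals and only the last "Success getting keytab entry" matters, so a record with a keytab principal and an error outcome points away from the client keytab and towards the server's nfs/ key, the delegation settings discussed in the thread, or realm and clock issues.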
