[Samba] Again NFSv4 and Kerberos at the 'samba way'...

Marco Gaiarin gaio at sv.lnf.it
Fri Oct 26 09:23:01 UTC 2018


Hello! L.P.H. van Belle via samba
  On that day it was said...

> >  root at vdcsv1:~# samba-tool spn list vdmpp1$
> Hmm, 
> > 	 nfs/vdmpp1.ad.fvg.lnf.it   << correct 
> And these are wrong. 
> > 	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
> > 	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
> Remove these 2. 

Removed, both on server and client. But, really, I've only done:

	samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$

Strange.


> What is the output of : 
> dig -x $(hostname -i)

Still I'm using the old domain DNS for (reverse) resolving, so the reverse
points to the old address (vdmpp2.pp.lnf.it).
Clearly, I've added the relevant record in /etc/hosts, and added to
svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' that, as far as I've
understood, fixes that.


> exportfs
> getfacl /home

 root at vdmpp1:~# exportfs
 /home         	10.27.0.0/21
 root at vdmpp1:~# getfacl /home
 getfacl: Removing leading '/' from absolute path names
 # file: home
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x


> And if you test with 
> mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
> Or 
> mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home
> Does that work, or does one of these work? If sys works then it's not firewalling. 

No, neither works, same error.


> Have you set the encryption types I suggested in /etc/krb5.conf ?
> The one I posted supports both CIFS and NFS. 

I have on both server and client:

 ; for Windows 2008 with AES
    default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


> ? No key table table entry??  Hmm.. 
> Check this with : klist -ke | grep "vdmpp2\\$"

Returns empty.

> Looks like the local keytab is having problems. 
> Run  on vdmpp2 :
> klist -ke
> kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
> klist | grep "Default principal"
> That should show :
> Default principal: nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT

 root at vdmpp2:~# klist -ke | grep "vdmpp2\\$"
 root at vdmpp2:~# klist -ke
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal
 ---- --------------------------------------------------------------------------
    2 NFS/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-crc) 
    2 NFS/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-md5) 
    2 NFS/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96) 
    2 NFS/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96) 
    2 NFS/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (arcfour-hmac) 
    2 nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-crc) 
    2 nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-md5) 
    2 nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT (arcfour-hmac) 
    2 nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-crc) 
    2 nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-md5) 
    2 nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96) 
    2 nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96) 
    2 nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT (arcfour-hmac) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-crc) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2 at AD.FVG.LNF.IT (des-cbc-crc) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it at AD.FVG.LNF.IT (des-cbc-md5) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2 at AD.FVG.LNF.IT (des-cbc-md5) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2 at AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it at AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2 at AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it at AD.FVG.LNF.IT (arcfour-hmac) 
    2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2 at AD.FVG.LNF.IT (arcfour-hmac) 
 root at vdmpp2:~# kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
 root at vdmpp2:~# klist | grep "Default principal"
 Default principal: nfs/vdmpp2.ad.fvg.lnf.it at AD.FVG.LNF.IT
 root at vdmpp2:~# kdestroy
 root at vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
 mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home


> Take this slow, make sure you have tested every step before you go to the next. 

Sorry, but I still think that most of my problem comes from the fact
that I cannot restart idmap and gssd, because 'nfs-common' is masked.

Better to try to run them by hand? E.g., I kill them and restart them by hand,
enabling debug?

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
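The keytab listing and the krb5.conf enctype lines above are the two places where this kind of NFSv4/Kerberos setup usually goes wrong: duplicate principals differing only in case (NFS/ versus nfs/, and Kerberos principal names are case-sensitive), SPNs with an extra instance component such as nfs/host/host, and DES or RC4 enctypes that current KDCs and clients refuse (DES is deprecated by RFC 6649, RC4 by RFC 8429). The script below is an added example, not code from the thread or from Samba or MIT Kerberos; it parses the text format that `klist -ke` prints, runs those checks, and audits an enctype list of the kind shown in the krb5.conf snippet. The sample listing inside it is constructed to mirror the thread's output (with the real '@' instead of the list archive's " at "), and the principal names and hosts are taken from the thread only as illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ke` output, modelled on the listing in the
# thread (not captured from a real host). The list archive prints "@" as " at ".
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
"""

# Enctype names as MIT klist and krb5.conf spell them; DES and RC4 are
# deprecated and a modern Samba AD DC will not issue tickets with them.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
}

# One keytab entry line: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def weak_enctypes_in(enctype_list):
    """Return the weak names in a space-separated enctype list, in order."""
    return [e for e in enctype_list.split() if e in WEAK_ENCTYPES]


def audit_keytab(text, expected_principal):
    """Return a list of finding strings for the keytab listing `text`."""
    entries = parse_klist(text)
    principals = sorted({p for _, p, _, _ in entries})
    findings = []

    # The principal gssd/svcgssd will look for must be present exactly as spelled.
    if expected_principal not in principals:
        findings.append(f"missing: {expected_principal}")

    # Principals that differ only in case are distinct to Kerberos; keep one.
    by_lower = defaultdict(list)
    for p in principals:
        by_lower[p.lower()].append(p)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append("case-variants: " + ", ".join(variants))

    # A host-based service principal is service/fqdn; anything beyond that
    # (service/fqdn/extra) is the kind of SPN the thread says to remove.
    for p in principals:
        if p.count("/") > 1:
            findings.append(f"extra-component: {p}")

    # Keys stored with deprecated enctypes.
    for e in sorted({e for _, _, _, e in entries if e in WEAK_ENCTYPES}):
        findings.append(f"weak-enctype: {e}")
    return findings


if __name__ == "__main__":
    for f in audit_keytab(SAMPLE_KLIST, "nfs/vdmpp2.ad.fvg.lnf.it"):
        print(f)
    print("krb5.conf weak:", weak_enctypes_in(
        "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"))
```

On a real host, feed it the output of `klist -ke` (for example `klist -ke | python3 audit.py` after changing the main block to read stdin) and pass the principal gssd expects, which is `nfs/$(hostname -f)`; the "missing" check is the same condition that produced the "No key table entry" error discussed above, and the case and extra-component checks reproduce what `samba-tool spn list` showed on the AD side.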


