[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Marco Gaiarin
gaio at sv.lnf.it
Fri Oct 26 09:23:01 UTC 2018
Hello! L.P.H. van Belle via samba
On that day it was said...
> > root@vdcsv1:~# samba-tool spn list vdmpp1$
> Hmm,
> > nfs/vdmpp1.ad.fvg.lnf.it << correct
> And these are wrong.
> > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
> > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
> Remove these 2.
Removed, both on server and client. But, really, I've only done:
samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$
Strange.
> What is the output of :
> dig -x $(hostname -i)
I'm still using the old domain DNS for reverse resolving, so the reverse
record points to the old address (vdmpp2.pp.lnf.it).
Clearly, I've added the relevant record in /etc/hosts, and added to
svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' that, as far as I've
understood, fixes that.
> exportfs
> getfacl /home
root@vdmpp1:~# exportfs
/home 10.27.0.0/21
root@vdmpp1:~# getfacl /home
getfacl: Removing leading '/' from absolute path names
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
> And if you test with
> mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
> Or
> mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home
> Does that work, or does one of these work? If sys works then it's not firewalling.
No, neither works, same error.
> Have you set the encryption types I suggested in /etc/krb5.conf?
> The ones I posted support both CIFS and NFS.
I have on both server and client:
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ? No key table entry?? Hmm..
> Check this with: klist -ke | grep "vdmpp2\\$"
Returns empty.
> Looks like the local keytab is having problems.
> Run on vdmpp2:
> klist -ke
> kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
> klist | grep "Default principal"
> That should show:
> Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT
root@vdmpp2:~# klist -ke | grep "vdmpp2\\$"
root@vdmpp2:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (des-cbc-crc)
2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (des-cbc-md5)
2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (arcfour-hmac)
root@vdmpp2:~# kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
root@vdmpp2:~# klist | grep "Default principal"
Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT
root@vdmpp2:~# kdestroy
root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home
> Take this slow, make sure you have tested every step before you go to the next.
Sorry, but I still think that most of my problem comes from the fact
that I cannot restart idmap and gssd, because 'nfs-common' is masked.
Better to try to run them by hand? E.g., I kill them and restart them by
hand, enabling debug?
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
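To make the keytab checks discussed in this thread repeatable, here is an added example (not from the original mail, Samba or nfs-utils): a Python script that parses `klist -ke` output and flags what the listing above shows, namely case variants of the same principal (NFS/ vs nfs/), keys for another host, three-component SPNs, and DES/RC4 enctypes. The embedded sample is constructed to mirror the vdmpp2 keytab, with `@` where the list archive wrote ` at `.

```python
import re
from collections import defaultdict

# DES and RC4 enctypes are deprecated in MIT krb5 and off by default in recent Samba.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "rc4-hmac"}

# One `klist -ke` entry looks like: "   2 nfs/host@REALM (enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")

# Constructed sample, modelled on the vdmpp2 keytab listing in this thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (arcfour-hmac)
"""


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples from `klist -ke` output."""
    return [(int(m[1]), m[2], m[3], m[4])
            for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m]


def check_keytab(text, host_fqdn, realm, service="nfs"):
    """Report hygiene problems for a keytab meant to hold only service/host_fqdn@realm."""
    entries = parse_klist(text)
    findings, variants = set(), defaultdict(set)
    for _, princ, rlm, etype in entries:
        variants[princ.lower()].add(princ)      # keytab lookup is case-sensitive
        etype = etype.split(":")[-1]            # newer klist prints "DEPRECATED:des-cbc-crc"
        if rlm != realm:
            findings.add(f"foreign realm: {princ}@{rlm}")
        if etype in WEAK_ENCTYPES:
            findings.add(f"weak enctype {etype} for {princ}")
        parts = princ.split("/")
        if parts[0].lower() == service and len(parts) > 2:
            findings.add(f"extra instance component (bogus SPN): {princ}")
        elif parts[0].lower() == service and len(parts) == 2 and parts[1].lower() != host_fqdn.lower():
            findings.add(f"key for another host: {princ}")
    if f"{service}/{host_fqdn}" not in {p for _, p, _, _ in entries}:
        findings.add(f"missing expected principal {service}/{host_fqdn}@{realm}")
    for forms in variants.values():
        if len(forms) > 1:
            findings.add("case variants of one principal: " + ", ".join(sorted(forms)))
    return sorted(findings)
```

Run it against real output with `check_keytab(open("klist.txt").read(), "vdmpp2.ad.fvg.lnf.it", "AD.FVG.LNF.IT")`; an empty list means the keytab holds exactly the one nfs/ principal with strong enctypes.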