[Samba] Again NFSv4 and Kerberos at the 'samba way'...

Rowland Penny rpenny at samba.org
Wed Oct 31 08:51:00 UTC 2018


On Wed, 31 Oct 2018 08:31:17 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Marco, 
> 
> > 
> > Mandi! L.P.H. van Belle via samba
> >   In chel di` si favelave...
> > 
> > > So far, until tomorrow, 
> > 
> > Done some tests, me too.
> > 
> > 1) seems that nfs-common is disabled 'by design'. Looking at debian
> > changelog:
> > 
> >  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> > 
> >   Partial sync from ubuntu, included changes:
> > 
> >   [ Martin Pitt ]
> >   [...]
> >   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
> >     enable/disable statd via systemd tools. (LP: #1428486)
> > 
> >   [...]
> >   [ Andreas Henriksson ]
> >   * Restore anything related to nfs-common.init and nfs-common.default
> >   * debian/nfs-common.links: Mask nfs-common init script with a symlink
> >     to /dev/null to avoid using it under systemd.
> > 
> > so it seems you have to enable/disable/mask single services. Note that
> > there are still some troubles, e.g. on the client:
> > 
> > 	root@vdmpp2:~# systemctl start nfs-idmapd
> > 	Failed to start nfs-idmapd.service: Unit nfs-server.service not found.
> > 
> > (but probably idmap is a server-only service, so it is normal?)
> > and it also seems that /etc/default/nfs-common is *totally* ignored
> > (e.g., there's no way to pass options to services).
> > 
> > Anyway, now I'm able to restart nfs/rpc services. ;-)
> 
> Ok, that's at least better. 
> 
> And no, /etc/default/nfs-common is not ignored. It's just harder to
> see it. 
> 
> systemctl cat nfs-config  
> contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> And the nfs-utils_env.sh contains : 
> [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
> [ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server
> 
> ;-) 
> 
> And 
> /lib/systemd/system/rpc-svcgssd.service
> Contains:  ConditionPathExists=/etc/krb5.keytab
> 
> That's all ok. 
> 
> All I did for the server was systemctl enable nfs-server
> And for the client systemctl enable nfs-client
> After the setup, all other servers start if needed based on the
> settings in /etc/default/nfs-common
> and/or /etc/default/nfs-kernel-server 

Hmm, I wonder if 'nfsidmap' is now being used instead of nfs-common ?

> 
> 
> > 
> > 
> > 2) doing some mounts on the same host, with verbose output, I get:
> > 
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT'
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: Preauthentication failed while getting initial ticket for principal 'nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT' using keytab 'FILE:/etc/krb5.keytab'
> >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> > 
> > 'Preauthentication'?
> Hmm, that is strange, it looks like this computer account is acting
> like a real user. If I look in ADUC, Tab Account, only a user has the
> option to "disable preauthentication". So this might help in solving
> the problem. Can you check in ADUC if you see the Account tab or not. 
> If it's really a computer, you should not see the Account tab. 
> 

A computer is a user, it just has an extra objectclass and a '$' on the
end of the samAccountName

Rowland
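
Added example (not part of the original messages, and not Samba or nfs-utils code): a shell check that follows the chain described in the quoted reply above, from the nfs-config ExecStart script to the /etc/default files it sources, and then tests the ConditionPathExists path of rpc-svcgssd. It assumes nfs-config.service sits in /lib/systemd/system next to rpc-svcgssd.service; the function names and the optional root-prefix argument are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are the ones quoted in the
# messages; the location of nfs-config.service is an assumption.

# Print the program named by the first ExecStart= line of unit file $1.
unit_execstart() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Print each ConditionPathExists= path of unit file $1 (negated "!path"
# conditions are skipped: they mean the opposite).
unit_conditions() {
    sed -n 's/^ConditionPathExists=\([^!].*\)/\1/p' "$1" 2>/dev/null
}

# Succeed if shell script $1 sources file $2 with ". file".
script_sources() {
    grep -Eq "(^|[[:space:]])\.[[:space:]]+$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# Walk the chain under optional root prefix $1 (empty = live system).
# Returns 0 only if both default files are sourced and every
# rpc-svcgssd start condition is met.
audit_nfs_config() {
    root=${1:-}
    units="$root/lib/systemd/system"
    rc=0
    env_script=$(unit_execstart "$units/nfs-config.service")
    for f in /etc/default/nfs-common /etc/default/nfs-kernel-server; do
        if [ -n "$env_script" ] && script_sources "$root$env_script" "$f"; then
            echo "OK      $env_script sources $f"
        else
            echo "MISSING ${env_script:-nfs-config ExecStart} does not source $f"
            rc=1
        fi
    done
    for p in $(unit_conditions "$units/rpc-svcgssd.service"); do
        if [ -e "$root$p" ]; then
            echo "OK      rpc-svcgssd start condition met: $p"
        else
            echo "UNMET   rpc-svcgssd will be skipped, missing $p"
            rc=1
        fi
    done
    return "$rc"
}
```

On a live host call `audit_nfs_config` with no argument; pass a directory to check an unpacked image or chroot instead.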


