[Samba] Again NFSv4 and Kerberos at the 'samba way'...

L.P.H. van Belle belle at bazuin.nl
Wed Oct 31 09:48:09 UTC 2018


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Wednesday 31 October 2018 9:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
> 
> On Wed, 31 Oct 2018 08:31:17 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hai Marco, 
> > 
> > > 
> > > Hi! L.P.H. van Belle via samba
> > >   on that day wrote...
> > > 
> > > > Sofar, until tomorrow, 
> > > 
> > > Done some tests, metoo.
> > > 
> > > 1) seems that nfs-common is disabled 'by design'. Looking at debian
> > > changelog:
> > > 
> > >  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> > > 
> > >   Partial sync from ubuntu, included changes:
> > > 
> > >   [ Martin Pitt ]
> > >   [...]
> > >   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
> > >     enable/disable statd via systemd tools. (LP: #1428486)
> > > 
> > >   [...]
> > >   [ Andreas Henriksson ]
> > >   * Restore anything related to nfs-common.init and
> > > nfs-common.default
> > >   * debian/nfs-common.links: Mask nfs-common init script with 
> > > a symlink
> > >     to /dev/null to avoid using it under systemd.
> > > 
> > > so seems you have to enable/disable/mask single services. Note that
> > > still there are some troubles, eg on client:
> > > 
> > > 	root at vdmpp2:~# systemctl start nfs-idmapd
> > > 	Failed to start nfs-idmapd.service: Unit 
> > > nfs-server.service not found.
> > > 
> > > (but probably idmap is a server-only service, so it is normal?)
> > > and also seems that /etc/default/nfs-common are *totally* ignored
> > > (eg, there's no way to pass options to services).
> > > 
> > > Anyway, now i'm able to restart nfs/rpc services. ;-)
> > 
> > Ok, thats at least better. 
> > 
> > And no, /etc/default/nfs-common is not ignored. Its just harder to
> > see it. 
> > 
> > systemctl cat nfs-config  
> > contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> > And the nfs-utils_env.sh contains : 
> > [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
> > [ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server
> > 
> > ;-) 
> > 
> > And 
> > /lib/systemd/system/rpc-svcgssd.service
> > Contains:  ConditionPathExists=/etc/krb5.keytab
> > 
> > Thats all ok. 
> > 
> > All i did for the server was systemctl enable nfs-server
> > And for the client systemctl enable nfs-client
> > After the setup, all other servers start if needed based on the
> > settings in /etc/default/nfs-common
> > and/or /etc/default/nfs-kernel-server 
> 
> Hmm, I wonder if 'nfsidmap' is now being used instead of nfs-common ?

Yes, nfsidmap is also used, but all settings are loaded through the /etc/default/nfs-.... files.

See the complete path of things that are getting loaded. Install these. 
dpkg -l | grep nfs
ii  libnfsidmap2:amd64                    0.25-5.1                       amd64        NFS idmapping library
ii  nfs-common                            1:1.3.4-2.1                    amd64        NFS support files common to client and server
ii  nfs-kernel-server                     1:1.3.4-2.1                    amd64        support for NFS kernel server
ii  nfs4-acl-tools                        0.3.3-3                        amd64        Commandline and GUI ACL utilities for the NFSv4 client

And see this service file output : systemctl cat nfs-server.service

> 
> > 
> > 
> > > 
> > > 
> > > 2) doing some mounts on the same host, with verbose output, i get:
> > > 
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting 
> > > keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: 
> > > Preauthentication failed while getting initial ticket for 
> > > principal 'nfs/vdmpp1.ad.fvg.lnf.it at AD.FVG.LNF.IT' using 
> > > keytab 'FILE:/etc/krb5.keytab'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials 
> > > found for connection to server vdmpp1.ad.fvg.lnf.it
> > > 
> > > 'Preauthentication'?
> > Hmm, that is strange, it looks like this computer account is acting
> > like a real user. If I look in ADUC, Tab Account, only a user has the
> > option to "disable preauthentication". So this might help in solving
> > the problem. Can you check in ADUC if you see the Account tab or not.
> > If it's really a computer, you should not see the Account tab. 
> > 
> 
> A computer is a user, it just has an extra objectclass and a '$' on the end of the samAccountName

There is a difference at least in what we "see" in ADUC. 
And based on what I did see here, it might help Marco to fix the problem of finding the problem. 
This computer account is behaving like a user account. 

> A computer is a user, it just has an extra objectclass and a '$' on the end of the samAccountName  
Yes, totally agree, but why is his "computer" account complaining about: Preauthentication, 
which is normally only available in a user account. Due to (if I'm correct here) the values: 
sAMAccountType 805306368 (user_account) 
userAccountControl 0x200 (512) 

And for the computer: 
sAMAccountType 805306369 (computer_account) 
userAccountControl 0x19000 (593920)  Workstation trust account. 

This is why I also check in ADUC to "see" what is there. 

Because of this old statement I made a long time ago, in the win95 time, and this still applies.  

In computer terms, it's a 0 or 1, always.. Yes, I say no..  (sort of..) 

A door is open or closed, yes, .... No...  ;-) 

What if I open the door a very little bit, so it's open, but you cannot go through it, now is it open or closed? 
If you say open, I say then go through it, but you can't, it's not open enough, so it's closed, No.. It's open.. 

What if I can prove that it can be both.  :-) sort of, at least in windows, I haven't seen it in linux yet.  
And when it's both, it's really a bug or corruption in the registry/database. 

In windows, you can "see" a setting, but in the backend (registry) this setting can be different. 
That's what I'm saying here, you see something is turned on in windows, but in the registry it's not. 

I think something like this is happening in Marco's AD, at least for that computer account. 

An ldap export of a correct computer account and the failing one will show what changed. 
I'm still working on how to detect and check all settings..


Greetz, 

Louis
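The comparison Louis proposes (an LDAP export of a healthy computer account next to the failing one, checked against the sAMAccountType and userAccountControl values quoted above) as an added example; this is not code from the thread or from Samba, and the LDIF sample, the names VDMPP1$/VDMPP2$ and the DC=example,DC=test domain are constructed:

```python
# Added example (not the thread's code): audit AD computer accounts in an LDIF
# export for user-style userAccountControl / sAMAccountType values. Sample LDIF is constructed.
UAC_FLAGS = {0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
             0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD",
             0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}
SAM_TYPES = {805306368: "SAM_NORMAL_USER_ACCOUNT", 805306369: "SAM_MACHINE_ACCOUNT"}

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attrs kept as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key, []).append(val)
        entries.append(entry)
    return entries

def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def check_account(entry):
    # Returns the inconsistencies found; an empty list means the entry looks like a sane computer.
    name = entry["sAMAccountName"][0]
    uac = int(entry["userAccountControl"][0])
    sam = int(entry["sAMAccountType"][0])
    looks_computer = name.endswith("$") or "computer" in entry.get("objectClass", [])
    problems = []
    if looks_computer and not uac & (0x1000 | 0x2000):
        problems.append("no trust-account bit, UAC=" + "|".join(decode_uac(uac)))
    if looks_computer and SAM_TYPES.get(sam) != "SAM_MACHINE_ACCOUNT":
        problems.append("sAMAccountType is %s" % SAM_TYPES.get(sam, sam))
    return problems

# Constructed sample: VDMPP2$ carries the workstation values from the thread
# (805306369 / 593920), VDMPP1$ the user values (805306368 / 512) it suspects.
SAMPLE_LDIF = """
dn: CN=VDMPP2,CN=Computers,DC=example,DC=test
objectClass: computer
sAMAccountName: VDMPP2$
sAMAccountType: 805306369
userAccountControl: 593920

dn: CN=VDMPP1,CN=Computers,DC=example,DC=test
objectClass: computer
sAMAccountName: VDMPP1$
sAMAccountType: 805306368
userAccountControl: 512
"""
```

Run `check_account` over each entry of `parse_ldif(SAMPLE_LDIF)`; a real export from `ldbsearch` or `ldapsearch` with the same attributes works the same way.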