[Samba] samba and kerberized nfs issues

Jason Keltz jas at yorku.ca
Tue Jun 21 19:06:13 UTC 2022


Hi.

I have a Samba/AD domain consisting of a bunch of Linux servers and Linux workstations, all presently running latest Samba 4.15.

My question comes in two parts:

Part 1:

I have a Linux NFS server (nfs1) sharing various volumes to many Linux workstations via Kerberized NFS4, and it's all working great.
When I originally set up nfs1, I added a service principal for nfs before mounting would work:

On nfs1: net ads keytab add_update_ads nfs/nfs1.FQDN@REALM

This added the nfs service principal to both the local keytab (/etc/krb5.keytab) and on the DC server (samba-tool computer show nfs1 would show the nfs principal).

Now, I'm adding a new nfs server called nfs2.

If I do the same thing that I did in the past:

On nfs2: net ads keytab add_update_ads nfs/nfs2.FQDN@REALM

... then the service principal gets added to the local /etc/krb5.keytab on nfs2, but if I do: samba-tool computer show nfs2, the nfs service principal was NOT automatically added there like before!

Since the DC record for nfs2 doesn't have the nfs service principal, a client workstation cannot mount from nfs2.

If instead I do on nfs2: net ads setspn add nfs/nfs2.FQDN then the service principal gets added in the DC server database (samba-tool computer show nfs2 displays it), but is not written to /etc/krb5.keytab.
Yet, NFS mounting now works.

I just want to understand:

  1.  Why does net ads keytab add_update_ads not work like it did before, updating both the /etc/krb5.keytab on the NFS server and the DC database with the nfs2 service principal?
  2.  Why can a client mount from nfs2 when only the DC has the nfs service principal, and not /etc/krb5.keytab on nfs2? I'm assuming that's because /etc/krb5.keytab has the host/nfs2... entry, and this is a fallback?

Part 2:

nfs2 needs to be able to handle requests for nfs1 for a little bit.
If I take nfs1 offline, and add the IP of nfs1 to nfs2, now I can ping either nfs2 or nfs1.  Of course clients can't mount from nfs1 name yet because nfs2 needs nfs1 principal.
I tried exporting from the DC host/nfs1.FQDN@REALM and adding it to /etc/krb5.keytab on nfs2, and the mount would not work: mount.nfs: Operation not permitted
I then tried exporting from the DC nfs/nfs1.FQDN@REALM and adding it to /etc/krb5.keytab on nfs2, and that didn't work either.
I know that I've done this before, and it worked.  Any thoughts as to what I'm missing?

(The machine uses gssproxy, and it seems there is a bug because when enabling debugging on gssproxy, it core dumps, and hence I can't find the details...)

Thanks for any assistance,

Jason.
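
An added example, not part of the original post: a small Python check that lists which service names exist only in a keytab and which exist only among the SPNs registered on the DC, the mismatch described in Part 1. The realm, host names and keytab contents are constructed; in practice the bytes would come from /etc/krb5.keytab and the SPN list from the output of samba-tool computer show nfs2.

```python
import struct

def _cs(s):
    """Counted string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s.encode()

def build_keytab(entries):
    """Serialize constructed (realm, components, kvno) tuples as a version 0x0502 keytab."""
    out = b"\x05\x02"
    for realm, comps, kvno in entries:
        body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", 18, 32) + bytes(32)   # enctype 18, all-zero dummy key
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_services(data):
    """Return lower-cased service/host names (realm dropped) stored in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative length marks a deleted slot
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        if ncomp >= 2:               # skip the machine account (e.g. NFS2$)
            names.add("/".join(parts[1:]).lower())
        pos += size
    return names

def compare(keytab_bytes, directory_spns):
    """Return (only in keytab, only in directory) as sorted lists."""
    kt = keytab_services(keytab_bytes)
    spns = {s.lower() for s in directory_spns}
    return sorted(kt - spns), sorted(spns - kt)

# Constructed sample: nfs2 right after the keytab-only update described in Part 1.
REALM = "EXAMPLE.TEST"
SAMPLE = build_keytab([(REALM, ["NFS2$"], 2),
                       (REALM, ["host", "nfs2.example.test"], 2),
                       (REALM, ["nfs", "nfs2.example.test"], 2)])

if __name__ == "__main__":
    print(compare(SAMPLE, ["HOST/nfs2.example.test"]))
```
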

