Hi,
while trying to use Samba4 as KDC for secure NFS (once again)
I found something I suspect to be an error:
In order for NFS (with krb5) to work it requires a nfs/... principal,
so I created one using samba-tool:
samba-tool user add nfs-user
samba-tool spn add nfs/atom.mydomain.org nfs-user
samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
After setting up NFS, a secure mount fails (permission denied).
While trying to debug this error, I had a look at the KDC debug
output of samba, and all queries done while looking for the
SPN are:
# Samba 4 log (during mount attempt):
Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb
Obviously the created computer object (see below) does not
match any of the above queries:
# atom-nfs, Users, mydomain.org
dn: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: atom-nfs
instanceType: 4
whenCreated: 20120720212952.0Z
uSNCreated: 4039
name: atom-nfs
objectGUID:: ZBSl4FIfvUyd6pbg4Rpy0w=
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA7rfhoQA6M19vFKNmWgQAAA=
logonCount: 0
sAMAccountName: atom-nfs
sAMAccountType: 805306368
userPrincipalName: atom-nfs@mydomain.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=org
pwdLastSet: 129872933920000000
userAccountControl: 66048
accountExpires: 0
servicePrincipalName: nfs/atom.mydomain.org
whenChanged: 20120720213725.0Z
uSNChanged: 4043
distinguishedName: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
So the question is: Shouldn't there also be a query like
expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
to make SPNs usable?
Or did I miss something else here?
Hope someone can help,
Marcel
On 07/21/2012 09:01 AM, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).

Hi Marcel

The client doesn't need an nfs principal. E.g. we just use the machine$ principal.

From man rpc.gssd(8)

<quote>
Previous versions of rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
</quote>

There are lots of misunderstandings about nfs and Kerberos. We tried to collect them:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html

HTH,
Steve
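The search order Steve quotes from rpc.gssd(8) is easy to misread, so here is an added Python model of it (example code written for this page, not code from the thread, from Samba or from nfs-utils). It parses a constructed `klist -k` listing and reports which keytab entry would be picked as the machine credential. The sample keytab contents, the hostname `atom.mydomain.org` and the realm `MYDOMAIN.ORG` are taken from the thread; that the `<HOSTNAME>$` placeholder is the short host name upper-cased is an assumption of this example.

```python
# Added example (not from the thread, Samba or nfs-utils): a model of the
# machine-credential keytab search order documented in rpc.gssd(8), applied
# to a constructed `klist -k` listing.
import re
from typing import List, Optional, Tuple

# Search order as quoted from rpc.gssd(8). A scope of "host" means the
# instance part must equal the local hostname; "any" accepts any instance.
SEARCH_ORDER = (
    ("machine", None),   # <HOSTNAME>$@<REALM>
    ("root", "host"),    # root/<hostname>@<REALM>
    ("nfs", "host"),     # nfs/<hostname>@<REALM>
    ("host", "host"),    # host/<hostname>@<REALM>
    ("root", "any"),     # root/<anyname>@<REALM>
    ("nfs", "any"),      # nfs/<anyname>@<REALM>
    ("host", "any"),     # host/<anyname>@<REALM>
)

# Constructed sample in the layout of `klist -k /etc/krb5.keytab`.
# klist prints one line per encryption type, hence the repeated nfs/ entry.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/atom.mydomain.org@MYDOMAIN.ORG
   2 nfs/atom.mydomain.org@MYDOMAIN.ORG
   5 host/other.mydomain.org@MYDOMAIN.ORG
"""

_KLIST_ENTRY = re.compile(r"^\s*\d+\s+(\S+)$")


def parse_klist_keytab(text: str) -> List[str]:
    """Return the distinct principals listed by `klist -k`, in file order."""
    seen: List[str] = []
    for line in text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def _split(principal: str) -> Tuple[str, str, str]:
    """'service/instance@REALM' -> (service, instance, realm); instance may be ''."""
    name, _, realm = principal.partition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def select_machine_credential(principals: List[str], hostname: str,
                              realm: str) -> Optional[str]:
    """First keytab principal rpc.gssd would use as machine credential, or None."""
    # Assumption: <HOSTNAME>$ is the short host name, upper-cased, plus '$'.
    machine = hostname.split(".")[0].upper() + "$"
    for service, scope in SEARCH_ORDER:
        for p in principals:
            svc, inst, rlm = _split(p)
            if rlm != realm:
                continue  # a key for another realm is never a candidate
            if scope is None:
                if inst == "" and svc == machine:
                    return p
            elif svc == service and (scope == "any" or inst == hostname):
                return p
    return None


if __name__ == "__main__":
    keytab = parse_klist_keytab(SAMPLE_KLIST)
    print("keytab principals:", keytab)
    print("machine credential:",
          select_machine_credential(keytab, "atom.mydomain.org", "MYDOMAIN.ORG"))
```

Run against the sample listing the nfs/ entry wins because no `ATOM$` key is present; add a machine-account key to the list and it takes precedence regardless of where it sits in the file, which is the point of the documented order.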
On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).
>
> While trying to debug this error, I had a look at the KDC debug
> output of samba, and all queries done while looking for the
> SPN are:
>
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
> expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb
>
> So the question is: Shouldn't there also be a query like
> expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
>
> Or did I miss something else here?

An AS-REQ means that something is trying to kinit with the name nfs/atom.mydomain.org (ie, as a client). This shouldn't be needed, so work out what is doing that.

The line for a client (user) connecting to an NFS server will be more like:

Kerberos: TGS-REQ user@realm for nfs/atom.mydomain.org

I hope this helps you debug this further,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
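Andrew's hint, that the request type in the KDC log tells you which side is authenticating, can be turned into a small triage script. The following is an added Python example (not code from the thread or from Samba): it parses Samba KDC debug lines of the shape shown above, flags an AS-REQ whose client name is a service principal, records the `expr:` lookups so one can see which LDAP attributes the KDC actually searched, and recognises the normal TGS-REQ a mounting client would produce. The log lines are the ones from the thread with `@` restored, plus one constructed TGS-REQ line in the form Andrew describes; the finding labels are this example's own.

```python
# Added example (not from the thread or from Samba): triage of Samba KDC
# debug lines. Distinguishes "someone kinit-ing as the service" (AS-REQ with
# a service principal as client) from a normal TGS-REQ for the service.
import re
from typing import Dict, List, Optional, Tuple

_AS_REQ = re.compile(
    r"^Kerberos: AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<server>\S+)$")
_TGS_REQ = re.compile(
    r"^Kerberos: TGS-REQ (?P<client>\S+)(?: from (?P<src>\S+))? for (?P<server>\S+)$")
_UNKNOWN = re.compile(
    r"^Kerberos: UNKNOWN -- (?P<principal>\S+): no such entry found in hdb$")
# LDAP filter lines the KDC logs while resolving a name, e.g.
# "expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))"
_EXPR = re.compile(r"^expr: \(&\(objectClass=user\)\((?P<attr>\w+)=")

# Constructed sample: the thread's lines (with "@" restored) plus a TGS-REQ
# line in the shape Andrew describes for a user mounting the export.
SAMPLE_LOG = [
    "Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 "
    "for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG",
    "expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))",
    "expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))",
    "Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb",
    "Kerberos: TGS-REQ user@MYDOMAIN.ORG from ipv4:192.168.1.2:43940 "
    "for nfs/atom.mydomain.org@MYDOMAIN.ORG",
]


def parse_kdc_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a dict with 'kind' plus the named fields, or None for other lines."""
    line = line.strip()
    for kind, rx in (("AS-REQ", _AS_REQ), ("TGS-REQ", _TGS_REQ), ("UNKNOWN", _UNKNOWN)):
        m = rx.match(line)
        if m:
            rec: Dict[str, Optional[str]] = {"kind": kind}
            rec.update(m.groupdict())
            return rec
    return None


def is_service_principal(principal: str) -> bool:
    """True for 'service/instance@REALM' names such as nfs/ or host/, not krbtgt/."""
    name = principal.split("@", 1)[0]
    return "/" in name and not name.startswith("krbtgt/")


def searched_attributes(lines: List[str]) -> List[str]:
    """LDAP attributes the KDC tried while resolving a name, in log order."""
    attrs: List[str] = []
    for line in lines:
        m = _EXPR.match(line.strip())
        if m and m.group("attr") not in attrs:
            attrs.append(m.group("attr"))
    return attrs


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, principal, explanation) tuples for the notable lines."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["kind"] == "AS-REQ" and is_service_principal(rec["client"] or ""):
            findings.append(("service-as-req", rec["client"] or "",
                             "a service principal is used as the *client* (kinit-style) "
                             "from %s; find which component does that" % rec["src"]))
        elif rec["kind"] == "TGS-REQ":
            findings.append(("tgs-req", rec["server"] or "",
                             "service-ticket request by %s, the normal client flow" % rec["client"]))
        elif rec["kind"] == "UNKNOWN":
            findings.append(("unknown-principal", rec["principal"] or "",
                             "the KDC has no HDB entry under this name"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-18s %-40s %s" % finding)
    print("attributes searched:", searched_attributes(SAMPLE_LOG))
```

On the sample the first finding is `service-as-req` for `nfs/atom.mydomain.org@MYDOMAIN.ORG`, which is exactly the line Andrew says should not be there, while the constructed TGS-REQ is reported as the ordinary client flow. The attribute list shows what the KDC searched (`userPrincipalName`, `samAccountName`), which is the observation behind Marcel's question; whether a `servicePrincipalName` lookup belongs there is left to the thread.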