Henrik Dige Semark
2014-Oct-31 15:10 UTC
[Samba] Samba4 PDC keytab creation for NFSv4 not working
Hello everybody,

First a little about our setup. We have a Debian 7 (Wheezy), now upgraded to Debian testing (Jessie), with Samba4 as PDC, Kerberos and LDAP, all provided through Samba4, and bind9 and isc-dhcp-server for DDNS and DHCP. Our environment is a mix of Linux (Debian Jessie), Mac (Mavericks and Yosemite) and Windows 7 and 8.1 clients. The Windows clients use Samba and are all part of the domain (YGGDRASIL); Mac and Linux both use NFSv4, and Linux mounts homes over AutoFS.

The past year we have used NFSv4 without Kerberos validation, but because of new security levels in the organization we have to implement Kerberos for NFSv4.

The problem that we are facing now, and have messed around with for the last two weeks, is that Samba won't save the provisioning for the Kerberos keytab. At first we found some minor problems in our bind9 configuration, so that our reverse addresses on IPv6 were not pointing correctly, but IPv4 was. Now everything looks right but the problem still remains.

# kinit Administrator

Reports no error.

# klist -l
Name                                 Cache name          Expires
* Administrator@YGGDRASIL.BITTOO.NET  FILE:/tmp/krb5cc_0  Oct 31 21:19:24 2014

Looks as it should.

# net ads keytab add -k -S jotunheim.static.yggdrasil.bittoo.net -W YGGDRASIL -U Administrator nfs/jotunheim.static.yggdrasil.bittoo.net -d5
http://pastebin.com/v3McRKnm

But I can't add NFS, as you can see above.

# samba-tool spn add nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET jotunheim$
# samba-tool spn add host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET jotunheim$

Can add the entries correctly into the LDAP database.

# samba-tool spn list JOTUNHEIM$
jotunheim$
User CN=JOTUNHEIM,OU=Domain Controllers,DC=yggdrasil,DC=bittoo,DC=net has the following servicePrincipalName:
         HOST/jotunheim.yggdrasil.bittoo.net
         HOST/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
         ldap/jotunheim.yggdrasil.bittoo.net/YGGDRASIL
         GC/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
         ldap/jotunheim.yggdrasil.bittoo.net
         HOST/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
         ldap/jotunheim.yggdrasil.bittoo.net/yggdrasil.bittoo.net
         HOST/JOTUNHEIM
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/2350a512-9df8-4e43-b7b2-419cee958c1c/yggdrasil.bittoo.net
         ldap/2350a512-9df8-4e43-b7b2-419cee958c1c._msdcs.yggdrasil.bittoo.net
         ldap/JOTUNHEIM
         RestrictedKrbHost/JOTUNHEIM
         RestrictedKrbHost/jotunheim.yggdrasil.bittoo.net
         host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         nfs/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         ldap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         ldap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         imap/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         imap/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         radius/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         radius/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         proxy/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
         proxy/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET

And I can export e.g. HOST and HTTP:

# samba-tool domain exportkeytab /etc/krb5.keytab --principal host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
# samba-tool domain exportkeytab /etc/krb5.keytab --principal http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type              Principal                                                        Aliases
  1  des-cbc-crc       host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-md5       host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  arcfour-hmac-md5  host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-crc       host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-md5       host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  arcfour-hmac-md5  host/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-crc       http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-md5       http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  arcfour-hmac-md5  http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-crc       http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  des-cbc-md5       http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
  1  arcfour-hmac-md5  http/jotunheim.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET

But I can't export NFS:

# samba-tool domain exportkeytab /etc/krb5.keytab --principal nfs/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET -d5
http://pastebin.com/v48G77j9

# cat /etc/samba/smb.conf
http://pastebin.com/gxs8Ai3G

# cat /etc/krb5.conf
http://pastebin.com/PSuB1b3P

If you need any more information please don't hesitate to ask for it.

Thanks for your help.

--
Best Regards
Henrik Dige Semark
Mobile: +45 26331701
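An added check, not part of the original post or of Samba: given a `ktutil list` listing in the Heimdal format shown in the post, it reports whether a service principal has been exported at all and whether any of its keys use an AES enctype (the exported host/ and http/ keys in the post are DES and arcfour only, which modern Kerberos clients refuse by default). The listing is constructed from the post's own entries, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a keytab listing for a service principal (added example, not from the post).
# Input format is the Heimdal `ktutil list` layout: "Vno Type Principal Aliases".

# Constructed from the entries shown in the post; note that no nfs/ key is present.
KEYTAB_LISTING='FILE:/etc/krb5.keytab:
Vno Type Principal Aliases
1 des-cbc-crc host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 host/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 des-cbc-crc http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET
1 arcfour-hmac-md5 http/jotunheim.static.yggdrasil.bittoo.net@YGGDRASIL.BITTOO.NET'

# keytab_enctypes LISTING PRINCIPAL
# Prints one enctype per key stored for PRINCIPAL (exact match on "svc/host@REALM").
# Only rows whose first field is a numeric kvno are key rows; the header is skipped.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $3 == p { print $2 }'
}

# check_service_principal LISTING SERVICE HOST REALM
# Prints "missing" (no key exported, as for nfs/ in the post), "legacy" (keys
# exist but none is AES), or "ok" (at least one AES key).  Exit status mirrors it.
check_service_principal() {
    principal="$2/$3@$4"
    types=$(keytab_enctypes "$1" "$principal")
    if [ -z "$types" ]; then
        echo missing
        return 1
    fi
    case "$types" in
        *aes*) echo ok ;;
        *)     echo legacy; return 2 ;;
    esac
}

# Stand-alone run over the constructed listing.
for svc in nfs host http; do
    printf '%s/%s: %s\n' "$svc" jotunheim.static.yggdrasil.bittoo.net \
        "$(check_service_principal "$KEYTAB_LISTING" "$svc" jotunheim.static.yggdrasil.bittoo.net YGGDRASIL.BITTOO.NET)"
done
```

Run it against real output with `KEYTAB_LISTING=$(ktutil list)` before handing the keytab to rpc.svcgssd or gssproxy; "legacy" means re-exporting once AES keys exist on the account, "missing" means the SPN export itself failed.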