After some tries, the only way I've got this working is when I use
the -n option on the rpc.gssd daemon and do a kinit
Administrator@MYDOMAIN.COM as root. With this, the mount is OK....
But this is not a solution, 'cause my NFS must be mounted at boot (so no
kinit needed)....
On 28/07/2014 17:14, Bruno MACADRE wrote:
> Hi,
>
> I have a SAMBA4 AD Domain that works nicely. All my W7 machines joined perfectly
> and all my Linux clients authenticate against the Kerberos part of SAMBA.
> All works perfectly; now I'm trying to secure my NFS mounts by using the
> Kerberos part of SAMBA.
>
> My NFS server works and I can mount NFS4 exports without Kerberos (and
> without problem ;-) ), but when I want to mount a gss/krb5 export on a
> Linux client it doesn't work at all....
>
> What I've done:
>
> On my DC:
>
> - Creating a user 'nfs-client':
> # samba-tool user add nfs-client --random-password
>
> - Creating a Service Principal Name for that client:
> # samba-tool spn add nfs/client.mydom.com nfs-client
>
> - Exporting this new principal to my client:
> # samba-tool domain exportkeytab /root/client.nfs.keytab --principal=nfs/client.mydomain.com
>
> - Finally, scp this new keytab part over and merge it
> with the existing one.
>
>
> On the client:
>
> When I try to mount, I always get the same answer: mount.nfs4: access
> denied by server while mounting server.mydomain.com:/data
>
> In syslog, rpc.gssd always says: WARNING: Client
> 'nfs/client.mydomain.com@MYDOMAIN.COM' not found in Kerberos database
> while getting initial ticket for principal
> 'nfs/client.mydomain.com@MYDOMAIN.COM' using keytab
> 'FILE:/etc/krb5.keytab'
>
> /etc/krb5.conf:
> [libdefaults]
> default_realm = MYDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> # klist -k /etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 client$@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>    1 nfs/client.mydomain.com@MYDOMAIN.COM
>
>
> If anybody has an idea,
> thanks in advance,
>
> Regards
> Bruno.
>
>
>
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of Computer Science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tel : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
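The failure Bruno reports happens inside rpc.gssd, which at boot tries to obtain an initial ticket for the nfs/ service principal using only /etc/krb5.keytab. The script below is an added example, not code from the thread or from Samba/nfs-utils: it lists the principals a keytab contains, counts how many key versions each one has (a symptom of merging several exports), and, when kinit and klist are installed, performs the same non-interactive `kinit -k -t` that rpc.gssd does, so a principal the KDC does not know shows up as FAILED before the mount is attempted. The keytab path, the principal names and the embedded klist output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks that every principal in
# a keytab can obtain an initial ticket from the KDC without a password, which
# is what rpc.gssd needs at boot. Paths and principal names are assumptions.

# Reduce `klist -k` output (read on stdin) to the unique principal names it
# holds. Skips the two header lines and keeps only "KVNO Principal" rows.
keytab_principals() {
    awk 'NR > 2 && NF == 2 { print $2 }' | sort -u
}

# Count the distinct KVNOs present for one principal ($1), klist output on
# stdin. More than one usually means keytabs from different exports were
# merged; the KDC only accepts the key whose version matches its own.
kvno_count() {
    awk -v p="$1" 'NR > 2 && $2 == p { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Live check: for each principal in the keytab file, request an initial
# ticket with the keytab only (no password), into a throwaway cache.
# A principal that fails here will also fail inside rpc.gssd.
# Requires MIT/Heimdal kinit and klist; skipped when they are absent.
check_keytab() {
    keytab="${1:-/etc/krb5.keytab}"
    if ! command -v kinit >/dev/null 2>&1 || ! command -v klist >/dev/null 2>&1; then
        echo "kinit/klist not installed; skipping live check" >&2
        return 0
    fi
    cache="FILE:$(mktemp)"
    rc=0
    for p in $(klist -k "$keytab" | keytab_principals); do
        if KRB5CCNAME="$cache" kinit -k -t "$keytab" "$p" 2>/dev/null; then
            echo "OK      $p"
        else
            echo "FAILED  $p  (KDC issued no ticket; principal unknown or key mismatch)"
            rc=1
        fi
    done
    KRB5CCNAME="$cache" kdestroy 2>/dev/null
    return $rc
}

# Constructed sample of `klist -k` output, modelled on the thread's keytab,
# with one principal deliberately present under two key versions.
SAMPLE_KLIST='KVNO Principal
---- --------------------------------------------------------------------------
   1 client$@MYDOMAIN.COM
   1 client$@MYDOMAIN.COM
   1 nfs/client.mydomain.com@MYDOMAIN.COM
   2 nfs/client.mydomain.com@MYDOMAIN.COM'

# Usage: `sh keytab-check.sh` parses the embedded sample offline;
#        `sh keytab-check.sh --live [/path/to/keytab]` talks to the KDC.
if [ "${1:-}" = "--live" ]; then
    check_keytab "${2:-/etc/krb5.keytab}"
else
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
    for p in $(printf '%s\n' "$SAMPLE_KLIST" | keytab_principals); do
        echo "$p has $(printf '%s\n' "$SAMPLE_KLIST" | kvno_count "$p") key version(s)"
    done
fi
```

Run it in `--live` mode on the client after each keytab export and merge; a FAILED line for the nfs/ principal reproduces the "not found in Kerberos database" warning outside of rpc.gssd, and the KVNO count tells you whether an old export is still sitting in the merged keytab.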