What is the client OS?
I have been implementing Kerberos with linux (Fedora Core 19) nfs
clients, but a Oracle/Solaris Kerberos server (MIT not Heimdal) and
Directory (LDAP) server.
For the client, I created the following principals
root/client.example.com
host/client.example.com
nfs/client.example.com
I then exported them to a keytab file to be used on the client (
/etc/krb5.keytab )
Verify with "klist -k -e"
# klist -k -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 host/client.example.com at XYZ.EXAMPLE.COM (ArcFour with HMAC/md5)
3 nfs/client.example.com at XYZ.EXAMPLE.COM (ArcFour with HMAC/md5)
3 root/client.example.com at XYZ.EXAMPLE.COM (ArcFour with HMAC/md5)
#
(My DNS domain name is example.com, my kerberos realm is XYZ.EXAMPLE.COM.)
NFS is a little tricky because nfs and autofs clients are run as root.
Fedora 19 will try any of the principals above (root, host, nfs) so you
probably don't really need all 3.
I found specifying the correct encryption to be important. When I
create principals and keytab entries, several encryption options will be
supported. However, it looks like , with NFS, the client and server
won't negotiate the highest common protocol. If the client supports
RC4 and 3DES, and the server supports 3DES, the connection will fail
even tho they have a common protocol. Fedora 11 did not support
RC4 or AES with NFS, so I would have to make sure I created the
principals and keytabs to only use 3DES and DES. Fedora 19 (and I
think Fedora 14) support newer encryption.
On Fedora 19, the services don't start up in the correct order by
default. For testing you may want to manually restart nfs-idmap and
nfs-secure services.
And make sure client and server have the same time (at least w/in a few
minutes.)
On 09/23/14 08:12, Lars Hanke wrote:> It's probably difting slightly off the topic, but I know that there
> are some people listening here, who have a decent expertise. I'm
> trying to setup a file server (nfs4 at ad.domain) and mount from a client
> (hunin at ad.domain) using the user database and especially Kerberos
> provided by my AD (samba at ad.domain).
>
> It already works nicely, if I forget about krb5, i.e. idmapd is
> working straight.
>
> Running gssd -vvv yields the following messages in /var/log/syslog:
>
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad367c data 0xbfad36fc
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad367c data 0xbfad36fc
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad367c data 0xbfad36fc
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad367c data 0xbfad36fc
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad367c data 0xbfad36fc
> Sep 23 13:36:24 hunin rpc.gssd[15285]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnte)
> Sep 23 13:36:24 hunin rpc.gssd[15285]: handle_gssd_upcall: 'mech=krb5
> uid=0 enctypes=18,17,16,23,3,1,2 '
> Sep 23 13:36:24 hunin rpc.gssd[15285]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnte)
> Sep 23 13:36:24 hunin rpc.gssd[15285]: process_krb5_upcall: service is
> '<null>'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for
> 'nfs4.ad.microsult.de' is 'nfs4.ad.microsult.de'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for
> 'hunin.ad.microsult.de' is 'hunin.ad.microsult.de'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Success getting keytab entry
> for 'HUNIN$@AD.MICROSULT.DE'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE' are good until
1411507622
> Sep 23 13:36:24 hunin rpc.gssd[15285]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE' are good until
1411507622
> Sep 23 13:36:24 hunin rpc.gssd[15285]: using
> FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE as credentials cache for
> machine creds
> Sep 23 13:36:24 hunin rpc.gssd[15285]: using environment variable to
> select krb5 ccache FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating context using fsuid 0
> (save_uid 0)
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating tcp client for server
> nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: DEBUG: port already set to 2049
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating context with server
> nfs at nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Failed to create krb5
> context for user with uid 0 for server nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Failed to create
> machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE for server nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Machine cache is
> prematurely expired or corrupted trying to recreate cache for server
> nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for
> 'nfs4.ad.microsult.de' is 'nfs4.ad.microsult.de'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Full hostname for
> 'hunin.ad.microsult.de' is 'hunin.ad.microsult.de'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: Success getting keytab entry
> for 'HUNIN$@AD.MICROSULT.DE'
> Sep 23 13:36:24 hunin rpc.gssd[15285]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE' are good until
1411507622
> Sep 23 13:36:24 hunin rpc.gssd[15285]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE' are good until
1411507622
> Sep 23 13:36:24 hunin rpc.gssd[15285]: using
> FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE as credentials cache for
> machine creds
> Sep 23 13:36:24 hunin rpc.gssd[15285]: using environment variable to
> select krb5 ccache FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating context using fsuid 0
> (save_uid 0)
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating tcp client for server
> nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: DEBUG: port already set to 2049
> Sep 23 13:36:24 hunin rpc.gssd[15285]: creating context with server
> nfs at nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Failed to create krb5
> context for user with uid 0 for server nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Failed to create
> machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_AD.MICROSULT.DE for server nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: WARNING: Failed to create
> machine krb5 context with any credentials cache for server
> nfs4.ad.microsult.de
> Sep 23 13:36:24 hunin rpc.gssd[15285]: doing error downcall
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: dir_notify_handler: sig 37 si
> 0xbfad319c data 0xbfad321c
> Sep 23 13:36:24 hunin rpc.gssd[15285]: destroying client
> /var/lib/nfs/rpc_pipefs/nfs/clntf
> Sep 23 13:36:24 hunin rpc.gssd[15285]: destroying client
> /var/lib/nfs/rpc_pipefs/nfs/clnte
>
> However Wireshark tells me that it looks for nfs/nfs4.ad.microsult.de.
> This principal does not exist, but neither has to do anything with uid
> 0. Furthermore, the man page to gssd stipulates that the machine
> account would be just fine.
>
> I'm pretty confused, which principals I'd need and how to create
them
> in the samba AD.
>
> Any help appreciated,
> - lars.