Hi,

I'm trying to use a wildcard in the keytab because I don't want to join every
computer (client) to the domain just for the NFS krb5 service.

I added an SPN like this:
# samba-tool spn add host/* nfs
(I created the user nfs beforehand.)
# samba-tool spn list nfs
nfs
User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following 
servicePrincipalName:
          host/*
I export the keytab:
  # samba-tool domain exportkeytab /tmp/wildcardnfs.keytab --principal=host/*
ktutil -k /tmp/wildcardnfs.keytab list
/tmp/wildcardnfs.keytab:
Vno  Type              Principal                  Aliases
   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
I put this keytab on my client (named bataille) and restarted rpc.gssd -vvvv.
When I try to mount NFS, my client log shows:
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry for host/*@IF.UJF-GRENOBLE.FR
Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using keytab 'FILE:/etc/krb5.keytab'
Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found for connection to server ifsamba
Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1b
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1a
And on my server:
[2016/03/31 10:52:23.036664,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:38741 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.038496,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb
[2016/03/31 10:52:23.046352,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:34207 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.047710,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb
I want to use NFSv4 with Kerberos without joining all my clients to Samba4: is that possible?

PS: I also tried creating the SPN as HOST/* (uppercase HOST), because when I list the SPNs of a computer joined to Samba, I get this:
root@ifsamba:/scripts# samba-tool spn list CARTAN$
cartan$
User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the 
following servicePrincipalName:
          HOST/CARTAN
          HOST/cartan.if.ujf-grenoble.fr
but on my client rpc.gssd doesn't use the keytab when HOST is uppercase. Log:
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for 'BATAILLE$@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host ifsamba
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for connection to server ifsamba
What is the right process?
Thank you in advance
Sim
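As an added example (not code from this thread), a small Python checker that models the two lookups the logs above show: the exact principal names rpc.gssd tries for a host, and the KDC's requirement that the AS-REQ principal exist in its database (Rowland's point further down). The keytab table is the one from the post plus one constructed per-host entry for cartan; the KDC principal set is an assumption, and the candidate order is taken from the log.

```python
"""Why a host/* keytab entry never yields an NFS client credential.

rpc.gssd looks for a fixed list of exact principal names; the KDC answers an
AS-REQ only for a principal in its database. Comparison is a plain string
compare: '*' is a literal character and the service component is case-sensitive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REALM = "IF.UJF-GRENOBLE.FR"

# Constructed sample: the `ktutil list` table from the post, plus one per-host
# entry (kvno 2, aes256) invented here so that a successful lookup can be shown.
KTUTIL_LIST = """\
/tmp/wildcardnfs.keytab:

Vno  Type              Principal                  Aliases
   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
   2  aes256-cts-hmac-sha1-96  host/cartan.if.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR
"""

# Constructed stand-in for the KDC database (Samba's hdb): only the joined
# computer exists; there is no host/* entry, as the server log reported.
KDC_PRINCIPALS = {
    "CARTAN$@IF.UJF-GRENOBLE.FR",
    "host/cartan.if.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR",
}

@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    enctype: str
    principal: str

def parse_ktutil_list(text: str) -> list[KeytabEntry]:
    """Parse the table printed by Heimdal `ktutil -k FILE list`."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+@\S+)", line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def gssd_candidates(hostname: str, fqdn: str, realm: str) -> list[str]:
    """Machine-credential names rpc.gssd tried, in the order the post's log shows."""
    return [f"{hostname.upper()}$@{realm}", f"root/{fqdn}@{realm}",
            f"nfs/{fqdn}@{realm}", f"host/{fqdn}@{realm}"]

def find_machine_credential(entries, hostname, fqdn, realm=REALM):
    """Exact match against the candidates, else the fallback the log shows: the
    first entry whose service component is exactly 'host' (HOST/* was skipped,
    host/* accepted). The daemon's per-entry key checks are not modelled."""
    present = {e.principal for e in entries}
    for cand in gssd_candidates(hostname, fqdn, realm):
        if cand in present:
            return cand
    for e in entries:
        if e.principal.startswith("host/") and e.principal.endswith("@" + realm):
            return e.principal
    return None

def entry_problems(entry: KeytabEntry) -> list[str]:
    """Reasons an entry can never act as a per-host machine credential."""
    name = entry.principal.rpartition("@")[0]
    service = name.partition("/")[0]
    problems = []
    if "*" in name:
        problems.append("'*' is a literal character; Kerberos has no wildcard principals")
    if service != service.lower():
        problems.append(f"service '{service}' is uppercase; rpc.gssd compares case-sensitively")
    if entry.enctype.startswith("des-"):
        problems.append("single-DES enctype is disabled by default in current Kerberos libraries")
    return problems

def as_req_would_succeed(principal: str, kdc=KDC_PRINCIPALS) -> bool:
    """The KDC issues a TGT only for a principal present in its database."""
    return principal in kdc

def diagnose(entries, hostname, fqdn) -> str:
    """One-line verdict mirroring the two failure modes in the client logs."""
    cred = find_machine_credential(entries, hostname, fqdn)
    if cred is None:
        return f"{fqdn}: no usable keytab entry found"
    if not as_req_would_succeed(cred):
        return f"{fqdn}: keytab has {cred} but the KDC does not know it (AS-REQ fails)"
    return f"{fqdn}: OK, would use {cred}"

if __name__ == "__main__":
    kt = parse_ktutil_list(KTUTIL_LIST)
    print(diagnose(kt, "bataille", "bataille.ujf-grenoble.fr"))
    print(diagnose(kt, "cartan", "cartan.if.ujf-grenoble.fr"))
```

Running it reproduces both outcomes from the logs: the lowercase host/* entry is picked up and then rejected by the KDC, while an uppercase HOST/* entry is never used at all.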
Try it like:

http/%s@DOMAIN.COM

not http/*@DOMAIN.COM

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Service Informatique IF
> Sent: Thursday 31 March 2016 11:04
> To: samba at lists.samba.org
> CC: ifinfo at ujf-grenoble.fr
> Subject: [Samba] NFSv4 / Krb / wildcard in keytab
> [...]
Sorry, my previous one was totally wrong. Forget that one.

Greetz,

Louis
On 31/03/16 10:04, Service Informatique IF wrote:> Hi, > > I'm trying to use wildcard in keytab because i don't want join every > computer, client for service NFS krb5. > > I add a spn like this > > # samba-tool spn add host/* nfs > > (I create user nfs before) > > # samba-tool spn list nfs > nfs > User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following > servicePrincipalName: > host/* > > I export keytab : > > #samba-tool domain exportkeytab /tmp/wildcardnfs.keytab > --principal=host/* > > ktutil -k /tmp/wildcardnfs.keytab list > /tmp/wildcardnfs.keytab: > > Vno Type Principal Aliases > 1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR > 1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR > 1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR > > > I put this keytab on my client (name is bataille) and restart rpc.gssd > -vvvv > > I try to mount NFS and in my client log, I have : > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for > root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for > nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for > host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry 
for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for > principal 'host/*@IF.UJF-GRENOBLE.FR' > Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry > (host/*@IF.UJF-GRENOBLE.FR) > Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry > for host/*@IF.UJF-GRENOBLE.FR > > Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client > 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while > getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using > keytab 'FILE:/etc/krb5.keytab' > > Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found > for connection to server ifsamba > Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall > Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client > /run/rpc_pipefs/nfs/clnt1b > Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client > /run/rpc_pipefs/nfs/clnt1a > > And on my server : > > [2016/03/31 10:52:23.036664, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from > ipv4:152.77.213.108:38741 for > krbtgt/IF.UJF-GRENOBLE.FR at IF.UJF-GRENOBLE.FR > [2016/03/31 10:52:23.038496, 3] > 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found > in hdb > [2016/03/31 10:52:23.046352, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from > ipv4:152.77.213.108:34207 for > krbtgt/IF.UJF-GRENOBLE.FR at IF.UJF-GRENOBLE.FR > [2016/03/31 10:52:23.047710, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found > in hdb > > I wish use nfsv4 with krb but without join all my clients in Samba4 : > is it possible ? > > PS : I try to create a spn with HOST/* (host uppercase) because when i > show spn on a computer joined in Samba, i have this : > > > root at ifsamba:/scripts# samba-tool spn list CARTAN$ > cartan$ > User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the > following servicePrincipalName: > HOST/CARTAN > HOST/cartan.if.ujf-grenoble.fr > > but on my client rpc.gssd don't use the keytab when HOST is uppercase : > log : > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for > BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for > 'BATAILLE$@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for > root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'root/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for > nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'nfs/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for > host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR while getting keytab > entry for 'host/bataille.ujf-grenoble.fr at IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 
'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for > principal 'HOST/*@IF.UJF-GRENOBLE.FR' > Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry > (HOST/*@IF.UJF-GRENOBLE.FR) > Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: > gssd_refresh_krb5_machine_credential: no usable keytab entry found in > keytab /etc/krb5.keytab for connection with host ifsamba > 
> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for connection to server ifsamba
>
> What is the right process ?
>
> Thank you in advance
> Sim

I thought the whole idea of kerberos was to authenticate 'something' or 'someone' without passing passwords. As far as I am aware, 'something' or 'someone' must be in the kerberos database and I don't think using '*' is going to work, as this would allow anybody to gain access to your network, do you really want this ??

Rowland
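As an added example (not code from the thread, nfs-utils or Samba), the following Python audit models the lookup order the rpc.gssd -vvvv log above makes visible and flags what an auditor would want to see: wildcard instances, the case-sensitive service match that rejected HOST/*, and single-DES keys. The client name and realm are the thread's; the listing is constructed from its ktutil output plus one HOST/* line.

```python
"""Audit a keytab listing against what rpc.gssd looks for (added example, not
code from the thread, nfs-utils or Samba). It models the lookup order visible
in the rpc.gssd -vvvv log quoted above: the machine account (BATAILLE$@REALM),
then root/, nfs/ and host/ for the client FQDN, then a scan of every keytab
entry whose service is root, nfs or host, compared case-sensitively (which is
why host/* was accepted and HOST/* was not). The listing is constructed from
the thread's ktutil output plus one HOST/* line."""
import re

SAMPLE_LISTING = """\
/tmp/wildcardnfs.keytab:

Vno  Type              Principal                  Aliases
   1  des-cbc-crc       host/*@IF.UJF-GRENOBLE.FR
   1  des-cbc-md5       host/*@IF.UJF-GRENOBLE.FR
   1  arcfour-hmac-md5  host/*@IF.UJF-GRENOBLE.FR
   1  arcfour-hmac-md5  HOST/*@IF.UJF-GRENOBLE.FR
"""

ACCEPTED_SERVICES = ("root", "nfs", "host")     # services gssd accepts, per the log
WEAK_ENCTYPES = ("des-cbc-crc", "des-cbc-md5")  # single DES, worth flagging


def parse_listing(text):
    """Return (kvno, enctype, principal) tuples from `ktutil -k FILE list` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+@\S+)", line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def gssd_candidates(fqdn, realm):
    """Principals gssd asks for by name, in the order the log shows."""
    short = fqdn.split(".")[0].upper()
    return [f"{short}$@{realm}"] + [f"{s}/{fqdn}@{realm}" for s in ACCEPTED_SERVICES]


def audit(listing, fqdn, realm):
    """Report which entry gssd would fall back to and what an auditor should see."""
    entries = parse_listing(listing)
    principals = {p for _, _, p in entries}
    exact = [c for c in gssd_candidates(fqdn, realm) if c in principals]
    usable, findings = [], []
    for _, enctype, princ in entries:
        name, _, prealm = princ.partition("@")
        service, _, instance = name.partition("/")
        if prealm != realm:
            findings.append(f"{princ}: realm {prealm} is not {realm}, ignored")
            continue
        if service not in ACCEPTED_SERVICES:
            findings.append(f"{princ}: service '{service}' is not root/nfs/host "
                            "(case-sensitive), gssd will NOT use it")
            continue
        if "*" in instance:
            findings.append(f"{princ}: wildcard instance, one key shared by every "
                            "client and no such principal in the KDC (no entry in hdb)")
        if enctype in WEAK_ENCTYPES:
            findings.append(f"{princ}: weak enctype {enctype}")
        if princ not in usable:
            usable.append(princ)
    chosen = exact[0] if exact else (usable[0] if usable else None)
    return {"exact": exact, "usable": usable, "chosen": chosen, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_LISTING, "bataille.ujf-grenoble.fr", "IF.UJF-GRENOBLE.FR")["findings"]:
        print(line)
```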
So, bit more "correct" info. I can tell that it IS possible, but! You need to use an ACL file and, as far as I did find, you need kadmind for it, at least that's what I did find.

Read:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
and
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-server.html

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Thursday 31 March 2016 11:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
>
> Sorry, my previous was totally wrong..
> Forget that one.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Thursday 31 March 2016 11:25
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
> >
> > Try it like :
> >
> > http/%s at DOMAIN.COM
> >
> > not http/*@DOMAIN.COM
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Service Informatique IF
> > > Sent: Thursday 31 March 2016 11:04
> > > To: samba at lists.samba.org
> > > CC: ifinfo at ujf-grenoble.fr
> > > Subject: [Samba] NFSv4 / Krb / wildcard in keytab
> > >
> > > Hi,
> > >
> > > I'm trying to use wildcard in keytab because i don't want join every computer, client for service NFS krb5.
> > > [...]
On 31/03/2016 11:44, Rowland penny wrote:
> On 31/03/16 10:04, Service Informatique IF wrote:
>> Hi,
>>
>> I'm trying to use wildcard in keytab because i don't want join every computer, client for service NFS krb5.
>> [...]
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host ifsamba
>> Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for connection to server ifsamba
>>
>> What is the right process ?
>>
>> Thank you in advance
>> Sim
>>
> I thought the whole idea of kerberos was to authenticate 'something' or 'someone' without passing passwords.

You're right, when using a keytab it's without password, but users need to enter a password to access their data on a NFSv4 - krb share.

> As far as I am aware, 'something' or 'someone' must be in the kerberos database and I don't think using '*' is going to work, as this would allow anybody to gain access to your network, do you really want this ??

I understand that it is a possible security hole, but we already use a "generic" keytab for sssd. Our computers are in a "restricted" network, so I think it's not a big hole. And this keytab is used only for mounting the NFSv4 share, not to access user data, because data are chmod protected: each user needs to authenticate to obtain their own ticket, in order to see their data.

Wildcard keytab is possible in MIT Kerberos, so I thought it was possible to do that with Samba4.

The problem for us is to join computers automatically to Samba: maybe you have a solution? (without passwd)

Or maybe, if it's possible, create computer accounts in Samba with samba-tool user add ... and so I could create computer keytabs directly from Samba.

Thank you in advance
Sim