Hi,

I'm trying to use a wildcard in the keytab because I don't want to join every computer/client for the NFS krb5 service.

I add an SPN like this:

# samba-tool spn add host/* nfs

(I created the user nfs before.)

# samba-tool spn list nfs
nfs
User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr has the following servicePrincipalName:
host/*

I export the keytab:

# samba-tool domain exportkeytab /tmp/wildcardnfs.keytab --principal=host/*

ktutil -k /tmp/wildcardnfs.keytab list
/tmp/wildcardnfs.keytab:

Vno Type Principal Aliases
1 des-cbc-crc host/*@IF.UJF-GRENOBLE.FR
1 des-cbc-md5 host/*@IF.UJF-GRENOBLE.FR
1 arcfour-hmac-md5 host/*@IF.UJF-GRENOBLE.FR

I put this keytab on my client (its name is bataille) and restart rpc.gssd -vvvv.

I try to mount NFS, and in my client log I have:

Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We will NOT use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Processing keytab entry for principal 'host/*@IF.UJF-GRENOBLE.FR'
Mar 31 10:52:23 bataille rpc.gssd[3790]: We WILL use this entry (host/*@IF.UJF-GRENOBLE.FR)
Mar 31 10:52:23 bataille rpc.gssd[3790]: Success getting keytab entry for host/*@IF.UJF-GRENOBLE.FR

Mar 31 10:52:23 bataille rpc.gssd[3790]: WARNING: Client 'host/*@IF.UJF-GRENOBLE.FR' not found in Kerberos database while getting initial ticket for principal 'host/*@IF.UJF-GRENOBLE.FR' using keytab 'FILE:/etc/krb5.keytab'

Mar 31 10:52:23 bataille rpc.gssd[3790]: ERROR: No credentials found for connection to server ifsamba
Mar 31 10:52:23 bataille rpc.gssd[3790]: doing error downcall
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1b
Mar 31 10:52:23 bataille rpc.gssd[3790]: destroying client /run/rpc_pipefs/nfs/clnt1a

And on my server:

[2016/03/31 10:52:23.036664, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:38741 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.038496, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb
[2016/03/31 10:52:23.046352, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ host/*@IF.UJF-GRENOBLE.FR from ipv4:152.77.213.108:34207 for krbtgt/IF.UJF-GRENOBLE.FR@IF.UJF-GRENOBLE.FR
[2016/03/31 10:52:23.047710, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: UNKNOWN -- host/*@IF.UJF-GRENOBLE.FR: no such entry found in hdb

I wish to use NFSv4 with Kerberos but without joining all my clients to Samba4: is it possible?

PS: I tried to create an SPN with HOST/* (HOST uppercase) because when I show the SPNs of a computer joined to Samba, I have this:

root@ifsamba:/scripts# samba-tool spn list CARTAN$
cartan$
User CN=cartan,CN=Computers,DC=if,DC=ujf-grenoble,DC=fr has the following servicePrincipalName:
HOST/CARTAN
HOST/cartan.if.ujf-grenoble.fr

but on my client rpc.gssd doesn't use the keytab when HOST is uppercase; log:

Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for BATAILLE$@IF.UJF-GRENOBLE.FR while getting keytab entry for 'BATAILLE$@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'root/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'nfs/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: No key table entry found for host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR while getting keytab entry for 'host/bataille.ujf-grenoble.fr@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: Processing keytab entry for principal 'HOST/*@IF.UJF-GRENOBLE.FR'
Mar 31 09:55:28 bataille rpc.gssd[3777]: We will NOT use this entry (HOST/*@IF.UJF-GRENOBLE.FR)
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host ifsamba
Mar 31 09:55:28 bataille rpc.gssd[3777]: ERROR: No credentials found for connection to server ifsamba

What is the right process?

Thank you in advance
Sim
Try it like:

http/%s@DOMAIN.COM

not http/*@DOMAIN.COM

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Service Informatique IF
> Sent: Thursday 31 March 2016 11:04
> To: samba@lists.samba.org
> CC: ifinfo@ujf-grenoble.fr
> Subject: [Samba] NFSv4 / Krb / wildcard in keytab
>
> [...]
Sorry, my previous one was totally wrong. Forget that one.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Thursday 31 March 2016 11:25
> To: samba@lists.samba.org
> Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
>
> Try it like:
>
> http/%s@DOMAIN.COM
>
> not http/*@DOMAIN.COM
>
> Greetz,
>
> Louis
>
> > [...]
On 31/03/16 10:04, Service Informatique IF wrote:
> [...]

I thought the whole idea of Kerberos was to authenticate 'something' or 'someone' without passing passwords. As far as I am aware, 'something' or 'someone' must be in the Kerberos database, and I don't think using '*' is going to work, as this would allow anybody to gain access to your network. Do you really want this??

Rowland
So, a bit more "correct" info. I can tell that it IS possible, but! You need to use an ACL file and, as far as I did find, you need kadmind for it, at least that's what I did find.

Read:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
and
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-server.html

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Thursday 31 March 2016 11:31
> To: samba@lists.samba.org
> Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
>
> Sorry, my previous was totally wrong..
> Forget that one.
>
> Greetz,
>
> Louis
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces@lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Thursday 31 March 2016 11:25
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] NFSv4 / Krb / wildcard in keytab
> >
> > Try it like :
> >
> > http/%s@DOMAIN.COM
> >
> > not http/*@DOMAIN.COM
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original Message-----
> > > From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Service Informatique IF
> > > Sent: Thursday 31 March 2016 11:04
> > > To: samba@lists.samba.org
> > > CC: ifinfo@ujf-grenoble.fr
> > > Subject: [Samba] NFSv4 / Krb / wildcard in keytab
> > >
> > > Hi,
> > >
> > > I'm trying to use wildcard in keytab because i don't want join every
> > > computer, client for service NFS krb5.
> > >
> > > [...]
> > >
> > > What is the right process ?
> > >
> > > Thank you in advance
> > > Sim
On 31/03/2016 11:44, Rowland penny wrote:
> On 31/03/16 10:04, Service Informatique IF wrote:
>> Hi,
>>
>> I'm trying to use wildcard in keytab because i don't want join every
>> computer, client for service NFS krb5.
>>
>> [...]
>>
>> What is the right process ?
>>
>> Thank you in advance
>> Sim
>>
> I thought the whole idea of kerberos was to authenticate 'something'
> or 'someone' without passing passwords.

You're right, when using a keytab it's without a password, but users need to enter a password to access their data on an NFSv4 krb share.

> As far as I am aware, 'something' or 'someone' must be in the kerberos
> database and I don't think using '*' is going to work, as this would
> allow anybody to gain access to your network, do you really want this ??

I understand that is a possible security hole, but we already use a "generic" keytab for sssd. Our computers are in a "restricted" network, so I think it's not a big hole. And this keytab is used only for mounting the NFSv4 share, not to access user data, because the data are chmod protected: each user needs to authenticate to obtain their own ticket in order to see their data.

Wildcard keytabs are possible in MIT Kerberos, so I thought it was possible to do that with Samba4.

The problem for us is joining computers automatically to Samba: maybe you have a solution? (without a password)

Or maybe, if it's possible, create computer accounts in Samba with samba-tool user add ... and so I could create the computer keytab directly from Samba.

Thank you in advance
Sim
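Sim's alternative above, one computer account per client with its keytab exported from Samba instead of one host/* SPN shared by every machine, as an added shell example that is not code from the thread or from the Samba project. It assumes it runs as root on the Samba AD DC with a samba-tool new enough to have `samba-tool computer create` (added after this thread), and uses the realm, DNS domain and client name "bataille" from the thread; a keytab provisioned this way identifies exactly one host, so a lost one can be reset or deleted without touching the other clients.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): one computer
# account and one host keytab per NFS client, in place of a host/* SPN.
# Assumes: run as root on the Samba AD DC; samba-tool >= 4.6 (computer create).
set -eu

REALM="IF.UJF-GRENOBLE.FR"      # realm and DNS domain as used in the thread
DOMAIN="if.ujf-grenoble.fr"

# Accept only a plain short host name (letters, digits, hyphen): no wildcard,
# slash, dot or realm, so a request for "host/*" never reaches samba-tool.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

upper_name() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# sAMAccountName of the client's computer object, e.g. BATAILLE$ (the form
# samba-tool spn list shows for joined machines in the thread).
account_name() { printf '%s$' "$(upper_name "$1")"; }

# The service principals rpc.gssd probes for on a client (host/ and nfs/).
client_principals() {
    valid_host "$1" || return 1
    printf '%s\n' "host/$1.$DOMAIN@$REALM" "nfs/$1.$DOMAIN@$REALM"
}

# Run a command, or only echo it when DRY_RUN=1 (preview / offline testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Create the account (random machine password), attach its SPNs and export
# only that host's keys. The keytab is then copied to the client as
# /etc/krb5.keytab. samba-tool spn add refuses an SPN that already exists,
# so this is meant for accounts the script creates itself, not joined ones.
provision_client() {
    host="$1"
    keytab="${2:-/tmp/$1.keytab}"
    valid_host "$host" || { echo "refusing host name '$host'" >&2; return 1; }
    acct="$(account_name "$host")"
    run samba-tool computer create "$(upper_name "$host")"
    for p in $(client_principals "$host"); do
        spn="${p%@*}"   # spn add / exportkeytab take the SPN without @REALM
        run samba-tool spn add "$spn" "$acct"
        run samba-tool domain exportkeytab "$keytab" --principal="$spn"
    done
    run chmod 600 "$keytab"
}

# Usage: ./provision-nfs-client.sh <shorthost> [keytab]   (DRY_RUN=1 to preview)
if [ -n "${1:-}" ]; then
    provision_client "$1" "${2:-}"
fi
```

Verify the result on the client with `klist -k /etc/krb5.keytab`: it should list only host/ and nfs/ entries for that machine's own FQDN, which is what the rpc.gssd log in the thread was looking for.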