Hi Marcel,
Thanks for your fast response. I didn't manage to follow up sooner. I had
already turned verbose logging on, but I still can't find the real reason
why the domain controller searches for a userPrincipalName instead of a
servicePrincipalName.
Because I wasn't sure whether it was the NFS client process or the server
process that failed to get the Kerberos ticket when I tried the NFS mount
locally on the server, I went to a client workstation and tried again to mount
the NFS-exported directory from the server.
I'm attaching some more information below. Regarding the timestamps, please
note that the server is using UTC, while the client workstation is
configured to use CET (UTC+1). (Domain, client and server names are changed.)
/etc/krb5.keytab (created by net ads keytab create -P):
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (arcfour-hmac)
LDAP entry for client on DC:
# client02, Computers, domain.tld
dn: CN=client02,CN=Computers,DC=dom,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: client02
instanceType: 4
whenCreated: 20161118085936.0Z
uSNCreated: 5667
name: client02
objectGUID:: ### OBFUSCATED ###
userAccountControl: 69632
codePage: 0
countryCode: 0
primaryGroupID: 515
objectSid:: ### OBFUSCATED ###
accountExpires: ### OBFUSCATED ###
sAMAccountName: client02$
sAMAccountType: 805306369
dNSHostName: client02.domain.tld
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=dom,DC=lab
isCriticalSystemObject: FALSE
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/CLIENT02
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
servicePrincipalName: nfs/client02
pwdLastSet: 131245379770000000
whenChanged: 20161202065456.0Z
uSNChanged: 5733
distinguishedName: CN=client02,CN=Computers,DC=dom,DC=lab
### mount command on client02.domain.tld:
# mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home
### syslog on the client:
Dec 2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec 2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:48 client02 rpc.gssd[10462]: process_krb5_upcall: service is '*'
Dec 2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec 2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec 2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec 2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec 2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec 2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec 2 08:01:49 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:49 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Dec 2 08:01:49 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec 2 08:01:49 client02 rpc.gssd[10462]: process_krb5_upcall: service is '<null>'
Dec 2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec 2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec 2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec 2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec 2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec 2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec 2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clnt4194
Dec 2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4195
Dec 2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4194
### debug log on DC:
[2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
dn: DC=dom,DC=lab
scope: sub
expr: (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD))
control: <NONE>
...
[2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
ldb: ldb_trace_request: SEARCH
dn: DC=dom,DC=lab
scope: sub
expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld))
control: <NONE>
Many thanks in advance and kind regards,
Matthias
On 28.11.2016 at 11:55, Marcel via samba wrote:
> On 2016-11-28 07:14, Matthias Kahle via samba wrote:
>> Hi Folks
>
> Hi Matthias,
>
>> I'm trying to share user home directories hosted on a Samba-4 member
>> server via NFSv4. Everything's working well with the Windows shares but
>> when it comes to kerberized NFSv4 it fails. I can't even mount the home
>> root directory via nfs on the server itself ("mount.nfsv4: access denied
>> by server while mounting ...").
>>
>> As far as I have tracked it down, it appears to me that the server is
>> searching in its database for a userPrincipalName=nfs/server.dom.tld
>> while I have added a servicePrincipalName nfs/server.dom.tld with the
>> samba-tool. Due to this neither the server is getting a TGT nor the
>> client a TGS ...
>>
>> Am I doing anything wrong? Is that behaviour intentional?
>
> Getting NFSv4 + Kerberos to work with an "Active Directory" KDC
> can be quite tricky.
>
> To track down the problem, you should run rpc.gssd (on client) and
> rpc.svcgssd (on server) with "-v -v -v". This might give you some
> more hints where to look.
>
> You can read about the servicePrincipalNames your NFS client uses
> in the man page of rpc.gssd:
>
> <HOSTNAME>$@<REALM>
> root/<hostname>@<REALM>
> nfs/<hostname>@<REALM>
> host/<hostname>@<REALM>
>
> You should also check the listing of your keytab - if you're using
> the wrong syntax for your principalName, samba-tool will tell you
> it added an entry to the keytab (which in fact it didn't).
>
> linux # ktutil
>> rkt /etc/krb5.keytab
>> list -e
>
>
>> Version affected is samba 4.2.10 from the official debian 8 repositories
>> (on DCs and the member server).
>>
>> Kind regards,
>> Matthias
>
> Bye,
> Marcel
>
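The following diagnostic script is an added example, not part of this thread and not a Samba or nfs-utils tool. It cross-checks the three pieces of evidence posted above (the keytab listing, the computer object's LDAP attributes, and the rpc.gssd -vvv log) and answers the question the thread circles around: of the principals rpc.gssd tries in turn, which ones are in the keytab, and which of those the AD KDC would accept as the *client* name of an initial ticket request. The rule it encodes is what the DC's ldb trace shows: the KDC resolves the client principal through userPrincipalName and then samAccountName, never through servicePrincipalName. The sample inputs are constructed from the listings in the mail (placeholder names kept, "@" restored where the archive printed " at ") and trimmed to one enctype per principal; the log lines are assumed to be unwrapped, one record per line.

```python
import re

# Constructed sample inputs modelled on the listings in the mail above.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

LDIF_ENTRY = """\
dn: CN=client02,CN=Computers,DC=dom,DC=lab
sAMAccountName: client02$
dNSHostName: client02.domain.tld
servicePrincipalName: HOST/CLIENT02
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
servicePrincipalName: nfs/client02
"""

GSSD_LOG = """\
Dec 2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec 2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec 2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
"""


def parse_keytab(listing):
    """Set of principals in a klist -k / ktutil 'list' style listing (KVNO date time principal)."""
    principals = set()
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals


def parse_ldif(ldif):
    """Minimal LDIF reader: attribute -> list of values (multi-valued attrs preserved)."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        attrs.setdefault(key.strip(), []).append(val.strip())
    return attrs


def gssd_attempts(log):
    """(principal, outcome) for each keytab/KDC step rpc.gssd -vvv reports, in order."""
    attempts = []
    for line in log.splitlines():
        m = re.search(r"No key table entry found for (\S+) while", line)
        if m:
            attempts.append((m.group(1), "missing-from-keytab"))
            continue
        m = re.search(r"Success getting keytab entry for '([^']+)'", line)
        if m:
            attempts.append((m.group(1), "keytab-ok"))
            continue
        m = re.search(r"Client '([^']+)' not found in Kerberos database", line)
        if m:
            attempts.append((m.group(1), "kdc-unknown-client"))
    return attempts


def as_req_client_names(attrs, realm):
    """Names an AD KDC resolves an AS-REQ client against: userPrincipalName and
    sAMAccountName (AD compares these case-insensitively, so callers lower-case).
    servicePrincipalName values are deliberately excluded: they name services a
    ticket can be issued *for*, not accounts that can request one."""
    names = {f"{sam}@{realm}" for sam in attrs.get("sAMAccountName", [])}
    names.update(attrs.get("userPrincipalName", []))
    return {n.lower() for n in names}


def usable_client_principals(keytab, attrs, realm):
    """Keytab entries that double as a valid AS-REQ client name on this account."""
    names = as_req_client_names(attrs, realm)
    return {p for p in keytab if p.lower() in names}


def diagnose(keytab_listing, ldif, log):
    """Annotate every rpc.gssd attempt with (in keytab?, accepted as client by AD?)."""
    keytab = parse_keytab(keytab_listing)
    attrs = parse_ldif(ldif)
    attempts = gssd_attempts(log)
    if not attempts:
        return []
    realm = attempts[0][0].rsplit("@", 1)[1]
    names = as_req_client_names(attrs, realm)
    return [(p, outcome, p in keytab, p.lower() in names) for p, outcome in attempts]


if __name__ == "__main__":
    for principal, outcome, in_keytab, valid_client in diagnose(KEYTAB_LISTING, LDIF_ENTRY, GSSD_LOG):
        print(f"{principal:40} {outcome:22} keytab={in_keytab!s:5} AD-client-name={valid_client}")
    print("keytab entries AD would accept as client:",
          usable_client_principals(parse_keytab(KEYTAB_LISTING), parse_ldif(LDIF_ENTRY), "DOMAIN.TLD"))
```

Run against the thread's data, the report shows why the mount fails: the only principal rpc.gssd finds in the keytab, nfs/client02.domain.tld@DOMAIN.TLD, exists on the computer object solely as a servicePrincipalName, so the KDC's userPrincipalName and samAccountName lookups both miss and it answers "client not found". The keytab does hold CLIENT02$@DOMAIN.TLD, which matches the sAMAccountName and would be accepted as a client name, but rpc.gssd's first attempt asked for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD instead, so it never used it.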