Hi Marcel,

Thanks for your fast response. I didn't manage to follow up sooner. I had already turned verbose logging on, but I don't seem to find the real reason why the domain controller searches for a userPrincipalName instead of a servicePrincipalName.

Because I wasn't sure whether it was the NFS client process or the server process that failed to get the Kerberos ticket when I tried the NFS mount locally on the server, I went to a client workstation and tried again to mount the NFS-exported directory from the server.

I'm attaching some more information below. Regarding the timestamps, please note that the server is using UTC, while the client workstation is configured to use CET (UTC+1). (Domain, client and server names are changed.)

/etc/krb5.keytab (created by net ads keytab create -P):

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:52 host/client02@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (des-cbc-md5)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (arcfour-hmac)

LDAP entry for client on DC:

# client02, Computers, domain.tld
dn: CN=client02,CN=Computers,DC=dom,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: client02
instanceType: 4
whenCreated: 20161118085936.0Z
uSNCreated: 5667
name: client02
objectGUID:: ### OBFUSCATED ###
userAccountControl: 69632
codePage: 0
countryCode: 0
primaryGroupID: 515
objectSid:: ### OBFUSCATED ###
accountExpires: ### OBFUSCATED ###
sAMAccountName: client02$
sAMAccountType: 805306369
dNSHostName: client02.domain.tld
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=dom,DC=lab
isCriticalSystemObject: FALSE
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/CLIENT02
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
servicePrincipalName: nfs/client02
pwdLastSet: 131245379770000000
whenChanged: 20161202065456.0Z
uSNChanged: 5733
distinguishedName: CN=client02,CN=Computers,DC=dom,DC=lab

### mount command on client02.domain.tld:
# mount -t nfs4 -o sec=krb5 server01.domain.tld:/export/home /mnt
mount.nfs4: access denied by server while mounting server01.domain.tld:/export/home

### syslog on the client:
Dec  2 08:01:48 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:48 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Dec  2 08:01:48 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:48 client02 rpc.gssd[10462]: process_krb5_upcall: service is '*'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec  2 08:01:48 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:48 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec  2 08:01:49 client02 rpc.gssd[10462]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:49 client02 rpc.gssd[10462]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Dec  2 08:01:49 client02 rpc.gssd[10462]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt4194)
Dec  2 08:01:49 client02 rpc.gssd[10462]: process_krb5_upcall: service is '<null>'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'server01.domain.tld' is 'server01.domain.tld'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Full hostname for 'client02.domain.tld' is 'client02.domain.tld'
Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for root/client02.domain.tld@DOMAIN.TLD while getting keytab entry for 'root/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry for 'nfs/client02.domain.tld@DOMAIN.TLD'
Dec  2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client 'nfs/client02.domain.tld@DOMAIN.TLD' not found in Kerberos database while getting initial ticket for principal 'nfs/client02.domain.tld@DOMAIN.TLD' using keytab 'FILE:/etc/krb5.keytab'
Dec  2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found for connection to server server01.domain.tld
Dec  2 08:01:49 client02 rpc.gssd[10462]: doing error downcall
Dec  2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clnt4194
Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4195
Dec  2 08:01:49 client02 rpc.gssd[10462]: destroying client /run/rpc_pipefs/nfs/clnt4194

### debug log on DC:
[2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=dom,DC=lab
   scope: sub
   expr: (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD))
   control: <NONE>
...
[2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=dom,DC=lab
   scope: sub
   expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld))
   control: <NONE>

Many thanks in advance and kind regards,
Matthias

On 2016-11-28 at 11:55, Marcel via samba wrote:
> On 2016-11-28 07:14, Matthias Kahle via samba wrote:
>> Hi Folks
>
> Hi Matthias,
>
>> I'm trying to share user home directories hosted on a Samba-4 member
>> server via NFSv4. Everything's working well with the Windows shares but
>> when it comes to kerberized NFSv4 it fails. I can't even mount the home
>> root directory via nfs on the server itself ("mount.nfsv4: access denied
>> by server while mounting ...").
>>
>> As far as I have tracked it down, it appears to me that the server is
>> searching in its database for a userPrincipalName=nfs/server.dom.tld
>> while I have added a servicePrincipalName nfs/server.dom.tld with the
>> samba-tool. Due to this neither the server is getting a TGT nor the
>> client a TGS ...
>>
>> Am I doing anything wrong? Is that behaviour intentional?
>
> Getting NFSv4 + Kerberos to work with an "Active Directory" KDC
> can be quite tricky.
>
> To track down the problem, you should run rpc.gssd (on client) and
> rpc.svcgssd (on server) with "-v -v -v". This might give you some
> more hints where to look.
>
> You can read about the servicePrincipalNames your NFS client uses
> in the man page of rpc.gssd:
>
> <HOSTNAME>$@<REALM>
> root/<hostname>@<REALM>
> nfs/<hostname>@<REALM>
> host/<hostname>@<REALM>
>
> You should also check the listing of your keytab - if you're using
> the wrong syntax for your principalName, samba-tool will tell you
> it added an entry to the keytab (which in fact it didn't).
>
> linux # ktutil
>> rkt /etc/krb5.keytab
>> list -e
>
>> Version affected is samba 4.2.10 from the official debian 8 repositories
>> (on DCs and the member server).
>>
>> Kind regards,
>> Matthias
>
> Bye,
> Marcel
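The two logs above show the whole failure in miniature: rpc.gssd walks the candidate list from its man page, takes the first principal it finds in the keytab (nfs/client02.domain.tld@DOMAIN.TLD) and requests an initial ticket with it, while the Samba KDC resolves the client name of that AS-REQ through userPrincipalName and then sAMAccountName, never through servicePrincipalName, so "Client not found in Kerberos database" is the expected answer. The script below is an added pre-flight check written for this thread; it is not code from nfs-utils, Samba or any poster. It replays that logic offline against an abbreviated copy of the keytab listing and computer object posted above (constructed sample input; "@" written out), predicts which principal rpc.gssd will pick and whether the KDC will accept it, lists which keytab principals the KDC would accept as a client, and, as the thread's msDS-SupportedEncryptionTypes value of 31 and the des-cbc-*/arcfour-hmac keytab entries invite, flags the weak encryption types on both sides. The candidate order, the hostname-uppercasing and the UPN-then-sAMAccountName lookup are modelled on the rpc.gssd(8) text quoted above and on the ldb trace; the bit values for msDS-SupportedEncryptionTypes are Microsoft's documented ones.

```python
import re
from collections import defaultdict

# Constructed sample input, abbreviated from the `klist -ke` style listing in the thread.
KEYTAB_LISTING = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (des-cbc-crc)
   2 12/02/2016 07:54:52 host/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (arcfour-hmac)
   2 12/02/2016 07:54:53 nfs/client02.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/02/2016 07:54:53 CLIENT02$@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

# Constructed sample input, abbreviated from the computer object in the thread.
LDAP_ENTRY = """\
dn: CN=client02,CN=Computers,DC=domain,DC=tld
sAMAccountName: client02$
dNSHostName: client02.domain.tld
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/CLIENT02
servicePrincipalName: HOST/client02.domain.tld
servicePrincipalName: nfs/client02.domain.tld
servicePrincipalName: nfs/client02
"""

KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Bit flags of msDS-SupportedEncryptionTypes; third field marks enctypes treated as weak.
ENCTYPE_BITS = [
    (0x01, "des-cbc-crc", True),
    (0x02, "des-cbc-md5", True),
    (0x04, "rc4-hmac", True),
    (0x08, "aes128-cts-hmac-sha1-96", False),
    (0x10, "aes256-cts-hmac-sha1-96", False),
]
WEAK_KEYTAB_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "rc4-hmac"}


def parse_keytab_listing(text):
    """Map principal -> set of enctype names from a `klist -ke` listing."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys[m.group(1)].add(m.group(2))
    return dict(keys)


def parse_ldif(text):
    """Map attribute -> list of values for one LDIF entry (first colon splits name/value)."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
    return dict(attrs)


def decode_supported_enctypes(value):
    """Return (enabled enctype names, weak enctype names) for an msDS-SupportedEncryptionTypes value."""
    v = int(value)
    return ([n for bit, n, _ in ENCTYPE_BITS if v & bit],
            [n for bit, n, weak in ENCTYPE_BITS if v & bit and weak])


def gssd_candidates(hostname, realm):
    """Machine principals rpc.gssd tries, in order; the first is the FQDN uppercased plus '$'."""
    return [f"{hostname.upper()}$@{realm}", f"root/{hostname}@{realm}",
            f"nfs/{hostname}@{realm}", f"host/{hostname}@{realm}"]


def kdc_client_lookup(principal, entry):
    """Attribute through which an AD KDC finds the AS-REQ client: UPN first, then
    sAMAccountName on the name part; servicePrincipalName is never consulted."""
    name = principal.split("@", 1)[0]
    if principal.lower() in {u.lower() for u in entry.get("userPrincipalName", [])}:
        return "userPrincipalName"
    if name.lower() in {s.lower() for s in entry.get("sAMAccountName", [])}:
        return "sAMAccountName"
    return None


def diagnose(keytab, entry, hostname, realm):
    """Predict the rpc.gssd/KDC outcome and report weak enctypes on both sides."""
    chosen = next((p for p in gssd_candidates(hostname, realm) if p in keytab), None)
    lookup = kdc_client_lookup(chosen, entry) if chosen else None
    in_keytab = {e for encs in keytab.values() for e in encs}
    _, weak_bits = decode_supported_enctypes(entry["msDS-SupportedEncryptionTypes"][0])
    return {
        "gssd_principal": chosen,
        "kdc_lookup": lookup,
        "as_req_will_succeed": bool(chosen and lookup),
        "keytab_principals_kdc_accepts": [p for p in keytab if kdc_client_lookup(p, entry)],
        "weak_enctypes_in_keytab": sorted(in_keytab & WEAK_KEYTAB_ENCTYPES),
        "weak_enctypes_allowed_by_ad": weak_bits,
    }


if __name__ == "__main__":
    report = diagnose(parse_keytab_listing(KEYTAB_LISTING), parse_ldif(LDAP_ENTRY),
                      "client02.domain.tld", "DOMAIN.TLD")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data the report says that rpc.gssd will settle on nfs/client02.domain.tld@DOMAIN.TLD, that no lookup attribute matches it, and that the only keytab principal the KDC would accept as a client is CLIENT02$@DOMAIN.TLD, which rpc.gssd never tries because it builds the first candidate from the FQDN. The same script points at the second thing a security reviewer would want changed regardless of the mount problem: single-DES and RC4 keys in the keytab and all five bits set on the account.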
Just noticed: in the LDAP entry I forgot to replace my test environment entries dom (=domain) and lab (=tld).

On 2016-12-02 at 08:51, Matthias Kahle wrote:
> [...]
On 2016-12-02 at 08:51, Matthias Kahle via samba wrote:
> [...]

Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your client's LDAP entry and re-export the keytab?
Hai,

Maybe not the best solution, but a working workaround. You can try adjusting your idmapd.conf.

Set:
Local-Realm = DOMAIN.TLD
and make sure your local domain is set and matches the primary DNS domain.

Change this one to:
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

And add:
# map the computer names to user root.
[Static]
CLIENT02$/DOMAIN.TLD = root
host/client02.domain.tld@DOMAIN.TLD = root
nfs/client02.domain.tld@DOMAIN.TLD = root

Now, in [Static], one of these fixes the mount problem. Which one I don't know; depending on your problem, find out which one. Remove one at a time, rebooting the server every time to make sure everything is mounted on boot. And after you have found it, you can adjust the keytab entries.

This workaround works; I had the same problem, I just did not have time to fix it correctly.

And as a pointer, here is where it's going wrong:
CLIENT02.DOMAIN.TLD$@DOMAIN.TLD
A FQDN with $ @REALM, which should not be there.

And last, for my systemd setup I needed this (NFS client side):
/etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf
[Unit]
Before=remote-fs-pre.target
Wants=remote-fs-pre.target

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Matthias Kahle via samba
> Sent: Friday, 2 December 2016 9:06
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba and kerberized NFSv4
>
> Just noticed: in the LDAP entry I forgot to replace my test environment
> entries dom (=domain) and lab (=tld).
>
> On 2016-12-02 at 08:51, Matthias Kahle wrote:
> > [...]
process_krb5_upcall: service > is '<null>' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: Full hostname for > 'server01.domain.tld' is 'server01.domain.tld' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: Full hostname for > 'client02.domain.tld' is 'client02.domain.tld' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for > CLIENT02.DOMAIN.TLD$@DOMAIN.TLD while getting keytab entry for > 'CLIENT02.DOMAIN.TLD$@DOMAIN.TLD' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: No key table entry found for > root/client02.domain.tld at DOMAIN.TLD while getting keytab entry for > 'root/client02.domain.tld at DOMAIN.TLD' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: Success getting keytab entry > for 'nfs/client02.domain.tld at DOMAIN.TLD' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: WARNING: Client > 'nfs/client02.domain.tld at DOMAIN.TLD' not found in Kerberos database while > getting initial ticket for principal 'nfs/client02.domain.tld at DOMAIN.TLD' > using keytab 'FILE:/etc/krb5.keytab' > > Dec 2 08:01:49 client02 rpc.gssd[10462]: ERROR: No credentials found > for connection to server server01.domain.tld > > Dec 2 08:01:49 client02 rpc.gssd[10462]: doing error downcall > > Dec 2 08:01:49 client02 rpc.gssd[10462]: Closing 'gssd' pipe for > /run/rpc_pipefs/nfs/clnt4194 > > Dec 2 08:01:49 client02 rpc.gssd[10462]: destroying client > /run/rpc_pipefs/nfs/clnt4195 > > Dec 2 08:01:49 client02 rpc.gssd[10462]: destroying client > /run/rpc_pipefs/nfs/clnt4194 > > > > > > ### debug log on DC: > > [2016/12/02 07:01:52.138858, 10, pid=16357, effective(0, 0), real(0, 0), > class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug) > > ldb: ldb_trace_request: SEARCH > > dn: DC=dom,DC=lab > > scope: sub > > expr: > (&(objectClass=user)(userPrincipalName=nfs/client02.domain.tld at DOMAIN.TLD) > ) > > control: <NONE> > > ... 
> > [2016/12/02 07:01:52.142083, 10, pid=16357, effective(0, 0), real(0, 0), > class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug) > > ldb: ldb_trace_request: SEARCH > > dn: DC=dom,DC=lab > > scope: sub > > expr: (&(objectClass=user)(samAccountName=nfs/client02.domain.tld)) > > control: <NONE> > > > > > > > > Many thanks in advance and kind regards, > > Matthias > > > > Am 28.11.2016 um 11:55 schrieb Marcel via samba: > >> Am 2016-11-28 07:14, schrieb Matthias Kahle via samba: > >>> Hi Folks > >> > >> Hi Matthias, > >> > >>> I'm trying to share user home directories hosted on a Samba-4 member > >>> server via NFSv4. Everything's working well with the Windows shares > but > >>> when it comes to kerberized NFSv4 it fails. I can't even mount the > home > >>> root directory via nfs on the server itself ("mount.nfsv4: access > denied > >>> by server while mounting ..."). > >>> > >>> As far as I have tracked it down, it appears to me that the server's > is > >>> searching in its database for a userPrincipalName=nfs/server.dom.tld > >>> while I have added a servicePrincipalNamenfs/server.dom.tld with the > >>> samba-tool. Due to this neither the server is getting a TGT nor the > >>> client a TGS ... > >>> > >>> Am I doing anything wrong? Is that beahaviour intentional? > >> > >> Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC > >> can be quite tricky. > >> > >> To track down the problem, you should run rpc.gssd (on client) and > >> rpc.svcgssd (on server) with "-v -v -v". This might give you some > >> more hints where to look. 
> >> > >> You can read about the servicePrincipalNames your NFS client uses > >> in the man page of rpc.gssd: > >> > >> <HOSTNAME>$@<REALM> > >> root/<hostname>@<REALM> > >> nfs/<hostname>@<REALM> > >> host/<hostname>@<REALM> > >> > >> You should also check the listing of your keytab - if you're using > >> the wrong syntax for your principalName, samba-tool will tell you > >> it added an entry to the keytab (which in fact it didn't). > >> > >> linux # ktutil > >>> rkt /etc/krb5.keytab > >>> list -e > >> > >> > >>> Version affacted is samba 4.2.10 from the official debian 8 > repositories > >>> (on DCs and the member server). > >>> > >>> Kind regards, > >>> Matthias > >> > >> Bye, > >> Marcel > >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your client's LDAP entry and re-export the keytab?

I already thought about trying that. So by now, I tried tweaking the client's LDAP entry. Adding userPrincipalName=CLIENT02.DOMAIN.TLD does not succeed; however, after reviewing the LDAP filter once again, I added userPrincipalName=nfs/client02.domain.tld@DOMAIN.TLD to the workstation's account and finally the mount does not return an error anymore. Though I can't access anything on the mounted share, I guess that's OK for now, because the users' home directories hosted there must not be accessible to the root user at all. However, I don't expect that to be the right approach, not only because it requires a userPrincipalName for a service but mainly because I even have to add the Kerberos REALM ... or am I mistaken there? (Please bear with me if that sounds stupid, I'm still somehow new to dealing with Kerberos.)

Regards,
Mathias
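The following Python script is an added illustration for readers of this thread; it is not code from the thread, from nfs-utils or from Samba. It models the two lookups that the posted logs make visible: first rpc.gssd walking its candidate client principals (the four forms Marcel quoted from the rpc.gssd man page, in the order the syslog shows) until one has a key in the keytab, then the Samba KDC resolving that client name with the two ldb searches seen in the DC debug log (userPrincipalName=<principal@REALM>, then samAccountName=<principal without realm>). The inputs are transcribed from the keytab listing and the LDAP entry quoted above, and the second account variant is the workaround described in the reply. Two modelling assumptions that the page does not establish: attribute matching is treated as case-insensitive (as AD does for sAMAccountName and userPrincipalName), and the two searches in the DC log are taken to be the whole of the KDC's client lookup.

```python
"""
Model of the principal search visible in the posted rpc.gssd and Samba DC logs.

Added example; not from the thread, nfs-utils or Samba.  The data below is
constructed from the keytab listing and LDAP entry quoted in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class AdAccount:
    """Subset of an AD computer object.  Matching is modelled as
    case-insensitive (assumption: AD treats both attributes that way)."""
    sam_account_name: str
    user_principal_names: list = field(default_factory=list)
    service_principal_names: list = field(default_factory=list)


def gssd_candidates(fqdn: str, realm: str) -> list:
    """Client principals rpc.gssd tries for a uid=0 mount, in the order the
    posted syslog shows.  The first form is built from the *full* hostname."""
    return [
        f"{fqdn.upper()}$@{realm}",
        f"root/{fqdn}@{realm}",
        f"nfs/{fqdn}@{realm}",
        f"host/{fqdn}@{realm}",
    ]


def pick_keytab_principal(candidates: list, keytab_principals: set):
    """First candidate that has a key in the keytab, or None."""
    for principal in candidates:
        if principal in keytab_principals:
            return principal
    return None


def kdc_finds_client(principal: str, account: AdAccount) -> str:
    """Replay the two ldb searches from the DC log.  Returns the attribute
    that matched ('userPrincipalName' or 'sAMAccountName'), or '' if the
    client name is not found.  servicePrincipalName is deliberately not
    consulted: the log shows no search on it for the AS-REQ client name."""
    name_without_realm = principal.rsplit("@", 1)[0]
    if principal.lower() in (u.lower() for u in account.user_principal_names):
        return "userPrincipalName"
    if name_without_realm.lower() == account.sam_account_name.lower():
        return "sAMAccountName"
    return ""


def diagnose(fqdn: str, realm: str, keytab_principals: set, account: AdAccount) -> dict:
    """End-to-end: which keytab principal rpc.gssd would use, and whether the
    modelled KDC lookup would find it as a client (i.e. issue the TGT)."""
    chosen = pick_keytab_principal(gssd_candidates(fqdn, realm), keytab_principals)
    matched = kdc_finds_client(chosen, account) if chosen else ""
    return {"chosen": chosen, "matched_by": matched, "as_req_ok": bool(matched)}


# --- Constructed inputs, transcribed from the thread's keytab listing and LDAP entry ---
FQDN, REALM = "client02.domain.tld", "DOMAIN.TLD"
KEYTAB = {
    "host/client02.domain.tld@DOMAIN.TLD", "host/client02@DOMAIN.TLD",
    "nfs/client02.domain.tld@DOMAIN.TLD", "nfs/client02@DOMAIN.TLD",
    "CLIENT02$@DOMAIN.TLD",
}
ACCOUNT_AS_POSTED = AdAccount(
    sam_account_name="client02$",
    service_principal_names=["HOST/CLIENT02", "HOST/client02.domain.tld",
                             "nfs/client02.domain.tld", "nfs/client02"],
)
# The workaround reported in the reply: the full principal added as a UPN.
ACCOUNT_WITH_UPN = AdAccount(
    sam_account_name="client02$",
    user_principal_names=["nfs/client02.domain.tld@DOMAIN.TLD"],
    service_principal_names=list(ACCOUNT_AS_POSTED.service_principal_names),
)

if __name__ == "__main__":
    for label, acct in (("as posted", ACCOUNT_AS_POSTED), ("with UPN", ACCOUNT_WITH_UPN)):
        print(f"{label:10s} {diagnose(FQDN, REALM, KEYTAB, acct)}")
```

With the data as posted, the script picks nfs/client02.domain.tld@DOMAIN.TLD (the first candidate with a key in the keytab) and fails to resolve it as a client, which is the WARNING in the syslog; with the UPN added it resolves via userPrincipalName, which is the behaviour the reply reports. The model also makes one detail of the logs easy to see: rpc.gssd's first candidate is built from the FQDN (CLIENT02.DOMAIN.TLD$), while the keytab holds the machine account under CLIENT02$, so that key is never tried; whether the KDC would accept CLIENT02$@DOMAIN.TLD as a client is something this model assumes from the sAMAccountName search, not something the page shows.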