Ken McDonald
2018-Mar-04 01:52 UTC
[Samba] Samba AD + Kerbero + NFS "Client no longer in database"
I am soo lost trying to get Samba AD 4.7.5 as a Kerberos source for NFSv4. The NFS server is the Samba AD server running Ubuntu Server 16.0.4.3 and the client is Linux Mint 18.3.

This export WORKS and mounts on the client:

########## /etc/exports ##########

/mnt/fileshare *(rw,no_subtree_check,async)

############################

This export DOES NOT:

########## /etc/exports ##########

/mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)

############################

The error I get on the client side is:

########## console ##########

sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare /mnt/fileshare

mount.nfs4: timeout set for Sat Mar  3 20:27:51 2018
mount.nfs4: trying text-based options 'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting ubuntu-nfs:/mnt/fileshare

############################

On the server side, syslog is no help.

########## /var/log/syslog ##########

Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd 172.20.100.205'
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/' flags 0x12405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/mnt' flags 0x10405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client 0x16ec5b0 '*'

############################

On the server side, I increased Samba logging to "log level = 4" and I get this error when the remote mount fails initially:

########## /usr/local/samba/var/log.samba ##########

SUBDOMAIN[2018/03/03 20:18:57.282480, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:36129 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287154, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 149
[2018/03/03 20:18:57.287185, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287207, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.287406, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.288906, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:39005 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.292893, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.292921, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.292937, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.293106, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.297323, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at [Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.297491, 3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.297385-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", "remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.297615, 3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.297648, 4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.307065, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.307839, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.307878, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.310239, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57552 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.314895, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.314932, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.314951, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.315138, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.315187, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at [Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.315435, 3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.315308-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", "remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.315512, 3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.315622, 4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.322796, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.323216, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.323256, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.323763, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.323830, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

In addition, there is a series of these messages repeating after the initial connection, and any subsequent remount attempt just lists these messages below:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.330456, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM [canonicalize, renewable]
[2018/03/03 20:18:57.334817, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
[2018/03/03 20:18:57.334883, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ret: -1765328378
[2018/03/03 20:18:57.334944, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
[2018/03/03 20:18:57.336124, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.336195, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

I believe the "Client no longer in database" message is the root error. I added code to the Samba sources to pull the exact message code of -1765328378, which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

I created the server and client keytab files using these kinds of commands:

sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com "UBUNTU-NFS\$"

sudo samba-tool domain exportkeytab --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab

and put the files in /etc/krb5.keytab. I can verify in ADUC that these SPNs do exist on the machine accounts for server and client.

I'm soo lost. I had this working on a prior test VM setup but started over to clean up my documentation. I've got no idea where to go next to make the NFSv4 mount work using Kerberos from Samba AD.
Norbert Hanke
2018-Mar-11 22:43 UTC
[Samba] Samba AD + Kerbero + NFS "Client no longer in database"
On 04.03.2018 02:52, Ken McDonald via samba wrote:

> I am soo lost trying to get Samba AD 4.7.5 as a Kerberos source for NFSv4. The NFS server is the Samba AD server running Ubuntu Server 16.0.4.3 and the client is Linux Mint 18.3
>
> This export WORKS and mounts on client
>
> ########## /etc/exports ##########
>
> /mnt/fileshare *(rw,no_subtree_check,async)
>
> ############################
>
> This export DOES NOT
>
> ########## /etc/exports ##########
>
> /mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)
>
> ############################
>
> The error I get on client side is
>
> ########## console ##########
>
> sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare /mnt/fileshare
>
> mount.nfs4: timeout set for Sat Mar  3 20:27:51 2018
> mount.nfs4: trying text-based options 'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting ubuntu-nfs:/mnt/fileshare
>
> ############################
>
> On server side, syslog is no help.
>
> ########## /var/log/syslog ##########
>
> Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd 172.20.100.205'
> Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/' flags 0x12405
> Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/mnt' flags 0x10405
> Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client 0x16ec5b0 '*'
>
> ############################
>
> On server side, I increased Samba logging level to log level = 4 and I get this error when the remote mount fails initially
>
> ########## /usr/local/samba/var/log.samba ##########
>
> SUBDOMAIN[2018/03/03 20:18:57.282480, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:36129 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287154, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client sent patypes: 149
> [2018/03/03 20:18:57.287185, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287207, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.287406, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.288906, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:39005 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.292893, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client sent patypes: encrypted-timestamp, 149
> [2018/03/03 20:18:57.292921, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.292937, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.293106, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.297323, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at [Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
> [2018/03/03 20:18:57.297491, 3] ../auth/auth_log.c:220(log_json)
>   JSON Authentication: {"timestamp": "2018-03-03T20:18:57.297385-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", "remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
> [2018/03/03 20:18:57.297615, 3] ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2018/03/03 20:18:57.297648, 4] ../source4/auth/sam.c:189(authsam_account_ok)
>   authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.307065, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
> [2018/03/03 20:18:57.307839, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.307878, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Requested flags: renewable-ok
> [2018/03/03 20:18:57.310239, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57552 for krbtgt/SUBDOMAIN.DOMAIN.COM at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.314895, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client sent patypes: encrypted-timestamp, 149
> [2018/03/03 20:18:57.314932, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.314951, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.315138, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.315187, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM] at [Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
> [2018/03/03 20:18:57.315435, 3] ../auth/auth_log.c:220(log_json)
>   JSON Authentication: {"timestamp": "2018-03-03T20:18:57.315308-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM", "remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
> [2018/03/03 20:18:57.315512, 3] ../auth/auth_log.c:139(get_auth_event_server)
>   get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2018/03/03 20:18:57.315622, 4] ../source4/auth/sam.c:189(authsam_account_ok)
>   authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.322796, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
> [2018/03/03 20:18:57.323216, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2018/03/03 20:18:57.323256, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Requested flags: renewable-ok
> [2018/03/03 20:18:57.323763, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2018/03/03 20:18:57.323830, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> ############################
>
> In addition, there is a series of these messages repeating after the initial connection and any subsequent remount attempt just lists these messages below
>
> ########## /usr/local/samba/var/log.samba ##########
>
> [2018/03/03 20:18:57.330456, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM [canonicalize, renewable]
> [2018/03/03 20:18:57.334817, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com at SUBDOMAIN.DOMAIN.COM
> [2018/03/03 20:18:57.334883, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: ret: -1765328378
> [2018/03/03 20:18:57.334944, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
> [2018/03/03 20:18:57.336124, 3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
>   Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2018/03/03 20:18:57.336195, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> ############################
>
> I believe the "Client no longer in database" message is the root error. I added code to Samba sources to pull exact message code of -1765328378 which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
>
> I created the server and client keytab files using these kinds of commands
>
> sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com "UBUNTU-NFS\$"
>
> sudo samba-tool domain exportkeytab --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab
>
> and put the files in /etc/krb5.keytab . I can verify in ADUC that these SPNs do exist on the machine accounts for server and client
>
> I'm soo lost. I had this working on a prior test vm setup but started over to clean up my documentation. I've got no idea where to go next to make the NFSv4 mount work using Kerberos from Samba AD

This looks very similar to a problem I had with a Solaris system joined to a Samba AD DC. In my case the Solaris system used to request a ticket for root/system.subdomain.domain.tld at SUBDOMAIN.DOMAIN.TLD, which is a valid SPN for the system, while the UPN for that system was host/system.subdomain.domain.tld at SUBDOMAIN.DOMAIN.TLD. Apparently, the Samba built-in KDC expects such a ticket request to be for a UPN, not an SPN. In comparison, the MIT Kerberos KDC is more tolerant and accepts such a request: I tested with Samba 4.7.5 on Fedora 27 that uses the MIT KDC and it works.

Since I did not want to migrate my DCs to a different platform supporting the MIT KDC I implemented a workaround: I renamed the UPN of the client system's account from host/... to root/... and that works with the Samba built-in KDC. Of course this workaround works for exactly one name used client side, root/... in my case.

You might try the same: rename the UPN to nfs/... and check if it works. Or switch to a Samba AD DC with an MIT KDC.

Regards,
Norbert
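Editor's added example, written for this thread and not taken from either post or from Samba itself. It puts both halves of the diagnosis above into code: Ken's step of translating the raw `ret: -1765328378` into its KRB5KDC_ERR_* name (the krb5 library numbers are offsets from KRB5KDC_ERR_NONE, so the RFC 4120 protocol code is the difference), and Norbert's check that the principal the client authenticates as matches the machine account's UPN rather than merely one of its SPNs. The log lines are constructed from the values quoted in the thread; the `SAMPLE_ACCOUNT` dict stands in for the attributes you would read from the client's computer object in AD (the host/... UPN is the shape Norbert describes, assumed here, not something Ken's post shows), and the regexes accept both the real `@` and the list archive's ` at ` spelling of principals.

```python
"""Correlate Samba KDC debug lines with a machine account's UPN/SPN set."""
import re

# MIT/Heimdal krb5 error numbers are offsets from KRB5KDC_ERR_NONE; the
# RFC 4120 protocol error code is (ret - BASE).  -1765328378 - BASE == 6.
KRB5KDC_ERR_BASE = -1765328384
KDC_ERR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
}

# A principal as printed by the KDC ("name@REALM") or by the list archive ("name at REALM").
PRINC = r"(\S+?)(?:@| at )(\S+)"
REQ_RE = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) " + PRINC + r" from (\S+) for " + PRINC)
NOCLIENT_RE = re.compile(r"Kerberos: Client no longer in database: " + PRINC)
RET_RE = re.compile(r"Kerberos: ret: (-?\d+)")


def decode_krb5_error(ret):
    """Map a 'Kerberos: ret: <n>' value to (protocol code, symbolic name)."""
    code = ret - KRB5KDC_ERR_BASE
    return code, KDC_ERR_NAMES.get(code, "UNKNOWN(%d)" % code)


def parse_kdc_log(lines):
    """Reduce smb_krb5_debug_wrapper output to request and failure events."""
    events = []
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            kind, cname, crealm, src, sname, srealm = m.groups()
            events.append({"kind": kind, "client": "%s@%s" % (cname, crealm),
                           "server": "%s@%s" % (sname, srealm), "from": src})
            continue
        m = NOCLIENT_RE.search(line)
        if m:
            events.append({"kind": "CLIENT_UNKNOWN", "client": "%s@%s" % m.groups()})
            continue
        m = RET_RE.search(line)
        if m and events:
            events[-1]["ret"] = int(m.group(1))  # ret line follows the failure it explains
    return events


def diagnose(events, account):
    """Explain each 'Client no longer in database' event against the AD account.

    account carries userPrincipalName and servicePrincipalName as you would read
    them from the client's computer object; returns a list of finding strings.
    """
    upn = account.get("userPrincipalName", "").lower()
    spns = {s.lower() for s in account.get("servicePrincipalName", [])}
    got_tgt = {e["client"].lower() for e in events if e["kind"] == "AS-REQ"}
    findings = []
    for e in events:
        if e["kind"] != "CLIENT_UNKNOWN":
            continue
        client = e["client"].lower()
        code, name = decode_krb5_error(e.get("ret", KRB5KDC_ERR_BASE))
        msg = "TGS-REQ by %s rejected with %s (protocol code %d)" % (e["client"], name, code)
        if client.split("@")[0] in spns and client != upn:
            msg += ("; the client authenticates as one of the account's SPNs but the "
                    "account UPN is %s. The Samba built-in KDC wants the client name to be "
                    "the UPN: rename the UPN to this name, or use an MIT-KDC-based DC." % upn)
        elif client in got_tgt:
            msg += "; the same name obtained a TGT moments earlier, so the TGS client lookup differs."
        findings.append(msg)
    return findings


# Constructed sample, modelled on the log entries quoted in the thread.
SAMPLE_LOG = [
    "[2018/03/03 20:18:57.310239, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)",
    "  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57552 for krbtgt/SUBDOMAIN.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM",
    "  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM using aes256-cts-hmac-sha1-96",
    "  Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM [canonicalize, renewable]",
    "  Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM",
    "  Kerberos: ret: -1765328378",
    "  Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554",
]

# Constructed computer object for MINT-NFS$: UPN of the host/... shape Norbert describes (assumed).
SAMPLE_ACCOUNT = {
    "userPrincipalName": "host/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM",
    "servicePrincipalName": ["HOST/MINT-NFS", "HOST/mint-nfs.subdomain.domain.com",
                             "nfs/mint-nfs.subdomain.domain.com"],
}

if __name__ == "__main__":
    for finding in diagnose(parse_kdc_log(SAMPLE_LOG), SAMPLE_ACCOUNT):
        print(finding)
```

Feed it the real `log.samba` plus the UPN and servicePrincipalName values of the client's computer object (read with `samba-tool` or `ldbsearch` against the DC), and the finding tells you in one line whether you are looking at Norbert's UPN/SPN case or at a genuinely unknown principal.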