L.P.H. van Belle
2018-Oct-24 10:09 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Good morning Marco and others.

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Tuesday 23 October 2018 18:58
> To: samba@lists.samba.org
> Subject: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
>
> Sorry, i come back to this topic in a different thread, because i'm
> still totally puzzled with the previous one. Louis, sorry me. ;(

Ahh, no problem at all, I'll do my best to explain better. ;-)

> I've tried to start with this, that seems very simple:
>
> https://wiki.debian.org/NFS/Kerberos

Yes, I started there also. But that one isn't working correctly with samba.
Read it, and learn from it, then skip/don't use it.

I've used also http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html as base.
This is an old one but has some good info on how things work. (more to find on this site also)
Just read it and again don't use it. Same here, some examples are shown wrong.

Then I used: https://help.ubuntu.com/community/NFSv4Howto#NFSv4_with_Kerberos
Yes, it's Ubuntu, that does not matter, the setup and commands are all the same.
Same here, read it and don't use it. They are not using it as we want to.

Now the problem: because of all the reading, almost nothing is up to date and almost none of it results in a working setup.
Due to OS differences, differences between the MIT and Heimdal Kerberos setups, but it also involves the packages themselves and kernel versions.
So people say it's complex, but it's not that complex.

First you install samba and winbind, or only winbind if you don't need smb-shares on that server.
Join the server to the domain as any member; join but don't start samba/winbind yet. (preferred)

Steps to do before you continue.

Check in the DNS if the NFS server has its A and PTR record. (obligated)
The join should have handled this. (at least the A record)
NFS client should work with A only, but I do recommend setting PTR for all the servers.

The nfs-server needs to be able to delegate the servers with kerberos. (obligated for NFSv4 with kerberos mounts)

Start - ADUC, enable advanced features - go to CN=Computers,
get the member server's properties, tab Delegation, enable
"Trust this computer for delegation to any service (kerberos only)".

I have set this on both NFS server and NFS client, that's more because of the use of my servers.

And obligated in smb.conf for this setup:

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # Renew the kerberos ticket
    winbind refresh tickets = yes
    # We strip the domain (NTDOM\username) to username
    # ! Normally not advised
    winbind use default domain = yes

And of course a correct idmap setup.

Now you can start samba/winbind.
Don't ask me why I do it like this, but this always works for me and if it works, I stick to these steps.

Now you have 2 options to add the nfs SPN: on the AD-DC with samba-tool, or on the member using net ads.
I prefer net ads on the member, so there is no need to export it and import it.

# reminder note 1. this is part of the problem.

If krb5.conf is still Debian default and the setup is correct you should see:

    Login Administrator@REALM.TLD

The Debian krb5.conf defaults are sufficient for a correct setup as base.

I prefer the user Administrator; I do that to avoid ACL problems in the AD, to make sure the ACLs on the objects are set correctly.
If it's not working with another user, repeat it and check if it does with Administrator; if so, then it's an ACL problem.

The base I use atm for the nfsv4 mounts.

SETUP NFS-SERVER:

    apt-get install nfs-kernel-server nfs-common nfs4-acl-tools

- Make your nfs4 root. Some say it's not needed, some do, I say use it, it works.

Debian Stretch as nfs server, other clients are possible.
(I've only tested against wheezy, jessie and stretch)

# NFS-Server - Setup nfs4 root

    mkdir -p /srv/nfs4/home
    chmod 1777 /srv/nfs4
    chmod 1777 /srv/nfs4/home

And yes, you can remove the nfs4 folder also in this example.
But same here, experience shows: /srv (this is a separate disk in my case), then NEVER use it directly as /srv.
Always create a subfolder first and work in that one.
Why, I'll explain this also sometime but not now. Google can tell it also. ;-)

# NFSv4 Root mount

    Test: mount --bind /home /srv/nfs4/home
    Test: umount /srv/nfs4/home

Enable the mount when the server starts (I used systemd; fstab can be used also).
If you use systemd, the filename .mount must reflect the path.

    ######## example mount-bind systemd service file
    #/etc/systemd/system/srv-nfs4-home.mount
    [Unit]
    Description=NFS export (/srv/nfs4/home)

    [Mount]
    What=/home
    Where=/srv/nfs4/home
    Type=none
    Options=bind

    [Install]
    WantedBy=multi-user.target
    ######## example mount-bind systemd service file

And mount it:

    systemctl enable srv-nfs4-home.mount
    systemctl start srv-nfs4-home.mount

My /etc/exports shows:

    /srv/nfs4       192.168.0.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
    /srv/nfs4/home  192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

And export the settings:

    exportfs -rav

Stop all nfs services (we are still setting up nfs-server):

    systemctl stop nfs-*

> And so i've done:
>
> a) installed 'nfs-kernel-server' on server, 'nfs-common' on client.
> Ok, this is easy.

Yes, that is easy...

> b) AFAI've understood i need to create a 'principal', type 'NFS', for
> server and client, and store the key in ''local keytab''.
> Debian wiki suggest:
>
> addprinc -randkey NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT
> ktadd NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT
>
> but in 'samba' lingo the same operation can be obtained with (run in
> the client and server, with appropriate data):
>
> net -U gaio ads keytab add NFS/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT -k
>
> done that, effectively the file /etc/krb5.keytab on server and client
> got created, with something that seems a 'key'.

Ok, here it's a bit wrong, not your doing, I'll explain.
Sometimes you don't need to add the realm after the commands.
If someone can show a nice ldapsearch on the SPN/UPN objects, you can see what I mean from the CLI.

Check the SPN/UPN in the AD with the RSAT's ADUC, this is why I do.
Start - ADUC, enable advanced features - go to CN=Computers, get the member server's properties.
Go to the "Attribute Editor", look up the servicePrincipalName.
Check the formats there:

    HOST/
    nfs/

Do note that the CAPS and not-caps are as you should use them.
If you use another one, make sure you have CAPS or not-caps correct.

Now looking at the servicePrincipalName in ADUC:

    Correct:   nfs/hostname.domain.tld
    Incorrect: nfs/hostname.domain.tld@REALM.TLD
    Incorrect: NFS/hostname.domain.tld
    Incorrect: NFS/hostname.domain.tld@REALM.TLD

This is needed per server where you use it with NFSv4 (or cifs or ...) (client and server).
If you don't see the SPN/UPN there, add it (but without the realm).
The realm is added automatically on the server, the same way as when you do kinit Administrator, through the krb5.conf defaults.

The krb5.conf you should use:

    /etc/krb5.conf
    [libdefaults]
        default_realm = AD.FVG.LNF.IT
        ; ignore k5login not being accessible in the user home dir.
        ignore_k5login = true
        ; for Windows 2008 with AES, needed by CIFS also.
        ; (don't forget the cifs/ SPN)
        default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        ; (and all the defaults from debian are below this, remove/keep what you want.)

Now you're ready to create the nfs SPN (net ads keytab).

# reminder note 2. this is part of the problem.

You have 2 options.

    Option 1) net ads keytab add nfs/$(hostname -f)    (<< the one I used on server and client)
    Option 2) net ads keytab add nfs

Optional, choose one of these 2 options; this also creates nfs/HOSTNAME for example.
I suggest 1., and backup your keytab and check what the difference is.
In this case NFS is more flexible, it searches for nfs but also for HOST/.. SPNs, not only nfs/.
I get the best results with the nfs/hostname.domain.tld added SPN.

The commands:

    kinit Administrator
    net ads keytab add nfs/$(hostname -f)

Test:

    kinit nfs/$(hostname -f) -kt /etc/krb5.keytab

Check with:

    klist

That should show:

    Default principal: nfs/hostname.internal.domain.tld@REALM.TLD

Then:

    kdestroy

(getting close to the point of your problem Marco, ..)
And this is still mostly the NFS server part.

> c) i've enabled, as stated by wiki and you, Louis, the IDMAP and GSSD/svcgssd
> on client and server as requested.

Good, that's needed also. No comments here. So far all good.

> OK, good start. But doing that i got:
>
> root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
> mount.nfs4: an incorrect mount option was specified

Ah, yes, I've seen that also, yes very annoying.
You missed a part, and that's not your fault. This is what is happening.

What I noticed, after adding the nfs/ SPN with net ads keytab:
the nfs/ SPN was NOT added to the computer object in the AD.
(see above how to check that)
And for NFSv4 kerberised mounts the nfs/ SPN MUST be available in the network and not only locally.

# reminder note 3. this is part of the problem.

And this is due to net ads keytab and not using samba-tool.
I will change that to samba-tool when I write the new howto.
(but I must say, I haven't tested this with samba-tool yet on 4.8 and up.)
Or if someone is going to test all this: if you find improvements, point them out please.

My goal here is a better way of adding the member server and the SPN so it gets into the local keytab automatically as well.
Here I manually corrected the nfs/hostname, just by adding it in the AD with ADUC.
I only added: nfs/hostname.internal.domain.tld (check server and clients!)

Now the last part.
The idmapd.conf file, you need this on NFS server and NFS client.
This is the current one I'm working with, and I'm trying to remove the non-default parts.
But this is the currently working setup.

    #/etc/idmapd.conf
    [General]
    # increase your logging so you can see what is happening.
    Verbosity = 5
    # some default setting.
    Pipefs-Directory = /run/rpc_pipefs
    # set your own domain here, if it differs from FQDN minus hostname
    # Domain = localdomain
    # Set these both, you need them
    Domain = ad.fvg.lnf.it
    Local-Realm = AD.FVG.LNF.IT

    # some default setting.
    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nogroup

    # this is getting interesting. For NFS.
    [Translation]
    Method = nsswitch,static
    GSS-Methods = nsswitch,static

    [Static]
    HOSTNAME2Change$@AD.FVG.LNF.IT = root
    # file ends here.

What I did here was, I made sure that the COMPUTER$ is allowed to run as root.
And that's needed for the kerberized automounts when a user is logging in, at least it looks like it.
But for that I need to test more and I'm running out of time.
This part might need some improvement, but this works for now.
Based on what I told above, and if you set up as shown above, it should be on the client:

    mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/users /home

And hurray, it works ;-) and if not, mail me again. :-(

Last, if you see in your logs:

    lkmapd[304]: open pipe file /run/rpc_pipefs/nfs/blocklayout failed: No such file or directory

You can ignore this, it's known, just wait for the bug fix, it's a regression bug in nfs.

And in reply to the new mail.
Your nfs stalled, then it gets masked to prevent other errors.

    systemctl unmask nfs-common
    systemctl enable nfs-common

If you keep hitting problems with the nfs server/client:

    apt-get remove --auto-remove --purge nfs-common nfs-kernel-server

Clear your nfs part in the keytab.
Start again based on above.

Questions, you know where to find me.

Greetz,

Louis

> After restarting the client, now i got:
>
> root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1:/home /home
> mount.nfs4: access denied by server while mounting vdmpp1:/home
>
> and in log:
>
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.414391] FS-Cache: Loaded
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.453067] FS-Cache: Netfs 'nfs' registered for caching
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.457587] Key type dns_resolver registered
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.472990] NFS: Registering the id_resolver key type
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.472994] Key type id_resolver registered
> Oct 23 18:50:47 vdmpp2 kernel: [ 49.472995] Key type id_legacy registered
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.pp.lnf.it
> Oct 23 18:50:47 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.pp.lnf.it
>
> Seems i've to fix a bit my backresolving, so i've put an entry in
> /etc/hosts, to test, and:
>
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host vdmpp1.ad.fvg.lnf.it
> Oct 23 18:56:26 vdmpp2 rpc.gssd[696]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
>
> Why?! Thanks.
>
> --
> dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Marco Gaiarin
2018-Oct-25 09:59 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Mandi! L.P.H. van Belle via samba wrote:

> The nfs-server needs to be able to delegate the servers with kerberos. (obligated for nfsv4 with kerberos mounts)
> Start - ADUC, enable advanced features - go to CN=Computers
> get the member server's properties, tab Delegation, enable "Trust this computer for delegation to any service (kerberos only)"
> I have set this on both NFS server and NFS client, that's more because of the use of my servers.

OK. Done. The same can be achieved with:

    samba-tool delegation for-any-service vdmpp1$ on

> And obligated in smb.conf for this setup.
> kerberos method = secrets and keytab

OK.

> dedicated keytab file = /etc/krb5.keytab

Seems not needed. The smb.conf manpage says explicitly that this is needed only if 'kerberos method = dedicated keytab'; if 'kerberos method = secrets and keytab' is set, the system keytab is used.

> # Renew the kerberos ticket
> winbind refresh tickets = yes

Mmmmhhhh... the manpage talks about 'pam_winbind' tickets, so it seems a 'user' part, not a system keytab one... anyway, in doubt, set.

> Check the spn/upn in the AD with the RSAT's ADUC, this is why I do.

Ok, added the nfs/ SPN:

    samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$

Clearly you can check it also with:

    root@vdcsv1:~# samba-tool spn list vdmpp1$
    vdmpp1$
    User CN=VDMPP1,OU=Computers,OU=Pasian,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName:
             HOST/VDMPP1
             HOST/vdmpp1.ad.fvg.lnf.it
             HOST/filepp.ad.fvg.lnf.it
             HOST/FILEPP
             HOST/cupspp.ad.fvg.lnf.it
             HOST/CUPSPP
             HOST/homepp.ad.fvg.lnf.it
             HOST/HOMEPP
             nfs/vdmpp1.ad.fvg.lnf.it
             nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
             nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it

Still I get:

    root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
    mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

On server and client now I get no logs at all, even if I've added '-vvv' to the GSS options and 'Verbosity = 5' to idmap.

> Your nfs stalled, then it gets masked to prevent other errors.
> systemctl unmask nfs-common
> systemctl enable nfs-common
> If you keep hitting problems with the nfs server/client

I've tried on the client. Purged 'nfs-common', reinstalled, restored the configuration in /etc/default/nfs-common and /etc/idmapd.conf, but:

    root@vdmpp2:~# systemctl unmask nfs-common
    root@vdmpp2:~# systemctl start nfs-common
    Failed to start nfs-common.service: Unit nfs-common.service is masked.

There's no /usr/sbin/rpc.gssd running, only idmap.
Mount fails:

    root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
    mount.nfs4: an incorrect mount option was specified

I've tried to run it by hand with '-vvv' and I got:

    Oct 25 11:52:57 vdmpp2 rpc.gssd[13790]: doing a full rescan
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt28)
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: krb5_use_machine_creds: uid 0 tgtname (null)
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Success getting keytab entry for 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: gssd_get_single_krb5_cred: principal 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT' ccache:'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating tcp client for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: DEBUG: port already set to 2049
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating context with server nfs@vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Success getting keytab entry for 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating tcp client for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: DEBUG: port already set to 2049
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating context with server nfs@vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: ERROR: Failed to create machine krb5 context with any credentials cache for server vdmpp1.ad.fvg.lnf.it
    Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: doing error downcall

I've tried only on the client. Thanks.

--
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
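The two checks the thread keeps coming back to are the spelling of the nfs/ SPN in AD (Louis's correct/incorrect list in the first mail) and whether the local keytab actually holds the principals rpc.gssd looks for (the "No key table entry found" lines above). The checker below is an added example, not code from the thread or from Samba; the samba-tool listing is the one Marco posted, the `klist -ke` listing is constructed to mirror his rpc.gssd log, and the extra "no AES key" finding goes beyond what the thread itself checks.

```python
"""Audit nfs/ SPNs from `samba-tool spn list` and principals from `klist -ke`.
Helper names are this example's own; inputs are embedded so it runs offline."""
import re
from typing import Dict, List, Set

# Output of `samba-tool spn list vdmpp1$` as quoted in the thread (trimmed).
SPN_LIST = """\
vdmpp1$
User CN=VDMPP1,OU=Computers,OU=Pasian,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName:
         HOST/VDMPP1
         HOST/vdmpp1.ad.fvg.lnf.it
         HOST/filepp.ad.fvg.lnf.it
         HOST/FILEPP
         nfs/vdmpp1.ad.fvg.lnf.it
         nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
         nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
"""

# Constructed `klist -ke` listing for the client vdmpp2: it has the nfs/ key
# but no machine-account key, which is what "No key table entry found for
# vdmpp2$@AD.FVG.LNF.IT ... Success getting keytab entry for nfs/..." implies.
KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 host/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
"""


def classify_spn(spn: str) -> str:
    """Apply the thread's rules: lowercase 'nfs', one '/', FQDN, no realm."""
    service, _, rest = spn.partition("/")
    if service.lower() != "nfs":
        return "not-nfs"
    if "@" in spn:
        return "realm-in-spn"        # nfs/host.domain.tld@REALM.TLD
    if service != "nfs":
        return "uppercase-service"   # NFS/host.domain.tld
    if not rest:
        return "missing-hostname"
    if "/" in rest:
        return "extra-component"     # nfs/host.domain.tld/host
    if "." not in rest:
        return "short-hostname"      # nfs/HOSTNAME, what `net ads keytab add nfs` creates
    return "ok"


def parse_spn_list(text: str) -> List[str]:
    """Collect the SPN values printed after the servicePrincipalName: header."""
    spns, in_list = [], False
    for line in text.splitlines():
        if line.rstrip().endswith("servicePrincipalName:"):
            in_list = True
            continue
        if in_list and line.strip():
            spns.append(line.strip())
    return spns


def audit_spns(text: str, fqdn: str) -> Dict[str, object]:
    """Is nfs/<fqdn> registered, and which nfs/ SPNs violate the rules?"""
    problems = []
    registered = False
    for spn in parse_spn_list(text):
        status = classify_spn(spn)
        if status == "not-nfs":
            continue
        if status == "ok" and spn == f"nfs/{fqdn}":
            registered = True
        elif status != "ok":
            problems.append(f"{spn}: {status}")
    return {"registered": registered, "problems": problems}


KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_ke(text: str) -> Dict[str, Set[str]]:
    """Map principal -> set of enctypes from `klist -ke` output."""
    entries: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(m.group(3))
    return entries


def audit_keytab(text: str, fqdn: str, realm: str) -> Dict[str, List[str]]:
    """Check the principals rpc.gssd tries, in the order Marco's log shows."""
    entries = parse_klist_ke(text)
    short = fqdn.split(".", 1)[0]
    missing = []
    # rpc.gssd tries host$@REALM and HOST$@REALM before falling back to nfs/.
    if not {f"{short}$@{realm}", f"{short.upper()}$@{realm}"} & set(entries):
        missing.append(f"{short.upper()}$@{realm}")
    if f"nfs/{fqdn}@{realm}" not in entries:
        missing.append(f"nfs/{fqdn}@{realm}")
    # Added check: principals that only carry RC4/DES keys cannot use the AES
    # enctypes the thread's krb5.conf prefers.
    no_aes = sorted(p for p, enc in entries.items()
                    if not any(e.startswith("aes") for e in enc))
    return {"missing": missing, "no_aes": no_aes}


if __name__ == "__main__":
    print(audit_spns(SPN_LIST, "vdmpp1.ad.fvg.lnf.it"))
    print(audit_keytab(KLIST_KE, "vdmpp2.ad.fvg.lnf.it", "AD.FVG.LNF.IT"))
```

Feed it real output with `samba-tool spn list 'host$'` on the DC and `klist -ke` on the member; an empty "missing" list plus a registered nfs/FQDN is the state Louis describes as working.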
L.P.H. van Belle
2018-Oct-25 13:20 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Hai Marco,

I left your original mail a bit intact and commented in between the lines.

> > The nfs-server needs to be able to delegate the servers with kerberos. (obligated for nfsv4 with kerberos mounts)
> > Start - ADUC, enable advanced features - go to CN=Computers
> > get the member server's properties, tab Delegation, enable "Trust this computer for delegation to any service (kerberos only)"
> > I have set this on both NFS server and NFS client, that's more because of the use of my servers.
>
> OK. Done. The same can be achieved with:
>
> samba-tool delegation for-any-service vdmpp1$ on

Great, saves me searching, I'll add that to my scripts. Thanks ;-)
I still need to do more with samba-tool and drop the Windows ADUC.

> > And obligated in smb.conf for this setup.
> > kerberos method = secrets and keytab
>
> OK.
>
> > dedicated keytab file = /etc/krb5.keytab
>
> Seems not needed. The smb.conf manpage says explicitly that this is needed
> only if 'kerberos method = dedicated keytab'; if 'kerberos
> method = secrets and keytab' is set, the system keytab is used.

Yes, that's exactly what I want here, I want to see this in the configs.
Even if it's the default, it makes the readability of smb.conf better.
And this is why you don't see this in the DCs' smb.conf. For the DCs it's:

    /var/lib/samba/private/dns.keytab
    /var/lib/samba/private/secrets.keytab

> > # Renew the kerberos ticket
> > winbind refresh tickets = yes
>
> Mmmmhhhh... the manpage talks about 'pam_winbind' tickets, so it seems a
> 'user' part, not a system keytab one... anyway, in doubt, set.

No, this is needed. computer$ is a user.
If the computer$ changes its password, that is handled by winbind refresh tickets = yes.
This keeps your member working and in sync with the AD password for the computer.
Out of sync, your server loses AD access.

> > Check the spn/upn in the AD with the RSAT's ADUC, this is why I do.
>
> Ok, added the nfs/ SPN:
> samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$

On my own DC (samba 4.8.6), I'm adding the nfs/FQDN to hostname$:

    samba-tool spn add nfs/$(hostname -f) $(hostname -s)\$

And what is my result:

    samba-tool spn list $(hostname -s)\$ | grep nfs

Result:

    nfs/hostname.internal.domain.tld

> clearly you can check it also with:
>
> root@vdcsv1:~# samba-tool spn list vdmpp1$
> vdmpp1$
> User CN=VDMPP1,OU=Computers,OU=Pasian,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it has the following servicePrincipalName:
>          HOST/VDMPP1
>          HOST/vdmpp1.ad.fvg.lnf.it
>          HOST/filepp.ad.fvg.lnf.it
>          HOST/FILEPP
>          HOST/cupspp.ad.fvg.lnf.it
>          HOST/CUPSPP
>          HOST/homepp.ad.fvg.lnf.it
>          HOST/HOMEPP
>          nfs/vdmpp1.ad.fvg.lnf.it
>          nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
>          nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it

Hmm,

>          nfs/vdmpp1.ad.fvg.lnf.it                       << correct

And these are wrong:

>          nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
>          nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it

Remove these 2.

What is the output of:

    dig a vdmpp1.ad.fvg.lnf.it
    dig a vdmpp2.ad.fvg.lnf.it
    dig a filepp.ad.fvg.lnf.it
    ping -c1 vdmpp1.ad.fvg.lnf.it
    ping -c1 vdmpp2.ad.fvg.lnf.it
    ping -c1 filepp.ad.fvg.lnf.it
    dig -x $(hostname -i)

> Still i get:
>
> root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
> mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

On the NFS server, post the output of:

    exportfs
    getfacl /home

> on server and client now i got no logs at all, even if i've added
> '-vvv' to GSS options and 'Verbosity = 5' to idmap.

The -vvv on nfs-common or nfs-kernel-server shows what happened with the connections, while connecting.
The idmap Verbosity, if your mount was successful, shows the idmapping logs.

By example from my server: an ls in /home/users (as user root):

    Oct 25 13:09:21 member3 nfsidmap[22443]: key: 0x2c4e3178 type: uid value: root@internal.example.tld timeout 600
    Oct 25 13:09:21 member3 nfsidmap[22443]: nfs4_name_to_uid: calling nsswitch->name_to_uid
    Oct 25 13:09:21 member3 nfsidmap[22443]: nss_getpwnam: name 'root@internal.example.tld' domain 'internal.example.tld': resulting localname 'root'
    Oct 25 13:09:21 member3 nfsidmap[22443]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
    Oct 25 13:09:21 member3 nfsidmap[22443]: nfs4_name_to_uid: final return value is 0
    Oct 25 13:09:21 member3 nfsidmap[22444]: key: 0x324af16a type: gid value: root@internal.example.tld timeout 600
    Oct 25 13:09:21 member3 nfsidmap[22444]: nfs4_name_to_gid: calling nsswitch->name_to_gid
    Oct 25 13:09:21 member3 nfsidmap[22444]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
    Oct 25 13:09:21 member3 nfsidmap[22444]: nfs4_name_to_gid: final return value is 0

And my (username) logging in with ssh with a kerberized automounted homedir:

    Oct 25 13:12:47 member3 systemd[1]: Started Session 30 of user username.
    Oct 25 13:12:48 member3 nfsidmap[22518]: key: 0x2a737fa8 type: user value: 10002 timeout 600
    Oct 25 13:12:48 member3 nfsidmap[22518]: nfs4_uid_to_name: calling nsswitch->uid_to_name
    Oct 25 13:12:48 member3 nfsidmap[22518]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
    Oct 25 13:12:48 member3 nfsidmap[22518]: nfs4_uid_to_name: final return value is 0
    Oct 25 13:12:48 member3 nfsidmap[22518]: nfs4_uid_to_name: final return value is 0
    Oct 25 13:12:48 member3 nfsidmap[22519]: key: 0xae3b2ad type: group value: 10000 timeout 600
    Oct 25 13:12:48 member3 nfsidmap[22519]: nfs4_gid_to_name: calling nsswitch->gid_to_name
    Oct 25 13:12:48 member3 nfsidmap[22519]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
    Oct 25 13:12:48 member3 nfsidmap[22519]: nfs4_gid_to_name: final return value is 0

    id username
    uid=10002(username) gid=10000(domain users) groups=10000(domain users) (and more)..

!
returned 0 is good !
nsswitch->uid_to_name returned 0, nsswitch was able to resolve my name from the uid.

> > Your nfs stalled, then it gets masked to prevent other errors.
> > systemctl unmask nfs-common
> > systemctl enable nfs-common
> > If you keep hitting problems with the nfs server/client
>
> I've tried on client. Purged 'nfs-common', reinstalled, restored the
> configuration on /etc/default/nfs-common and /etc/idmapd.conf, but:
>
> root@vdmpp2:~# systemctl unmask nfs-common
> root@vdmpp2:~# systemctl start nfs-common
> Failed to start nfs-common.service: Unit nfs-common.service is masked.
>
> there's no /usr/sbin/rpc.gssd running, only idmap. Mount fails:
>
> root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
> mount.nfs4: an incorrect mount option was specified

And if you test with:

    mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home

Or:

    mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home

Does that work, or does one of these work? If sys works then it's not firewalling.
I can tell more about this after the asked outputs.. The command exportfs (on the nfs server) should tell me more.

> i've tried to run by hand with '-vvv' and i got:
>
> Oct 25 11:52:57 vdmpp2 rpc.gssd[13790]: doing a full rescan
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt28)
                                                                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^

These are types for NFS Kerberos only and do not cover CIFS Kerberos support. And vice versa.
Have you set the encryption types I suggested in /etc/krb5.conf?
The one I posted supports CIFS and NFS both.

> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: krb5_use_machine_creds: uid 0 tgtname (null)
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

? No key table entry?? Hmm..

Check this with:

    klist -ke | grep "vdmpp2\\$"

My server's output to compare with:

    2 HOSTNAME1$@MY_REALM (des-cbc-crc)
    2 HOSTNAME1$@MY_REALM (des-cbc-md5)
    2 HOSTNAME1$@MY_REALM (arcfour-hmac)
    2 HOSTNAME1$@MY_REALM (aes128-cts-hmac-sha1-96)
    2 HOSTNAME1$@MY_REALM (aes256-cts-hmac-sha1-96)

Just to be sure it's there.

> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Success getting keytab entry for 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'

Ok, post the output of vdmpp2.
From the DC:

    samba-tool spn list vdmpp2$

Looks like the local keytab is having problems.

Run on vdmpp2:

    klist -ke
    kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
    klist | grep "Default principal"

That should show:

    Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT

And run:

    kdestroy

> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: gssd_get_single_krb5_cred: principal 'nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT' ccache:'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT' are good until 1540497198
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating tcp client for server vdmpp1.ad.fvg.lnf.it
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: DEBUG: port already set to 2049
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: creating context with server nfs@vdmpp1.ad.fvg.lnf.it
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@vdmpp1.ad.fvg.lnf.it
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_AD.FVG.LNF.IT for server vdmpp1.ad.fvg.lnf.it
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server vdmpp1.ad.fvg.lnf.it
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp1.ad.fvg.lnf.it' is 'vdmpp1.ad.fvg.lnf.it'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: Full hostname for 'vdmpp2.ad.fvg.lnf.it' is 'vdmpp2.ad.fvg.lnf.it'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for vdmpp2$@AD.FVG.LNF.IT while getting keytab entry for 'vdmpp2$@AD.FVG.LNF.IT'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for VDMPP2$@AD.FVG.LNF.IT while getting keytab entry for 'VDMPP2$@AD.FVG.LNF.IT'
> Oct 25 11:53:18 vdmpp2 rpc.gssd[13790]: No key table entry found for root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT while getting keytab entry for 'root/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT'

Side note here.
If you dont use the idmap.conf to map the computername to root. You can set the root/spn also, root is used by the client to mount from a users request. I used the computer$ to root mapping in idmap.conf for this. See how far you get, and let me know. At least you questions, helped me also to locate one of my last nfs problems. Which was in the end also a simple, missing SPN in the AD, but existed localy. It was there some time, and only one user noticed it (me), so very very low prio. But fixed now. :-)) so thank you for fresshing up my memory. :-) Take this slow, make sure you have tested every step before you go to the next. Greetz, Louis
Marco Gaiarin
2018-Oct-26 09:23 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Hello! L.P.H. van Belle via samba, on that day, was saying...

> > root@vdcsv1:~# samba-tool spn list vdmpp1$
> Hmm,
> > nfs/vdmpp1.ad.fvg.lnf.it << correct
> And these are wrong.
> > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
> > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
> Remove these 2.

Removed, both on server and client. But, really, I've only done:

	samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$

strange.

> What is the output of:
> dig -x $(hostname -i)

Still I'm using the old domain DNS for (back)resolving, so reverse points to the old address (vdmpp2.pp.lnf.it).
Clearly, I've added the relevant record in /etc/hosts, and added to svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' that, as far as I've understood, fixes that.

> exportfs
> getfacl /home

root@vdmpp1:~# exportfs
/home 10.27.0.0/21
root@vdmpp1:~# getfacl /home
getfacl: Removing leading '/' from absolute path names
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

> And if you test with
> mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
> Or
> mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home
> Does that work or one of these work? If sys works then its not firewalling.

No, neither works, same error.

> Have you set the encryption types i suggested in /etc/krb5.conf ?
> The one i posted support CIFS and NFS both.

I have on both server and client:

; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

> ? No key table table entry?? Hmm..
> Check this with : klist -ke | grep "vdmpp2\\$"

Returns empty.

> Looks like the local keytab is having problems.
> Run on vdmpp2 :
> klist -ke
> kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
> klist | grep "Default principal"
> That should show :
> Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT

root@vdmpp2:~# klist -ke | grep "vdmpp2\\$"
root@vdmpp2:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (des-cbc-crc)
   2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (des-cbc-md5)
   2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/MEDIAPP.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (arcfour-hmac)
root@vdmpp2:~# kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
root@vdmpp2:~# klist | grep "Default principal"
Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT
root@vdmpp2:~# kdestroy
root@vdmpp2:~# mount -t nfs4 -o sec=krb5 vdmpp1.ad.fvg.lnf.it:/home /home
mount.nfs4: access denied by server while mounting vdmpp1.ad.fvg.lnf.it:/home

> Take this slow, make sure you have tested every step before you go to the next.

Sorry, but still I think that most of my problem comes from the fact that I cannot restart idmap and gssd, because 'nfs-common' is masked.

Better to try to run them by hand? E.g., I kill them and restart them by hand, enabling debug?

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
L.P.H. van Belle
2018-Oct-26 10:24 UTC
[Samba] Again NFSv4 and Kerberos at the 'samba way'...
Hi Marco,

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 26 October 2018 11:23
> To: samba@lists.samba.org
> Subject: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
>
> Hello! L.P.H. van Belle via samba, on that day, was saying...
>
> > > root@vdcsv1:~# samba-tool spn list vdmpp1$
> > Hmm,
> > > nfs/vdmpp1.ad.fvg.lnf.it << correct
> > And these are wrong.
> > > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
> > > nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
> > Remove these 2.
>
> Removed, both on server and client. But, really, I've only done:
>
> 	samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$
>
> strange.

Yes, it is. What is the DC's samba version? Same as the members?

> > What is the output of:
> > dig -x $(hostname -i)
>
> Still I'm using the old domain DNS for (back)resolving, so reverse
> points to the old address (vdmpp2.pp.lnf.it).
> Clearly, I've added the relevant record in /etc/hosts, and added to
> svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' that, as far as I've
> understood, fixes that.

Fixed? Yes and no, this is (still) one of your problems.
All servers, in this case the DCs and vdmpp1 vdmpp2, need to know the correct hostnames and IPs.
And the members must have the resolving correctly to the DCs to be able to look up the SPNs.
If you can't set up the DNS correctly, then you need the hosts files on both server and client.
And on both servers add in /etc/krb5.conf in the libdefaults part:

rdns = no
# no PTR lookups are done now.

Reboot both servers to make sure these settings are correctly applied.
When that's done, recheck the resolving on both these servers.
hostname -f
hostname -s
hostname -i
These must be correct.

> > exportfs
> > getfacl /home
>
> root@vdmpp1:~# exportfs
> /home 10.27.0.0/21
> root@vdmpp1:~# getfacl /home
> getfacl: Removing leading '/' from absolute path names
> # file: home
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x

Ok, this part, check again after the reboot. I forgot the -v for the exportfs... (sorry)
exportfs -v
Set chmod 1777 /home on both servers (but leave this for the last), I suggest reading the complete mail first.
Test with sec=sys, and when that works we test with kerberos.
Then we might need to look at the rights of /home.

> > And if you test with
> > mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
> > Or
> > mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home
> > Does that work or one of these work? If sys works then its not firewalling.
>
> No, neither works, same error.

Expected when I see the above problem points.

> > Have you set the encryption types i suggested in /etc/krb5.conf ?
> > The one i posted support CIFS and NFS both.
>
> I have on both server and client:
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> > ? No key table table entry?? Hmm..
> > Check this with : klist -ke | grep "vdmpp2\\$"
>
> Returns empty.

This is a major error in your keytab file.
When you join as a domain member you should have these:

klist -k | egrep -i "host|$(hostname -s)\\$" | sort
   2 host/HOSTNAME@INTERNAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 host/HOSTNAME@INTERNAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 host/HOSTNAME@INTERNAL.DOMAIN.TLD (arcfour-hmac)
   2 host/HOSTNAME@INTERNAL.DOMAIN.TLD (des-cbc-crc)
   2 host/HOSTNAME@INTERNAL.DOMAIN.TLD (des-cbc-md5)
   2 host/hostname.internal.domain.tld@INTERNAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 host/hostname.internal.domain.tld@INTERNAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 host/hostname.internal.domain.tld@INTERNAL.DOMAIN.TLD (arcfour-hmac)
   2 host/hostname.internal.domain.tld@INTERNAL.DOMAIN.TLD (des-cbc-crc)
   2 host/hostname.internal.domain.tld@INTERNAL.DOMAIN.TLD (des-cbc-md5)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (arcfour-hmac)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (des-cbc-crc)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (des-cbc-md5)

And are these also in the AD? (you should only see 2 in the AD)
HOST/hostname.internal.domain.tld
HOST/HOSTNAME

The part below here:
NFS/vdmpp2. ...   < wrong
nfs/vdmpp2.....   < correct
Remove the one with NFS.

You want:
nfs/HOSTNAME$@INTERNAL.DOMAIN.TLD (per cipher)
nfs/HOSTNAME.internal.domain.tld@INTERNAL.DOMAIN.TLD

And remember, don't add the @REALM when adding this. If you see the @INTERNAL.DOMAIN.TLD part also in the AD, the result will be @INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD when resolved on the client.

> > Looks like the local keytab is having problems.
> > Run on vdmpp2 :
> > klist -ke
> > kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
> > klist | grep "Default principal"
> > That should show :
> > Default principal: nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT
>
> root@vdmpp2:~# klist -ke | grep "vdmpp2\\$"
> root@vdmpp2:~# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)   < wrong
>    2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
>    2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
>    2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
>    2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
>    2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
>    2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
>    2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
>    2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
>    2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (arcfour-hmac)
>    2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
>    2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-md5)
>    2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes128-cts-hmac-sha1-96)
>    2 nfs/vdmpp1.ad.fvg.lnf.it@AD.FVG.LNF.IT

If this server is not in production, then remove it from the AD, clear the DNS, check the AD objects and remove these.
Back up your old keytab (! Tip: never throw it away until you're 1000% sure), it bit me once too..
Remove the old keytab.
Remove nfs-* (apt-get remove --purge --auto-remove nfs-* libnfsidmap2)
Remove /var/lib/nfs
Install mlocate to create a db of your file system entries.
apt-get install mlocate && updatedb && locate nfs
Remove any leftovers in /etc/systemd/.
Clear your logs, reboot the server, check your logs, should be error free now.
And re-add the server to the samba domain.
Make sure you have the idmap config settings correct, you have these already.
Make sure you have the resolving set up ok, minimal a correct A in the DNS.

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Renew the kerberos ticket
winbind refresh tickets = yes

Make sure you have these in smb.conf.
And now re-add your server.
systemctl mask nmbd samba-ad-dc
systemctl stop nmbd samba-ad-dc
When you're at this point, reboot, then check the keytab file again; above shows what you need.
Then add the nfs/ SPN, then reinstall nfs-.. again.

If you use ktutil, use the write command to /etc/krb5.keytab-NEW.
Or you're adding to the existing keytab, but that also adds the part you already had. That's not what you want.
Stop samba, back up the old keytab and place the new one.

See how far you get, if needed, you know where to find me..

Use vers=4.1 for the mounts.

And on the nfs server you can also check this.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867067
mkdir /var/lib/nfs/nfsdcltrack
nfsdcltrack init
Check if the .sqlite is created: ls /var/lib/nfs/nfsdcltrack/*.sqlite
systemctl restart nfs-server

Greetz,

Louis
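An added example, not part of the thread or of the Samba project, that turns the keytab checks Louis asks for in this reply and in his previous one (the `klist -ke | grep 'vdmpp2\\$'` test, the `NFS/` versus `nfs/` case problem, the `nfs/host/extra` SPNs that had to be removed, the doubled `@REALM`, and the `nfs/FQDN` entry rpc.gssd looks up) into one POSIX sh/awk audit of `klist -ke` output. It assumes MIT `klist -ke` line format (Heimdal `klist -k` prints columns differently). The host names, realm and the two sample listings are constructed to resemble the thread; the "weak enctype" warning for single-DES keys is this script's own policy, not something Louis asked for.

```shell
#!/bin/sh
# keytab_audit.sh - added example (not from the thread): check a Samba domain
# member's /etc/krb5.keytab for the problems discussed above before trying
# sec=krb5. Assumes MIT `klist -ke` output on stdin.
#
# Live use on the NFS client or server:
#   klist -ke | sh keytab_audit.sh --live "$(hostname -s)" "$(hostname -f)"
#
# Everything below (host names, realm, sample listings) is constructed.

# audit_keytab SHORTNAME FQDN   (reads `klist -ke` output on stdin)
# Prints one "ERROR ..." / "WARN ..." line per finding, or an "OK ..." line.
audit_keytab() {
    awk -v short="$1" -v fqdn="$2" '
    # Entry lines look like:
    #    2 nfs/host.example.tld@EXAMPLE.TLD (aes256-cts-hmac-sha1-96)
    $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        princ = $2
        np = split(princ, p, "@")        # p[1] = name, p[2] = realm
        name = p[1]
        nc = split(name, c, "/")         # c[1] = service or MACHINE$, c[2] = host
        enc = $3; gsub(/[()]/, "", enc)
        seen[name] = 1
        if (np > 2)                      # name@REALM@REALM: SPN was added with the realm
            err["realm doubled: " princ]++
        if (tolower(c[1]) == "nfs" && c[1] != "nfs")
            err["wrong case, Kerberos names are case sensitive: " princ]++
        if (nc > 2)                      # nfs/host/extra: remove that SPN from the AD
            err["extra component in SPN: " name]++
        if (enc ~ /^des-/)               # single DES: this script treats it as weak
            warn["weak enctype " enc " present in keytab"]++
    }
    END {
        up = toupper(short) "$"
        if (!(up in seen))               err["missing machine key " up " (rejoin the domain)"]++
        if (!(("host/" fqdn) in seen))   err["missing host/" fqdn " (rejoin the domain)"]++
        if (!(("nfs/" fqdn) in seen))    err["missing nfs/" fqdn " (rpc.gssd needs it)"]++
        n = 0
        for (k in err)  { print "ERROR " k; n++ }
        for (k in warn) { print "WARN " k }
        if (n == 0) print "OK keytab has the entries sec=krb5 needs"
    }'
}

# Constructed sample resembling the broken listing in the thread.
SAMPLE_BROKEN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (des-cbc-crc)
   2 NFS/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it/VDMPP2@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)'

# Constructed sample of a correctly joined member with the nfs SPN added.
SAMPLE_GOOD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 VDMPP2$@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 host/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 host/VDMPP2@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)
   2 nfs/vdmpp2.ad.fvg.lnf.it@AD.FVG.LNF.IT (aes256-cts-hmac-sha1-96)'

# audit_sample broken|good  -> runs the audit on one of the constructed samples
audit_sample() {
    case "$1" in
        broken) printf '%s\n' "$SAMPLE_BROKEN" ;;
        good)   printf '%s\n' "$SAMPLE_GOOD" ;;
    esac | audit_keytab vdmpp2 vdmpp2.ad.fvg.lnf.it
}

if [ "${1-}" = "--live" ] && [ $# -eq 3 ]; then
    audit_keytab "$2" "$3"        # stdin is the real `klist -ke` output
else
    echo "== constructed broken sample =="; audit_sample broken
    echo "== constructed good sample ==";   audit_sample good
fi
```

Run it on both the NFS client and the NFS server; a clean result only covers the local keytab, the other half of what Louis asks for (`samba-tool spn list HOST$` on the DC showing exactly the matching SPNs) still has to be compared by hand.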
Bjoern Trimborn
2018-Nov-06 19:02 UTC
[Samba] samba-tool user create, python, exceptions.UnicodeDecodeError
short question
is it a known "bug?" that samba-tool doesn't like umlauts in the user option?

root@ad1:~/$ samba-tool user create max.mustermann cD4L7gSv --given-name=Max --surname=Mustermann, --userou="OU=Schüler,OU=Benutzer,OU=Marien Schule" --profile-path=%logonserver%\\dfs\\profiles_windows\\%username% --use-username-as-cn --must-change-at-next-login
---
ERROR(<type 'exceptions.UnicodeDecodeError'>): Failed to add user 'max.mustermann':  - 'ascii' codec can't decode byte 0xc3 in position 24: ordinal not in range(128)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 383, in run
    smartcard_required=smartcard_required)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 490, in newuser
    force_password_change_at_next_login_req)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 606, in setpassword
    """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
---
root@ad1:~$ samba-tool --version
4.9.1

after renaming the ou from "Schüler" to "Students" it works as expected.

Bjoern