Hi, Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba AD 4.9.3 as a Kerberos source for nfs4. Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade unable to mount it. Suggest me is there any configure change in 4.9.3. Please look the following configuration. [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios namex2 realm= SAM.COM password server= 192.168.1.14, * idmap backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap config SAM : backend= rid idmap config SAM : range= 10000000-19999999 security= ADS name resolve order= wins host bcast lmhosts client use spnego= yes dns proxy= no winbind use default domain= no winbind nested groups= yes inherit acls= yes winbind enum users= yes winbind enum groups= yes winbind separator= \\ winbind cache time= 300 winbind offline logon= true template shell= /bin/sh kerberos method= secrets and keytab map to guest= Bad User host msdfs= yes strict allocate= no encrypt passwords= yes printcap name= lpstat printableno load printers= yes max smbd processes= 500 getwd cache= yes use sendfile= yes winbind sequence directory= /tmp/samba log level= 0 max log size= 50 unix extensions= no dos charset= ascii state directory/mnt/system/samba/system cache directory= /tmp/samba/ ntlm auth= Yes winbind expand groups= 1 idmap config * : backend= tdb idmap config * : range= 3000-7999 console output: *mount.nfs4: access denied by server while mounting* Thanks,
Hai, What is the debian your running Stretch? I'll guess Stretch. I can see i should work fine on stretch. About.> *mount.nfs4: access denied by server while mounting*Can you post the output of cat /etc/idmap.conf cat /etc/krb5.conf klist -ke|sort Which spn's are set and how did you set these. If you use automounting. You might want to try adding : [libdefaults] ignore_k5login = true But first more info. And test a mount with -vvv and show that output. Greetz, Louis
On Thu, 20 Dec 2018 20:08:52 +0530 VigneshDhanraj G via samba <samba at lists.samba.org> wrote:> Hi, > > Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba > AD 4.9.3 as a Kerberos source for nfs4. > Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade > unable to mount it. > Suggest me is there any configure change in 4.9.3. Please look the > following configuration. > > [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios > name= x2 realm= SAM.COM password server= 192.168.1.14, * idmap > backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap > config SAM : backend= rid idmap config SAM : range> 10000000-19999999 security= ADS name resolve order= wins host bcast > lmhosts client use spnego= yes dns proxy= no winbind use default > domain= no winbind nested groups= yes inherit acls= yes winbind enum > users= yes winbind enum groups= yes winbind separator= \\ winbind > cache time= 300 winbind offline logon= true template shell= /bin/sh > kerberos method= secrets and keytab map to guest= Bad User host > msdfs= yes strict allocate= no encrypt passwords= yes printcap name> lpstat printable= no load printers= yes max smbd processes= 500 getwd > cache= yes use sendfile= yes winbind sequence directory= /tmp/samba > log level= 0 max log size= 50 unix extensions= no dos charset= ascii > state directory= /mnt/system/samba/system cache > directory= /tmp/samba/ ntlm auth= Yes winbind expand groups= 1 idmap > config * : backend= tdb idmap config * : range= 3000-7999 > > console output: > > *mount.nfs4: access denied by server while mounting* > > Thanks,OK, after expanding your smb. conf ;-) Two things are apparent, you have: kerberos method= secrets and keytab But do not have the required: dedicated keytab file = /etc/krb5.keytab Does 'etc/krb5.keytab' exist ? You also have: * idmap backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap config * : backend= tdb idmap config * : range= 3000-7999 idmap config SAM : backend= rid idmap config SAM : range= 10000000-19999999 You shouldn't have the top three lines. You also have a lot of default lines and even some lines that do not exist. Rowland
Hi Team, After replacing the "net ads keytab add" with "net ads keytab add_update_ads" hfs4 with krb5 is working fine. However unable to connect as guest user from mac after upgrade to 4.9.3. Thanks On Thu, Dec 20, 2018 at 8:08 PM VigneshDhanraj G <vigneshdhanraj.g at gmail.com> wrote:> Hi, > > Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba AD > 4.9.3 as a Kerberos source for nfs4. > Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade > unable to mount it. > Suggest me is there any configure change in 4.9.3. Please look the > following configuration. > > [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios name> x2 realm= SAM.COM password server= 192.168.1.14, * idmap backend= tdb > idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap config SAM : > backend= rid idmap config SAM : range= 10000000-19999999 security= ADS > name resolve order= wins host bcast lmhosts client use spnego= yes dns > proxy= no winbind use default domain= no winbind nested groups= yes inherit > acls= yes winbind enum users= yes winbind enum groups= yes winbind > separator= \\ winbind cache time= 300 winbind offline logon= true template > shell= /bin/sh kerberos method= secrets and keytab map to guest= Bad User > host msdfs= yes strict allocate= no encrypt passwords= yes printcap name> lpstat printable= no load printers= yes max smbd processes= 500 getwd > cache= yes use sendfile= yes winbind sequence directory= /tmp/samba log > level= 0 max log size= 50 unix extensions= no dos charset= ascii state > directory= /mnt/system/samba/system cache directory= /tmp/samba/ ntlm auth> Yes winbind expand groups= 1 idmap config * : backend= tdb idmap config * : > range= 3000-7999 > > console output: > > *mount.nfs4: access denied by server while mounting* > > Thanks, > >