Displaying 6 results from an estimated 6 matches for "no_auth_data_required".
2013 Jun 20
2
Samba4 and NFSv4
Is it possible that Samba4 includes a large PAC on the kerberos credential and you're going over the limit in kernel? Against AD you have to disable this PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups
2016 Dec 02
6
Samba and kerberized NFSv4
> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your client's ldap entry and reexport the keytab?
I already thought about trying that. So by now, I tried tweaking the client's LDAP entry.
Adding
userPrincipalName=CLIENT02.DOMAIN.TLD
does not succeed, however, after reviewing the ldap filter once again, I added
userPrincipalName=nfs/client02.domain.tld at
2012 Feb 20
1
Privilege Attribute Certificate (PAC) Disabled/Samba authentication
...me time.
Specifically: The Linux kerberized NFS daemon (rpc.svcgssd) appears to only be
able to deal with service tickets up to a certain size. Active Directory adds a
PAC to service tickets which makes them much larger than they otherwise would
be. In order to work around this I've added 'NO_AUTH_DATA_REQUIRED' to the
UserAccountControl attribute on the machine account in AD (as per this
Microsoft KB article http://support.microsoft.com/kb/832572). This enables
kerberized NFS to work correctly but appears to break the Samba authentication.
Output from the samba logs initially looks promising
[2012/...
2016 Dec 02
0
Samba and kerberized NFSv4
...ile access.
In case you haven't found it yet: There's a nice tool
called msktutil, that will help when creating user/
servicePrincipalNames in Active Directory / Samba DC.
One other thing I found during my tries to get kerberized
NFSv4 working with my Samba DC: Some principals require
the NO_AUTH_DATA_REQUIRED flag to be set (--no-pac in msktutil),
otherwise tickets will not be accepted (not all of the
principals require this and I'm not sure whether it was the
client or the server who needed this...).
Motivated by your mail, I'm currently trying (once again) to
get NFSv4 working with Samba DC: b...
2016 Dec 02
3
Samba and kerberized NFSv4
On 2016-12-02 12:12, Rowland Penny via samba wrote:
> On Fri, 2 Dec 2016 11:05:50 +0100
> Matthias Kahle via samba <samba at lists.samba.org> wrote:
>
>> > Does it work if you manually add
>> > userPrincipalName=CLIENT02.DOMAIN.TLD to your client's ldap entry
>> > and reexport the keytab?
>>
>> I already thought about trying that. So by now,