List: samba
Subject: Re: [Samba] Samba and kerberized NFSv4
From: Marcel via samba <samba () lists ! samba ! org>
Date: 2016-11-28 10:55:23
Message-ID: b21e73b47a6485cbe18f0b57b6686d0a () linux-ng ! de
On 2016-11-28 07:14, Matthias Kahle via samba wrote:
> Hi Folks

Hi Matthias,

> I'm trying to share user home directories hosted on a Samba-4 member
> server via NFSv4. Everything's working well with the Windows shares but
> when it comes to kerberized NFSv4 it fails. I can't even mount the home
> root directory via nfs on the server itself ("mount.nfsv4: access denied
> by server while mounting ...").
>
> As far as I have tracked it down, it appears to me that the server is
> searching in its database for a userPrincipalName=nfs/server.dom.tld
> while I have added a servicePrincipalName=nfs/server.dom.tld with the
> samba-tool. Due to this neither the server is getting a TGT nor the
> client a TGS ...
>
> Am I doing anything wrong? Is that behaviour intentional?

Getting NFSv4 + Kerberos to work with an $"Active Directory" KDC
can be quite tricky.

To track down the problem, you should run rpc.gssd (on client) and
rpc.svcgssd (on server) with "-v -v -v". This might give you some
more hints where to look.

You can read about the servicePrincipalNames your NFS client uses
in the man page of rpc.gssd:

    <HOSTNAME>$@<REALM>
    root/<hostname>@<REALM>
    nfs/<hostname>@<REALM>
    host/<hostname>@<REALM>

You should also check the listing of your keytab - if you're using
the wrong syntax for your principalName, samba-tool will tell you
it added an entry to the keytab (which in fact it didn't).

    linux # ktutil
    > rkt /etc/krb5.keytab
    > list -e

> Version affected is samba 4.2.10 from the official debian 8
> repositories (on DCs and the member server).
>
> Kind regards,
> Matthias

Bye,
Marcel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
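
Added example, not part of the message above or of Samba/nfs-utils: a small shell check that takes a keytab listing and reports which of the four principals quoted from the rpc.gssd man page are really in it, which catches an entry that was reported as added but is not there. The function names, the sample listing and the reading of <HOSTNAME> as the upper-cased short host name are assumptions of this example.

```shell
#!/bin/sh
# Added example: which of the principals rpc.gssd looks for are in a keytab?

# Print the four candidates from the list in the message, in that order.
# Assumption: <HOSTNAME> is the upper-cased short host name (AD machine account).
candidates() {
    short=$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
    for svc in root nfs host; do
        printf '%s/%s@%s\n' "$svc" "$1" "$2"
    done
}

# Succeed if principal $1 is an entry in the `klist -k` style text in $2.
# The principal is the second field of an entry line; match it exactly.
in_keytab() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# For host $1 in realm $2, print "present" or "MISSING" for each candidate
# against the listing text in $3.
report() {
    for p in $(candidates "$1" "$2"); do
        if in_keytab "$p" "$3"; then echo "present $p"; else echo "MISSING $p"; fi
    done
}

# Constructed sample in the format of `klist -ke /etc/krb5.keytab` (MIT Kerberos):
# machine account and host/ keys exist, the nfs/ entry never made it in.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 SERVER$@DOM.TLD (aes256-cts-hmac-sha1-96)
   2 host/server.dom.tld@DOM.TLD (aes256-cts-hmac-sha1-96)
   2 host/SERVER@DOM.TLD (aes256-cts-hmac-sha1-96)
EOF
}

report server.dom.tld DOM.TLD "$(sample_listing)"
# On a real host: report "$(hostname -f)" DOM.TLD "$(klist -ke /etc/krb5.keytab)"
```
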