Hi list, hi Andrew, sorry for the long delay, but here's what I finally figured out:
Using secure NFSv4 requires rpc.gssd on the NFS client to handle the Kerberos stuff. When trying to mount an NFSv4 filesystem (-t nfs4 -o sec=krb5), rpc.gssd definitely does an AS-REQ for one of the following principals:

  HOSTNAME$@REALM
  host/hostname@REALM
  nfs/hostname@REALM

(the first one only with new versions of rpc.gssd). The principal needs to be stored in the local (client) keytab in order to make the AS-REQ work. (The behavior can be emulated by doing a kinit -kt /etc/krb5.keytab HOSTNAME$@REALM.)

The trick is to create an extra AD object with a (unique) userPrincipalName attribute (named like one of the above), and export this principal key to the local client keytab. That's what AD/Samba4 is looking for during an AS-REQ.

By now NFS is the only service I've tried to integrate that acts like this.

Bye,
   Marcel

-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Sunday, 22 July 2012 13:54
To: Marcel Ritter
Cc: 'samba'
Subject: Re: [Samba] Samba4 unable to find SPN (Kerberos)

On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again) I found
> something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires an nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).
>
> While trying to debug this error, I had a look at the KDC debug output
> of samba, and all queries done while looking for the SPN are:
>
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/atom.mydomain....@mydomain.org from ipv4:192.168.1.2:43938 for krbtgt/mydomain....@mydomain.org
> expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/atom.mydomain....@mydomain.org: no such entry found in hdb
>
> So the question is: Shouldn't there also be a query like
> expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
>
> Or did I miss something else here?

An AS-REQ means that something is trying to kinit with the name nfs/atom.mydomain.org (ie, as a client). This shouldn't be needed, so work out what is doing that.

The line for a client (user) connecting to an NFS server will be more like:

Kerberos: TGS-REQ user@realm for nfs/atom.mydomain.org

I hope this helps you debug this further,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
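The diagnosis in this thread comes down to reading the Samba KDC log: an AS-REQ from a service-style name (nfs/host, host/host, HOST$) means some client-side process is doing a kinit with that name, and the two expr lines show that such a lookup only matches userPrincipalName or sAMAccountName, never an SPN. The following is an added example, written for this page and not part of the thread or of Samba: it parses log lines in the shape shown above, flags that pattern, and emits the LDIF for the fix Marcel describes (giving the account a matching userPrincipalName). The sample log lines are constructed, with the obfuscated parts filled in with the realm MYDOMAIN.ORG used in the thread, and the CN=Users DN layout in the LDIF helper is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Heimdal-style KDC lines as they appear in the Samba 4 log in this thread.
# Sample lines are constructed for this example: realm and principal names
# follow the thread, the mailman-obfuscated parts are filled in.
SAMPLE_LOG = [
    "Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG",
    "expr: (&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@MYDOMAIN.ORG))",
    "expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))",
    "Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb",
    "Kerberos: TGS-REQ user@MYDOMAIN.ORG for nfs/atom.mydomain.org@MYDOMAIN.ORG",
]

# "from <source>" is optional so the shorter TGS-REQ form from the reply also parses.
AS_REQ_RE = re.compile(r"Kerberos: AS-REQ (?P<client>\S+)(?: from (?P<source>\S+))? for (?P<service>\S+)")
TGS_REQ_RE = re.compile(r"Kerberos: TGS-REQ (?P<client>\S+)(?: from (?P<source>\S+))? for (?P<service>\S+)")
UNKNOWN_RE = re.compile(r"Kerberos: UNKNOWN -- (?P<client>\S+): no such entry found in hdb")


@dataclass
class KdcEvent:
    kind: str                      # "AS-REQ", "TGS-REQ" or "UNKNOWN"
    client: str                    # requesting principal, or the principal the KDC failed to find
    service: Optional[str] = None  # requested service (krbtgt/... for an AS-REQ)
    source: Optional[str] = None   # "ipv4:addr:port" when the log line carries it


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one KDC log line; return None for lines we do not classify (e.g. expr: ...)."""
    for kind, rx in (("AS-REQ", AS_REQ_RE), ("TGS-REQ", TGS_REQ_RE), ("UNKNOWN", UNKNOWN_RE)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return KdcEvent(kind, d["client"], d.get("service"), d.get("source"))
    return None


def is_service_style(principal: str) -> bool:
    """nfs/host@REALM, host/host@REALM or HOST$@REALM name a service or machine, not a user."""
    name = principal.split("@", 1)[0]
    return "/" in name or name.endswith("$")


def analyse(lines):
    """Return one diagnosis string per notable event, in log order."""
    findings = []
    pending_as = set()  # service-style principals that did an AS-REQ and await an outcome
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        if ev.kind == "AS-REQ" and is_service_style(ev.client):
            pending_as.add(ev.client)
            findings.append(
                f"AS-REQ by {ev.client} from {ev.source or 'unknown source'}: a client-side "
                "process (rpc.gssd on an NFS client) is doing the equivalent of kinit -kt with "
                "this name; its key must be in the client keytab and the KDC must resolve the "
                "name as an account")
        elif ev.kind == "UNKNOWN" and ev.client in pending_as:
            pending_as.discard(ev.client)
            findings.append(
                f"{ev.client} not found in hdb: the AS-REQ lookup matched only "
                "userPrincipalName and sAMAccountName, so an SPN added with 'samba-tool spn add' "
                "is not consulted; the account needs a matching userPrincipalName")
        elif ev.kind == "TGS-REQ":
            findings.append(
                f"TGS-REQ {ev.client} for {ev.service}: the normal service-ticket path, "
                "nothing to fix here")
    return findings


def upn_fix_ldif(sam_account: str, principal: str,
                 users_base: str = "CN=Users,DC=mydomain,DC=org") -> str:
    """LDIF (for ldbmodify against sam.ldb) giving an existing account the userPrincipalName
    the AS-REQ looks for.  Assumption: the account lives under CN=Users of the domain."""
    return "\n".join([
        f"dn: CN={sam_account},{users_base}",
        "changetype: modify",
        "replace: userPrincipalName",
        f"userPrincipalName: {principal}",
        "",
    ])


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print("-", finding)
    print(upn_fix_ldif("nfs-user", "nfs/atom.mydomain.org@MYDOMAIN.ORG"))
```

After applying the LDIF, the key is exported and checked exactly as the thread describes: samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org@MYDOMAIN.ORG, then kinit -kt /etc/krb5.keytab with that principal on the client; if the kinit succeeds, the next mount attempt should no longer produce the UNKNOWN line.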