Hi, while trying to use Samba4 as KDC for secure NFS (once again) I found something I suspect to be an error:
In order for NFS (with krb5) to work it requires an nfs/... principal, so I created one using samba-tool:

  samba-tool user add nfs-user
  samba-tool spn add nfs/atom.mydomain.org nfs-user
  samba-tool domain exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org

After setting up NFS, a secure mount fails (permission denied). While trying to debug this error, I had a look at the KDC debug output of samba, and all queries done while looking for the SPN are:

  # Samba 4 log (during mount attempt):
  Kerberos: AS-REQ nfs/[email protected] from ipv4:192.168.1.2:43938 for krbtgt/[email protected]
  expr: (&(objectClass=user)(userPrincipalName=nfs/[email protected]))
  expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
  Kerberos: UNKNOWN -- nfs/[email protected]: no such entry found in hdb

Obviously the created computer object (see below) does not match any of the above queries:

  # atom-nfs, Users, mydomain.org
  dn: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: atom-nfs
  instanceType: 4
  whenCreated: 20120720212952.0Z
  uSNCreated: 4039
  name: atom-nfs
  objectGUID:: ZBSl4FIfvUyd6pbg4Rpy0w==
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  primaryGroupID: 513
  objectSid:: AQUAAAAAAAUVAAAA7rfhoQA6M19vFKNmWgQAAA==
  logonCount: 0
  sAMAccountName: atom-nfs
  sAMAccountType: 805306368
  userPrincipalName: [email protected]
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=org
  pwdLastSet: 129872933920000000
  userAccountControl: 66048
  accountExpires: 0
  servicePrincipalName: nfs/atom.mydomain.org
  whenChanged: 20120720213725.0Z
  uSNChanged: 4043
  distinguishedName: CN=atom-nfs,CN=Users,DC=mydomain,DC=org

So the question is: Shouldn't there also be a query like

  expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))

to make SPNs usable? Or did I miss something else here?
Hope someone can help,
Marcel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
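An added example, not part of Marcel's message or of Samba's code: a small Python script that parses the LDIF entry quoted in the post (reduced to the attributes the lookups touch, with EXAMPLE.REALM standing in as a placeholder for the realm that is redacted on the page) and evaluates each LDAP filter from the KDC log against it, plus the servicePrincipalName filter the post asks about. The filter evaluator handles only the &, |, ! and equality forms of RFC 4515 (with * wildcards) and does not reproduce Samba's own HDB backend; it only shows which of those filters the posted entry can satisfy, which is a quick way to check a "no such entry found in hdb" message against an ldbsearch dump before digging into the KDC itself.

```python
"""Evaluate the KDC's LDAP lookups (as logged by Samba) against an LDIF entry.

Everything here is constructed for illustration: the entry is the one from the
post with only the attributes that matter, the realm is a placeholder, and the
filter engine supports just the subset of RFC 4515 the KDC log uses.
"""
import fnmatch

# Constructed sample: the posted object, trimmed. EXAMPLE.REALM is a placeholder.
SAMPLE_LDIF = """\
# atom-nfs, Users, mydomain.org
dn: CN=atom-nfs,CN=Users,DC=mydomain,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: atom-nfs
objectGUID:: ZBSl4FIfvUyd6pbg4Rpy0w==
sAMAccountName: atom-nfs
userPrincipalName: atom-nfs@EXAMPLE.REALM
servicePrincipalName: nfs/atom.mydomain.org
"""

# Constructed: the lookups from the KDC log (realm replaced by the placeholder)
# plus the servicePrincipalName lookup the post suggests.
KDC_LOOKUPS = {
    "userPrincipalName": "(&(objectClass=user)(userPrincipalName=nfs/atom.mydomain.org@EXAMPLE.REALM))",
    "samAccountName": "(&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))",
    "servicePrincipalName (suggested)": "(&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))",
}


def parse_ldif(text):
    """Return {attribute_lowercase: [values]} for a single LDIF entry.

    Base64 ('::') values such as objectGUID are skipped: they are binary and
    none of the lookups above compare against them.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            continue
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(text):
    """Parse (&...), (|...), (!...) and (attr=value) filters into a tree."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing text after filter: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("(") or len(s) < 2:
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if s[0] in "&|!":
        op, s = s[0], s[1:]
        children = []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), s[1:]
    # Simple equality item; assumes no escaped ')' inside the value.
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return ("=", attr.strip().lower(), value), s[end + 1:]


def matches(node, entry):
    """True if the entry satisfies the filter tree (attribute names and values
    compared case-insensitively, as AD/Samba do for these attributes)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    return any(fnmatch.fnmatchcase(v.lower(), wanted.lower()) for v in entry.get(attr, []))


def check_lookups(ldif_text, lookups=KDC_LOOKUPS):
    """Map each named lookup to whether the entry would be returned for it."""
    entry = parse_ldif(ldif_text)
    return {name: matches(parse_filter(flt), entry) for name, flt in lookups.items()}


if __name__ == "__main__":
    for name, hit in check_lookups(SAMPLE_LDIF).items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

Run against the sample, the two filters actually logged by the KDC report no match and only the servicePrincipalName filter matches, which is exactly the situation the log's "no such entry found in hdb" line describes. To check a real directory, replace SAMPLE_LDIF with the output of an ldbsearch for the account in question.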
