On 07/21/2012 09:01 AM, Marcel Ritter wrote:
Hi,
while trying to use Samba4 as KDC for secure NFS (once again)
I found something I suspect to be an error:
In order for NFS (with krb5) to work it requires an nfs/... principal,
so I created one using samba-tool:
samba-tool user add nfs-user
samba-tool spn add nfs/atom.mydomain.org nfs-user
samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
After setting up NFS, a secure mount fails (permission denied).
Hi Marcel
The client doesn't need an nfs principal, e.g. we just use the machine$
principal.
From man rpc.gssd(8):
<quote>
Previous versions of rpc.gssd used only "nfs/*" keys found within the
keytab. To be more consistent with other implementations, we now look
for specific keytab entries. The search order for keytabs to be used for
"machine credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
</quote>
There are lots of misunderstandings about nfs and Kerberos. We tried to
collect them:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
HTH,
Steve
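The search order Steve quotes, applied to a keytab listing, as an added example (not code from the thread or from rpc.gssd itself). It assumes the AD machine account is the uppercased short hostname plus "$", and parses constructed `klist -k` output.

```python
import re

# Search order for "machine credentials" as quoted from rpc.gssd(8) above.
# "{SHORT}$" is the AD computer account (uppercased short hostname; an assumption
# about how Samba4 names it) and "*" stands for <anyname>.
SEARCH_ORDER = (
    "{SHORT}$@{realm}",
    "root/{hostname}@{realm}",
    "nfs/{hostname}@{realm}",
    "host/{hostname}@{realm}",
    "root/*@{realm}",
    "nfs/*@{realm}",
    "host/*@{realm}",
)

# Constructed `klist -k /etc/krb5.keytab` output, not real output from the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/atom.mydomain.org@MYDOMAIN.ORG
   2 nfs/atom.mydomain.org@MYDOMAIN.ORG
   1 host/other.mydomain.org@MYDOMAIN.ORG
"""


def parse_klist(text):
    """Return the unique principal names listed by `klist -k` (one per enctype line)."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m and m.group(1) not in principals:
            principals.append(m.group(1))
    return principals


def select_machine_principal(principals, hostname, realm):
    """Return (rank, principal) that rpc.gssd would pick first, or None if nothing matches."""
    short = hostname.split(".")[0].upper()
    for rank, pattern in enumerate(SEARCH_ORDER):
        wanted = pattern.format(SHORT=short, hostname=hostname, realm=realm)
        # Escape the literal parts, then turn the "<anyname>" wildcard into a regex.
        regex = re.escape(wanted).replace(r"\*", r"[^/@]+")
        for p in principals:
            if re.fullmatch(regex, p):
                return rank, p
    return None
```

Running it against the constructed keytab shows that Marcel's nfs/atom.mydomain.org entry is found at rank 2, but a machine account entry (ATOM$@REALM) would be preferred when present.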