On Sat, 2012-07-21 at 07:01 +0000, Marcel Ritter wrote:
> Hi,
>
> while trying to use Samba4 as KDC for secure NFS (once again)
> I found something I suspect to be an error:
>
> In order for NFS (with krb5) to work it requires a nfs/... principal,
> so I created one using samba-tool:
>
> samba-tool user add nfs-user
> samba-tool spn add nfs/atom.mydomain.org nfs-user
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/atom.mydomain.org
>
> After setting up NFS, a secure mount fails (permission denied).
>
> While trying to debug this error, I had a look at the KDC debug
> output of samba, and all queries done while looking for the
> SPN are:
>
> # Samba 4 log (during mount attempt):
> Kerberos: AS-REQ nfs/[email protected] from
> ipv4:192.168.1.2:43938 for krbtgt/[email protected]
> expr:
> (&(objectClass=user)(userPrincipalName=nfs/[email protected]))
> expr: (&(objectClass=user)(samAccountName=nfs/atom.mydomain.org))
> Kerberos: UNKNOWN -- nfs/[email protected]: no such entry found
> in hdb
>
> So the question is: Shouldn't there also be a query like
> expr: (&(objectClass=user)(servicePrincipalName=nfs/atom.mydomain.org))
> to make SPNs usable?
>
> Or did I miss something else here?

An AS-REQ means that something is trying to kinit with the name
nfs/atom.mydomain.org (ie, as a client).  This shouldn't be needed, so
work out what is doing that.

The line for a client (user) connecting to an NFS server will be more
like:

Kerberos: TGS-REQ user@realm for nfs/atom.mydomain.org

I hope this helps you debug this further,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
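The distinction Andrew draws (an AS-REQ naming a service principal as the client versus the expected TGS-REQ from a user for that service) can be checked mechanically in the Samba KDC log. The following triage script is an added example, not code from the thread or from Samba; the sample log lines are constructed from the ones quoted above, with MYDOMAIN.ORG standing in as a placeholder realm, and the line formats are assumed to match the "Kerberos: AS-REQ ... from ... for ..." and "Kerberos: TGS-REQ ... for ..." shapes shown in the mail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Samba 4 KDC debug output (realm MYDOMAIN.ORG is a placeholder).
SAMPLE_LOG = """\
Kerberos: AS-REQ nfs/atom.mydomain.org@MYDOMAIN.ORG from ipv4:192.168.1.2:43938 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
Kerberos: UNKNOWN -- nfs/atom.mydomain.org@MYDOMAIN.ORG: no such entry found in hdb
Kerberos: AS-REQ alice@MYDOMAIN.ORG from ipv4:192.168.1.2:43940 for krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
Kerberos: TGS-REQ alice@MYDOMAIN.ORG from ipv4:192.168.1.2:43941 for nfs/atom.mydomain.org@MYDOMAIN.ORG
"""

# Assumed line shapes, modelled on the lines quoted in the thread; "from <addr>" is optional for TGS-REQ.
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
TGS_REQ = re.compile(r"Kerberos: TGS-REQ (\S+)(?: from (\S+))? for (\S+)")
UNKNOWN = re.compile(r"Kerberos: UNKNOWN -- (\S+): no such entry found in hdb")


def is_service_principal(principal: str) -> bool:
    # A service principal has the form service/host@REALM: a '/' in the name part.
    return "/" in principal.split("@", 1)[0]


@dataclass
class Finding:
    kind: str        # as-req | as-req-by-service-principal | tgs-req | hdb-lookup-failed
    principal: str   # the principal the finding is about
    detail: str


def triage_line(line: str) -> Optional[Finding]:
    m = AS_REQ.search(line)
    if m:
        client, addr, _krbtgt = m.groups()
        if is_service_principal(client):
            # Something at addr is doing the equivalent of kinit as the service itself;
            # an NFS mount should instead show up as a TGS-REQ by the user for that service.
            return Finding("as-req-by-service-principal", client,
                           f"{addr} requests a TGT as {client}; find out what is doing that")
        return Finding("as-req", client, f"user TGT request from {addr}")
    m = TGS_REQ.search(line)
    if m:
        client, _addr, service = m.groups()
        return Finding("tgs-req", service, f"{client} requests a service ticket for {service}")
    m = UNKNOWN.search(line)
    if m:
        return Finding("hdb-lookup-failed", m.group(1), "KDC found no account for this name")
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]
```

Running triage(SAMPLE_LOG) flags the first line as an AS-REQ by a service principal and the last one as the normal user-for-service TGS-REQ, which is the pattern to expect from a working secure mount.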
