Public bug reported:
Hi,
Version info:
Using Ubuntu 14.04 LTS 'Trusty', and nfs-utils 1.2.8.
Symptoms:
Mounting kerberized NFS4 shares fails when the host is joined to an Active
Directory domain, but not with the conventional name. Non-kerberized mounts
succeed. Hosts joining the domain with the conventional name for their
principal and/or sAMAccountName can also mount.
My Analysis:
When a host joins an Active Directory domain, it is convention to use the upper
case non-fully-qualified domain name followed by a '$' as a principal name. But
Windows cannot handle names longer than 19 characters. So when using longer
hostnames, another string must be used, e.g. the IP number.
NFS looks only for <HOSTNAME>$, and fails if no principal by that name exists.
AD forbids authentication with host/<fqdn> or nfs/<fqdn>. The manpage of
'msktutil' states that setting the userPrincipalName to host/<fqdn> should fix
that. But in my case, it doesn't. And in many cases, it is impractical
(requiring elevated privileges on Windows).
Included is a patch of utils/gssd/krb5_util.c that enables the system
administrator to write a stanza in /etc/krb5.conf to override the name
of the principal NFS should look for when authenticating against AD:
[appdefaults]
nfs = {
ad_principal_name = 192.168.5.13$
}
I'm not sure whether to offer this patch here, to Debian, upstream, or all
three.
Also, it makes use of an otherwise rarely used corner of Kerberos: appdefaults.
Regards
Jurjen
** Affects: nfs-utils (Ubuntu)
Importance: Undecided
Status: New
** Patch added: "Make NFS look for configurable AD principal"
https://bugs.launchpad.net/bugs/1353502/+attachment/4171128/+files/krb5_util.patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1353502
Title:
NFS4 mount fails with AD Kerberos and long hostnames
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1353502/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs