
Kerberized NFS

oweinmann

Hi All,

I've been struggling for weeks to get samba winbind and a kerberized NFS mount running. We have a NetApp 3020c SAN exporting the NFS share with sec=krb5 and a Linux client (Ubuntu 10.04 Server) trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The Linux machine is joined to a Windows 2008 R2 domain, and user/group lookups, login via ssh, etc. work fine.

I have read many articles about using winbind to acquire the Kerberos tickets on login.

What I have done so far is join the linux machine to our AD:

net ads join -U Administrator

After this my krb5.keytab file is filled with the following:

root@ubuntu100432:~# klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 host/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)

Then I add the nfs principal:

net ads keytab add nfs -U Administrator

This adds the princ to the keytab file:

   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (DES cbc mode with RSA-MD5)
   2 02/13/12 09:36:11 nfs/ubuntu100432@A.SPACE.CORP (ArcFour with HMAC/md5)

I restart the portmap service (this restarts statd, idmapd and gssd):

service portmap restart 

Now when I try to mount the share I always get access denied.

Looking at /var/log/daemon.log reveals:

handling krb5 upcall
Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.corp@A.SPACE.CORP'
Success getting keytab entry for 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'
WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server ds-san-02.a.space.corp
doing error downcall
destroying client clnt13
destroying client clnt12

I checked the host in AD with setspn -L and this lists the following:

Registered ServicePrincipalNames for CN=ubuntu100432
ace,DC=corp:
    NFS/ubuntu100432.a.space.corp
    NFS/ubuntu100432
    HOST/ubuntu100432.a.space.corp
    HOST/UBUNTU100432

So there is no principal 'nfs/ubuntu100432.a.space.corp@A.SPACE.CORP'.

Is there something special about Windows 2008 R2?

Regards,

Oliver


3 REPLIES

oweinmann

Dear All,

I finally have it working. The holy grail.

I had to change my /etc/krb5.conf. I added/changed the following 3 lines:

default_tgs_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac

default_tkt_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96 arcfour-hmac

allow_weak_crypto = 1

I rejoined the machine to the domain:

net ads join createupn=nfs/ubuntu100432.a.space.corp -U Administrator

Then I created the nfs service principal (I'm not 100% sure if it is still needed, since rpc.gssd checks for the root and host principals):

net ads keytab add nfs -U Administrator

Finally, mount the NFS export:

mount -t nfs4 -o sec=krb5 ds-san-02:/vol/nfsv4test_krb5 /mnt/nfsv4test_krb5

I will write a complete howto soon.
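The fix above gets the mount working by enabling weak enctypes (allow_weak_crypto = 1 with des-cbc-crc and arcfour-hmac), so it is worth knowing which keys in the keytab actually depend on that. As an added example (not from Oliver's posts), this POSIX shell snippet parses a `klist -kte` listing modelled on the output earlier in the thread, counts DES/RC4 entries, checks that the nfs/<fqdn> principal has an AES key, and lists the distinct principals for comparison with `setspn -L`; the AES-256 entry in the sample is constructed.

```shell
#!/bin/sh
# Audit a `klist -kte` listing for weak enctypes and for the nfs/ service principal.
# KLIST_SAMPLE is constructed from the thread's output plus one hypothetical AES entry.
KLIST_SAMPLE='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (ArcFour with HMAC/md5)
   3 02/13/12 09:40:00 nfs/ubuntu100432.a.space.corp@A.SPACE.CORP (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Print keytab entries (lines that start with a KVNO) whose enctype is DES or RC4,
# i.e. the keys that only work while allow_weak_crypto = 1 is set.
weak_entries() {
  printf '%s\n' "$1" | awk '/^ *[0-9]+ / && /\((DES|ArcFour)/ { print }'
}

# Number of weak entries in the listing given as $1.
count_weak() {
  weak_entries "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if the keytab holds an AES key for nfs/<fqdn>@<REALM>.
# $1 = listing, $2 = client FQDN, $3 = realm.
has_aes_nfs_principal() {
  printf '%s\n' "$1" | grep -qF "nfs/$2@$3 (AES-"
}

# Distinct principals present in the keytab; compare against the SPNs shown by `setspn -L`.
principals() {
  printf '%s\n' "$1" | awk '/^ *[0-9]+ / { print $4 }' | sort -u
}

# Stand-alone usage: report on the embedded sample.
echo "weak (DES/RC4) keytab entries: $(count_weak "$KLIST_SAMPLE")"
principals "$KLIST_SAMPLE"
```

Run it against a live system with `count_weak "$(klist -kte)"`; any DES or ArcFour entries it reports are the ones that stop working once allow_weak_crypto is turned back off.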

ARAVINDHA_CHELLAPPA

Do you have a complete howto / reference available?

oweinmann

Hi,

I have written a complete howto for Ubuntu 12.04. You can find it on the Ubuntu forums:

http://ubuntuforums.org/showthread.php?t=1924660

Sorry for the late reply.
