Hi All, I've been struggling for weeks to get Samba winbind and a kerberized NFS mount running. We have a NetApp SAN exporting the NFS share with sec=krb5 and a Linux client (Ubuntu 10.04 Server) trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The Linux machine is joined to a Windows 2008 R2 domain, and user/group lookups, login via ssh etc. work fine.
I have read many articles about using winbind to acquire the Kerberos tickets on login. What I have done so far is join the Linux machine to our AD:

    net ads join -U Administrator

After this my krb5.keytab file is filled with the following:

    root@ubuntu100432:~# klist -kte
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
       2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)

Then I add the nfs principal:

    net ads keytab add nfs -U Administrator

This adds the princ to the keytab file:

       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
       2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)

I restart the portmap service (this restarts statd, idmapd and gssd):

    service portmap restart

Now when I try to mount the share I always get an access denied. Looking at /var/log/daemon.log reveals:

    handling krb5 upcall
    Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
    Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
    Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.c...@a.space.corp'
    Success getting keytab entry for 'nfs/ubuntu100432.a.space.c...@a.space.corp'
    WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.c...@a.space.corp' using keytab 'WRFILE:/etc/krb5.keytab'
    ERROR: No credentials found for connection to server ds-san-02.a.space.corp
    doing error downcall
    destroying client clnt13
    destroying client clnt12

I checked the host in AD with setspn -L and this lists the following:

    Registered ServicePrincipalNames for CN=ubuntu100432 ace,DC=corp:
        NFS/ubuntu100432.a.space.corp
        NFS/ubuntu100432
        HOST/ubuntu100432.a.space.corp
        HOST/UBUNTU100432

So there is no principal 'nfs/ubuntu100432.a.space.c...@a.space.corp'. Is there something special about Windows 2008 R2?

Regards,
Oliver
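A keytab-side check for the procedure in the post, added here as an example and not code from the post, Samba or nfs-utils: it parses klist -kte output (a constructed sample with example hostnames, not the poster's) and reports which principal forms are present and which entries still carry single-DES enctypes. The root/ and nfs/ forms are the ones the gssd log above shows being tried; looking for host/ and the SHORTNAME$ machine account as well is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on klist -kte output; hostnames and realm are examples, not the poster's.
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 02/13/12 09:34:59 host/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 02/13/12 09:34:59 host/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 02/13/12 09:34:59 CLIENT$@EXAMPLE.TEST (ArcFour with HMAC/md5)
   2 02/13/12 09:36:11 nfs/client.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 02/13/12 09:36:11 nfs/client.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
"""

# One keytab entry: KVNO, timestamp (date + time), principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")
# Single-DES enctypes (CRC-32 / RSA-MD5 checksum) that a client should not rely on.
WEAK_MARKERS = ("DES cbc", "RSA-MD5")


def parse_keytab_listing(text):
    """Map principal -> list of (kvno, enctype) from klist -kte output."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _stamp, principal, enctype = m.groups()
            entries[principal].append((int(kvno), enctype))
    return dict(entries)


def candidate_principals(fqdn, realm):
    """root/ and nfs/ as seen in the gssd log; host/ and the machine account
    (SHORTNAME$) are assumed extra forms an AD join usually writes."""
    short = fqdn.split(".")[0].upper()
    return [f"root/{fqdn}@{realm}", f"nfs/{fqdn}@{realm}",
            f"host/{fqdn}@{realm}", f"{short}$@{realm}"]


def check_keytab(entries, fqdn, realm):
    """Report present/missing candidate principals and entries with weak enctypes."""
    wanted = candidate_principals(fqdn, realm)
    found = [p for p in wanted if p in entries]
    missing = [p for p in wanted if p not in entries]
    weak = sorted(p for p, keys in entries.items()
                  if any(any(w in enc for w in WEAK_MARKERS) for _, enc in keys))
    return {"found": found, "missing": missing, "weak": weak}


if __name__ == "__main__":
    print(check_keytab(parse_keytab_listing(SAMPLE_KLIST), "client.example.test", "EXAMPLE.TEST"))
```

On a real host, feed it the output of klist -kte instead of the sample; a principal listed under "found" can still be rejected by the KDC, as the "Client not found in Kerberos database" line in the log shows, so this only rules out the keytab as the cause.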