Hi,
I have a problem mounting an NFS4 filesystem with Kerberos security (I can mount
without Kerberos security).

Both test machines run Ubuntu saucy.
I have the nfs4 server, which is joined to AD with 'msktutil':
Server's /etc/krb5.keytab:

klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 [email protected] (arcfour-hmac)
   3 [email protected] (aes128-cts-hmac-sha1-96)
   3 [email protected] (aes256-cts-hmac-sha1-96)
   3 host/[email protected] (arcfour-hmac)
   3 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 nfs/[email protected] (arcfour-hmac)
   3 nfs/[email protected] (aes128-cts-hmac-sha1-96)
   3 nfs/[email protected] (aes256-cts-hmac-sha1-96)

Then I joined the client machine to AD with the 'realm' command:


alongina@client:~$ sudo realm join --verbose -U USER --computer-ou OU="Linux 
computers",OU=ADResources  domain.org
[sudo] password for alongina:
 * Resolving: _ldap._tcp.domain.org
* Performing LDAP DSE lookup on: 10.144.5.17
* Performing LDAP DSE lookup on: 10.144.5.18
* Successfully discovered: domain.org
Password for USER:
 * Unconditionally checking packages
* Resolving required packages
* Installing necessary packages: samba-common-bin
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX 
-U USER ads join domain.org createcomputer=ADResources/Linux computers
Enter USER's password:
DNS update failed!
Using short domain name - AAA-BBB
Joined 'CLIENT' to dns domain 'domain.org'
No DNS domain configured for client. Unable to perform DNS Update.
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX 
-U USER ads keytab create
Enter USER's password:
* /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
* /usr/sbin/service sssd restart
sssd stop/waiting
sssd start/running, process 3597
* Successfully enrolled machine in realm

==============0000000=========
klist -ke

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/[email protected] (des-cbc-crc)
   4 host/[email protected] (des-cbc-md5)
   4 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 host/[email protected] (arcfour-hmac)
   4 host/[email protected] (des-cbc-crc)
   4 host/[email protected] (des-cbc-md5)
   4 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 host/[email protected] (arcfour-hmac)
   4 [email protected] (des-cbc-crc)
   4 [email protected] (des-cbc-md5)
   4 [email protected] (aes128-cts-hmac-sha1-96)
   4 [email protected] (aes256-cts-hmac-sha1-96)
   4 [email protected] (arcfour-hmac)


=================================================================

root@client:/export/alongina# mount -t nfs4 server.domain.org:/nfs4/server 
/mnt/server -o sec=krb5
mount.nfs4: access denied by server while mounting 
server.domain.org:/nfs4/server

client:
/var/log/syslog

Feb 11 16:00:39 client rpc.gssd[708]: handling gssd upcall 
(/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 
enctypes=18,17,16,23,3,1,2 '
Feb 11 16:00:39 client rpc.gssd[708]: handling krb5 upcall 
(/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: process_krb5_upcall: service is '<null>'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'server.domain.org' is 
'server.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'client.domain.org' is 
'client.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for 
[email protected] while getting keytab entry for 
'[email protected]'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for 
root/[email protected] while getting keytab entry for 
'root/[email protected]'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for 
nfs/[email protected] while getting keytab entry for 
'nfs/[email protected]'
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 
'host/[email protected]'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos 
database while getting initial ticket for principal 
'host/[email protected]' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for 
connection to server server.domain.org
Feb 11 16:00:39 client rpc.gssd[708]: doing error downcall
Is it a mismatch of encryption types?
A problem with DNS?
The client machine is missing a reverse address in DNS...
host client.domain.org
client.domain.org has address 10.80.8.54
--------------------
host 10.80.8.54
Host 54.8.80.10.in-addr.arpa. not found: 3(NXDOMAIN)
Best
longina
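A small diagnostic I am adding here (my own, not code from the thread) that replays the keytab search rpc.gssd logs above, in the same principal order, and then tests the chosen principal against the KDC with kinit, which is the step that fails above with "Client not found in Kerberos database". The embedded klist listing is constructed, and the realm DOMAIN.ORG and the client names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce rpc.gssd's machine-credential
# lookup and test the result against the KDC the way gssd does (kinit from the
# keytab). The klist sample below is constructed; live checks are skipped when
# kinit is not installed.

# Principals rpc.gssd tried in the syslog, in order:
#   <host>@REALM, root/<host>@REALM, nfs/<host>@REALM, host/<host>@REALM
gssd_candidates() {
    printf '%s\n' "$1@$2" "root/$1@$2" "nfs/$1@$2" "host/$1@$2"
}

# Read 'klist -ke' output on stdin; print the first candidate present in it.
# Exit 1 when none is present (gssd then reports "No credentials found").
first_keytab_match() {
    listing=$(cat)
    for p in $(gssd_candidates "$1" "$2"); do
        # Rows look like: "   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)"
        if printf '%s\n' "$listing" | awk -v p="$p" '$2 == p { f=1 } END { exit !f }'; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Ask the KDC for a TGT with the keytab key; this is where the log above fails
# with "Client not found in Kerberos database". Uses a throwaway credential cache.
kdc_accepts() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed; skipping" >&2; return 2; }
    cc=$(mktemp) || return 2
    KRB5CCNAME="FILE:$cc" kinit -kt "${2:-/etc/krb5.keytab}" "$1"
    rc=$?
    rm -f "$cc"
    return $rc
}

# Constructed 'klist -ke' listing resembling the client keytab in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/CLIENT@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)'

if [ "${1:-}" = "--live" ]; then
    # Real run: ./gssdcheck.sh --live REALM   (reads the system keytab)
    p=$(klist -ke | first_keytab_match "$(hostname -f)" "$2") && kdc_accepts "$p"
fi
```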



From: [email protected] 
[mailto:[email protected]] On Behalf Of Ondrej Valousek
Sent: 30 January 2014 14:38
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount

That was me.
Yes, autofs works with sssd having AD backend (and using RFC2307 schema).
No blushing.
________________________________
From: [email protected] [[email protected]] on behalf of Chris Gray 
[[email protected]]
Sent: Thursday, January 30, 2014 11:28 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount
This person was able to set up autofs with sssd and samba as their AD server.

https://www.mail-archive.com/[email protected]/msg00810.html

I haven't tried this, but in theory if you make the right settings in MS AD and 
in the config files for autofs and sssd, it should work pretty much the same.

Since you have to specify where the OU for the automount base is in the autofs 
config files, you don't actually need to make the automount OU at the base 
level, but it's up to you and your AD structure where you want to put it. 
Then as long as you have krb5, ldap, and everything set right, it should work 
for

Chris


On Wed, Jan 29, 2014 at 4:06 AM, Longina Przybyszewska 
<[email protected]> wrote:
The use case is: we are working towards a policy of accessing any resource from any platform.
All users automatically get a Windows share.
Additionally, Linux users have their primary homedir as an NFS-mounted share with 
automount/autofs + NIS.
Some enterprise services only have access to the Windows share.

Linux desktops running sssd with the AD provider should be able to access both 
shares.

Best
Longina


_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users