
Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients




Thanks Luc,

First, can I just use the small /etc/krb5.conf suggested in Samba AD docs or do I need something more substantial on the server & client for Kerberos NFS to work?

[libdefaults]
        default_realm = SUBDOMAIN.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

I understand a /etc/krb5.keytab file has to be created on both server & client. Most of the existing docs show commands to do this using a real KDC, not Samba AD. If I try to use the kadmin tool, there's a message about the krb5.conf being incomplete. I am able to use klist and ktutil.

How do I generate the keytab file with the correct credentials?

nfs/server@xxxxxxxxxxxxxxxxxxxx

nfs/client@xxxxxxxxxxxxxxxxxxxx

Are these created manually by adding some account in ADUC and then using "samba-tool domain exportkeytab" to export the krb5.keytab file?

https://wiki.samba.org/index.php/Generating_Keytabs

-Ken



On 02/04/2018 06:29 PM, Luc Lalonde wrote:
Hey Ken,

We’re using AD as a Kerberos server for NFSv4 in our Linux labs to automount the students home directories.

I can answer specific questions if you’ve got some.

Cheers, Luc.


Luc Lalonde, analyst
-----------------------------
Department of Computer Engineering:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde@xxxxxxxxxx
-----------------------------

On Feb 4, 2018, at 16:30, Ken McDonald via samba <samba@xxxxxxxxxxxxxxx> wrote:

Is it possible to use Samba AD for Kerberos KDC with NFSv4 servers and then have clients connect to them?

I have Ubuntu Server for the server and Linux Mint for clients. So far, I've got a lot set up according to these instructions:

https://help.ubuntu.com/community/NFSv4Howto

And seem to have adapted the keytab entries from using this Samba AD info:

https://wiki.samba.org/index.php/Generating_Keytabs

But I'm kind of stuck getting the actual mount to work on the client side. I'll admit to never using Kerberos with NFS before and my Samba AD knowledge is also fairly new (but I do have working Samba AD for Windows and Linux client logins, group, POSIX & Win ACLs). I can't seem to find good information or a howto on implementing NFSKerberos + SambaAD.

Before I post actual questions and logs, is this configuration even possible?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



