
[Samba] Samba AD + Kerberos + NFS "Client no longer in database"




I am so lost trying to get Samba AD 4.7.5 as a Kerberos source for NFSv4. The NFS server is the Samba AD server running Ubuntu Server 16.0.4.3 and the client is Linux Mint 18.3.

This export WORKS and mounts on the client:

########## /etc/exports ##########

/mnt/fileshare         *(rw,no_subtree_check,async)

############################

This export DOES NOT:

########## /etc/exports ##########

/mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)

############################

The error I get on the client side is:

########## console ##########

sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare /mnt/fileshare

mount.nfs4: timeout set for Sat Mar  3 20:27:51 2018
mount.nfs4: trying text-based options 'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting ubuntu-nfs:/mnt/fileshare

############################

On the server side, syslog is no help:

########## /var/log/syslog ##########

Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd 172.20.100.205'
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/' flags 0x12405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/mnt' flags 0x10405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client 0x16ec5b0 '*'

############################

On the server side, I increased the Samba logging level to log level = 4, and I get this error when the remote mount fails initially:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.282480,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:36129 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287154,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 149
[2018/03/03 20:18:57.287185,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287207,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287406,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.288906,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:39005 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.292893,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.292921,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.292937,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.293106,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.297323,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx] at [Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.297491,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.297385-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx", "remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.297615,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.297648,  4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.307065,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.307839,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.307878,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.310239,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:57552 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.314895,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.314932,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.314951,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.315138,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.315187,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx] at [Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.315435,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.315308-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx", "remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.315512,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.315622,  4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.322796,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.323216,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.323256,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.323763,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.323830,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

In addition, there is a series of these messages repeating after the initial connection, and any subsequent remount attempt just lists these messages:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.330456,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx [canonicalize, renewable]
[2018/03/03 20:18:57.334817,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.334883,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ret: -1765328378
[2018/03/03 20:18:57.334944,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
[2018/03/03 20:18:57.336124,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.336195,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

I believe the "Client no longer in database" message is the root error. I added code to the Samba sources to pull the exact message code, -1765328378, which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

I created the server and client keytab files using these kinds of commands:

sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com "UBUNTU-NFS\$"

sudo samba-tool domain exportkeytab --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab

and put the files in /etc/krb5.keytab. I can verify in ADUC that these SPNs do exist on the machine accounts for the server and client.

I'm so lost. I had this working on a prior test VM setup but started over to clean up my documentation. I've got no idea where to go next to make the NFSv4 mount work using Kerberos from Samba AD.
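Editor's note, added after the post above (this is not the poster's code and not part of Samba): the two log excerpts show the KDC completing the AS exchange for nfs/mint-nfs... (ENC-TS pre-authentication succeeded, a TGT was issued) and then rejecting the TGS-REQ from the same principal with "Client no longer in database" and ret: -1765328378. The small triage script below reproduces that reading mechanically. It splits Samba's "[timestamp, level] file(func)" records even when they have been run together onto one line, follows each client principal from AS-REQ through the TGS-REQ, and decodes the numeric "ret:" value: the krb5 libraries report protocol errors as ERROR_TABLE_BASE_krb5 (-1765328384) plus the RFC 4120 error number, so -1765328378 is error 6, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, matching what the poster found by patching the source. The sample records are constructed from the excerpts in the post; the realm SUBDOMAIN.DOMAIN.COM stands in for the masked one and is an assumption.

```python
"""Triage Samba AD KDC log records from a failing NFSv4 sec=krb5 mount.

Added example for this thread, not code from the post or from Samba.
"""
import re

# com_err base for the krb5 error table; protocol error N is BASE + N.
KRB5_ERROR_BASE = -1765328384
# RFC 4120 KDC/KRB error numbers, the subset relevant to getting tickets.
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KRB5KDC_ERR_POLICY",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
}


def krb5_error_name(ret):
    """Map a com_err value such as -1765328378 to its krb5 symbol."""
    code = ret - KRB5_ERROR_BASE
    return KRB5_ERRORS.get(code, f"krb5 error {code}")


# Samba record header, e.g. "[2018/03/03 20:18:57.330456,  3] ../x.c:80(func)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+\S+\)\s*")
REQUEST = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+@\S+) from (\S+) for (\S+)")


def split_records(text):
    """Return (timestamp, level, message) tuples.  Whitespace inside a
    message is collapsed so wrapped and run-together records compare equally."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[head.end():end].split())
        records.append((head.group(1), int(head.group(2)), message))
    return records


def triage(text):
    """Per client principal: did the AS exchange succeed, which service was
    asked for in the TGS-REQ, and what error did the KDC return."""
    clients = {}
    current = None
    for _ts, _level, msg in split_records(text):
        req = REQUEST.search(msg)
        if req:
            kind, client, _src, target = req.groups()
            current = clients.setdefault(client, {
                "as_req_ok": False, "tgs_target": None,
                "failure": None, "ret": None, "ret_name": None})
            if kind == "TGS-REQ":
                current["tgs_target"] = target
        elif current is None:
            continue  # message before any request; nothing to attach it to
        elif "Pre-authentication succeeded" in msg:
            current["as_req_ok"] = True
        elif "Client no longer in database" in msg:
            current["failure"] = "client principal not found during TGS-REQ"
        elif msg.startswith("Kerberos: ret:"):
            current["ret"] = int(msg.rsplit(":", 1)[1])
            current["ret_name"] = krb5_error_name(current["ret"])
    return clients


def summarize(text):
    """One human-readable line per client principal."""
    lines = []
    for client, info in triage(text).items():
        step = "AS exchange ok" if info["as_req_ok"] else "AS exchange did not complete"
        if info["failure"]:
            lines.append(f"{client}: {step}; TGS-REQ for {info['tgs_target']} "
                         f"failed: {info['failure']} ({info['ret_name']})")
        else:
            lines.append(f"{client}: {step}; no TGS failure recorded")
    return lines


# Constructed sample, shaped after the excerpts in the post (realm assumed).
KDC_SRC = "../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)"
CLIENT = "nfs/mint-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM"
SERVICE = "nfs/ubuntu-nfs.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM"
TGT = "krbtgt/SUBDOMAIN.DOMAIN.COM@SUBDOMAIN.DOMAIN.COM"


def rec(ts, msg, sep="   "):
    return f"[2018/03/03 {ts},  3] {KDC_SRC}{sep}{msg}"


SAMPLE = "".join([
    rec("20:18:57.288906", f"Kerberos: AS-REQ {CLIENT} from ipv4:172.20.100.205:39005 for {TGT} "),
    rec("20:18:57.292893", "Kerberos: Client sent patypes: encrypted-timestamp, 149\n", sep="\n  "),
    rec("20:18:57.293106", f"Kerberos: ENC-TS Pre-authentication succeeded -- {CLIENT} using aes256-cts-hmac-sha1-96 "),
    rec("20:18:57.330456", f"Kerberos: TGS-REQ {CLIENT} from ipv4:172.20.100.205:57554 for {SERVICE} [canonicalize, renewable]   "),
    rec("20:18:57.334817", f"Kerberos: Client no longer in database: {CLIENT}   "),
    rec("20:18:57.334883", "Kerberos: ret: -1765328378\n", sep="\n    "),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run against a real log.samba (read the file and pass its text to summarize), the output pins the failure to the TGS step for a principal that the KDC had just authenticated, which is a different problem from a wrong keytab password or clock skew (those surface as PREAUTH_FAILED or AP_ERR_SKEW in the AS exchange) and narrows what to look at in the directory.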



