Re: [Samba] Samba AD + Kerberos + NFS "Client no longer in database"

On 04.03.2018 02:52, Ken McDonald via samba wrote:
I am so lost trying to get Samba AD 4.7.5 as a Kerberos source for NFSv4. The NFS server is the Samba AD server running Ubuntu Server 16.04.3 and the client is Linux Mint 18.3.

This export WORKS and mounts on client

########## /etc/exports ##########

/mnt/fileshare         *(rw,no_subtree_check,async)

############################

This export DOES NOT

########## /etc/exports ##########

/mnt/fileshare *(rw,async,no_subtree_check,sec=krb5p:krb5i:krb5)

############################

The error I get on client side is

########## console ##########

sudo mount -vvvv -t nfs4 -o sec=krb5 ubuntu-nfs:/mnt/fileshare /mnt/fileshare

mount.nfs4: timeout set for Sat Mar  3 20:27:51 2018
mount.nfs4: trying text-based options 'sec=krb5,addr=172.20.100.151,clientaddr=172.20.100.205'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting ubuntu-nfs:/mnt/fileshare

############################

On server side, syslog is no help.

########## /var/log/syslog ##########

Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: inbuf 'nfsd 172.20.100.205'
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/' flags 0x12405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: v4root_create: path '/mnt' flags 0x10405
Mar  3 20:25:53 ubuntu-nfs rpc.mountd[2377]: auth_unix_ip: client 0x16ec5b0 '*'

############################

On the server side, I increased Samba logging to log level = 4 and I get this when the remote mount first fails:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.282480,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:36129 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287154,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 149
[2018/03/03 20:18:57.287185,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287207,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.287406,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.288906,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:39005 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.292893,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.292921,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.292937,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.293106,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.297323,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx] at [Sat, 03 Mar 2018 20:18:57.297240 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:39005] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.297491,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.297385-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx", "remoteAddress": "ipv4:172.20.100.205:39005", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.297615,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.297648,  4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.307065,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.307839,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.307878,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.310239,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:57552 for krbtgt/SUBDOMAIN.DOMAIN.COM@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.314895,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 149
[2018/03/03 20:18:57.314932,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.314951,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.315138,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx using aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.315187,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx] at [Sat, 03 Mar 2018 20:18:57.315174 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.20.100.205:57552] became [SUBDOMAIN]\[MINT-NFS$] [S-1-5-21-1314416752-3121880105-2930208240-1104]. local host [NULL]
[2018/03/03 20:18:57.315435,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-03-03T20:18:57.315308-0500", "type": "Authentication", "Authentication": {"authDescription": "ENC-TS Pre-authentication", "version": {"major": 1, "minor": 0}, "becameSid": "S-1-5-21-1314416752-3121880105-2930208240-1104", "netlogonComputer": null, "status": "NT_STATUS_OK", "netlogonTrustAccount": null, "serviceDescription": "Kerberos KDC", "localAddress": "NULL", "clientAccount": "nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx", "remoteAddress": "ipv4:172.20.100.205:57552", "clientDomain": null, "workstation": null, "becameAccount": "MINT-NFS$", "mappedAccount": "MINT-NFS$", "becameDomain": "SUBDOMAIN", "netlogonSecureChannelType": 0, "mappedDomain": "SUBDOMAIN", "netlogonNegotiateFlags": "0x00000000", "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2018/03/03 20:18:57.315512,  3] ../auth/auth_log.c:139(get_auth_event_server)
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2018/03/03 20:18:57.315622,  4] ../source4/auth/sam.c:189(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.322796,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2018-03-03T20:18:57 starttime: unset endtime: 2018-03-04T06:18:57 renew till: 2018-03-04T20:18:57
[2018/03/03 20:18:57.323216,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2018/03/03 20:18:57.323256,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok
[2018/03/03 20:18:57.323763,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.323830,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

In addition, there is a series of these messages repeating after the initial connection, and any subsequent remount attempt just logs the messages below:

########## /usr/local/samba/var/log.samba ##########

[2018/03/03 20:18:57.330456,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx from ipv4:172.20.100.205:57554 for nfs/ubuntu-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx [canonicalize, renewable]
[2018/03/03 20:18:57.334817,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: nfs/mint-nfs.subdomain.domain.com@xxxxxxxxxxxxxxxxxxxx
[2018/03/03 20:18:57.334883,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ret: -1765328378
[2018/03/03 20:18:57.334944,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:172.20.100.205:57554
[2018/03/03 20:18:57.336124,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/03 20:18:57.336195,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

############################

I believe the "Client no longer in database" message is the root error. I added code to the Samba sources to pull the exact message code, -1765328378, which I found means KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

I created the server and client keytab files using commands like these:

sudo samba-tool spn add nfs/ubuntu-nfs.subdomain.domain.com "UBUNTU-NFS\$"

sudo samba-tool domain exportkeytab --principal=nfs/ubuntu-nfs.subdomain.domain.com ~/ubuntu-nfs.keytab

and put the files in /etc/krb5.keytab. I can verify in ADUC that these SPNs do exist on the machine accounts for server and client.

I'm so lost. I had this working on a prior test VM setup but started over to clean up my documentation. I've got no idea where to go next to make the NFSv4 mount work using Kerberos from Samba AD.

This looks very similar to a problem I had with a Solaris system joined to a Samba AD DC.

In my case the Solaris system used to request a ticket for root/system.subdomain.domain.tld@xxxxxxxxxxxxxxxxxxxx, which is a valid SPN for the system, while the UPN for that system was host/system.subdomain.domain.tld@xxxxxxxxxxxxxxxxxxxx.

Apparently, the Samba built-in KDC expects such a ticket request to be for a UPN, not an SPN. In comparison, the MIT Kerberos KDC is more tolerant and accepts such a request: I tested with Samba 4.7.5 on Fedora 27 that uses the MIT KDC and it works.

Since I did not want to migrate my DCs to a different platform supporting the MIT KDC, I implemented a workaround: I renamed the UPN of the client system's account from host/... to root/..., and that works with the Samba built-in KDC. Of course this workaround works for exactly one name used client side, root/... in my case.

You might try the same: rename the UPN to nfs/... and check if it works. Or switch to a Samba AD DC with an MIT KDC.

Regards,
Norbert
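
An added preflight script for the setup in this thread (not code from Ken's post, Norbert's reply, or the Samba project). It assumes the thread's placeholder names (mint-nfs, ubuntu-nfs, SUBDOMAIN.DOMAIN.COM), MIT krb5's `klist -k` output format on the client, and a DC built from source under /usr/local/samba; those paths and names are assumptions. The first three functions are pure and can be run anywhere: they derive the nfs/FQDN principal, check a keytab listing for it, and build the LDIF for the UPN rename Norbert describes. `live_checks` only prints the samba-tool, ldbsearch, klist, kinit and kvno commands to run by hand on the DC and the client, since they need a live domain.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder names are the thread's; the
# sam.ldb path is an assumption about a DC installed under /usr/local/samba.

REALM="SUBDOMAIN.DOMAIN.COM"
SAM_LDB="/usr/local/samba/private/sam.ldb"   # assumption: source build layout

# krb_principal FQDN: the principal rpc.gssd and nfsd look up in /etc/krb5.keytab
krb_principal() {
    printf 'nfs/%s@%s\n' "$1" "$REALM"
}

# keytab_has_principal PRINC: read MIT "klist -k" output on stdin and succeed only
# if PRINC is listed. Entries are "<kvno> <principal>" rows; header lines have no
# numeric first column and are skipped.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# upn_rename_ldif DN UPN: LDIF for the reply's workaround, replacing the machine
# account's userPrincipalName with the name the client requests. Feed it to:
#   ldbmodify -H "$SAM_LDB" < rename.ldif
upn_rename_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# live_checks CLIENT_FQDN SERVER_FQDN: print the commands to run by hand. The DC
# lines need samba-tool/ldbsearch; the client lines need a root shell there.
live_checks() {
    client_princ=$(krb_principal "$1")
    server_princ=$(krb_principal "$2")
    # sAMAccountName of a machine account is the upper-cased short host name plus '$'
    client_acct=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')\$
    echo "# on the DC: SPNs and UPN of the client machine account"
    echo "samba-tool spn list '$client_acct'"
    echo "ldbsearch -H $SAM_LDB '(sAMAccountName=$client_acct)' userPrincipalName servicePrincipalName"
    echo "# on the client: keytab has the principal, AS-REQ works, TGS-REQ for the server works"
    echo "klist -k /etc/krb5.keytab | grep -F '$client_princ'"
    echo "kinit -k '$client_princ'"
    echo "kvno '$server_princ'    # the thread's failure is at this TGS step"
}
```

If `kinit -k` succeeds but `kvno` fails with the same "Client no longer in database" on the DC, compare the `userPrincipalName` from the ldbsearch line with the principal in the keytab; that mismatch is the case Norbert's UPN rename addresses.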


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba