Web lists-archives.com

Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...




Hai Marco, 
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: vrijdag 26 oktober 2018 11:23
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > >  root@vdcsv1:~# samba-tool spn list vdmpp1$
> > Hmm, 
> > > 	 nfs/vdmpp1.ad.fvg.lnf.it   << correct 
> > And these are wrong. 
> > > 	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1
> > > 	 nfs/vdmpp1.ad.fvg.lnf.it/vdmpp1.ad.fvg.lnf.it
> > Remove these 2. 
> 
> Removed, both on server and client. But, really, i've only do:
> 
> 	samba-tool spn add nfs/vdmpp1.ad.fvg.lnf.it vdmpp1$
> 
> strange.
Yes, it is, what is the DC's samba version? Same as the members? 
> 
> 
> > What is the output of : 
> > dig -x $(hostname -i)
> 
> Still i'm using the old domain DNS for (back)resolving, so reverse
> point to old address (vdmpp2.pp.lnf.it).
> Clearly, i've addedd in /etc/hosts relevant record, and added to
> svcgssd the option '-p nfs/vdmpp1.ad.fvg.lnf.it' thatm, AFAI've
> understood, fix that.

Fixed? Yes and no, this is (still) one of you problems. 
All servers, in this case the DCs and vdmpp1 vdmpp2 need to know the correct hostnames and ip. 
And the members must have the resolving correctly to the DC's to be able to lookup the SPN's

if you cant setup in the dns correct and you need the hosts files for both server and client.

And on both servers add in /etc/krb5.conf  in libdefaults part. 
rdns = no
# no PTR lookups are done now. 

Reboot boot servers to make sure these settings are correctly applied. 
When thats done recheck then resolving on both these servers. 
hostname -f 
hostname -s
hostname -i 
These must be correct. 


> 
> 
> > exportfs
> > getfacl /home
> 
>  root@vdmpp1:~# exportfs
>  /home         	10.27.0.0/21
>  root@vdmpp1:~# getfacl /home
>  getfacl: Removing leading '/' from absolute path names
>  # file: home
>  # owner: root
>  # group: root
>  user::rwx
>  group::r-x
>  other::r-x

Ok this part, check again after the reboot, i forget the -v for the exportfs...  ( sorry ) 
exportfs -v 

Set chmod 1777 /home on both servers ( but leave this for the last. ), i suggest read the complete mail first. 
Test with sec=sys, and when that works we test with kerberos. 
Then we might need to look at the rights of /home 

> 
> 
> > And if you test with 
> > mount -t nfs4 -o sec=sys vdmpp1.ad.fvg.lnf.it:/home /home
> > Or 
> > mount -t nfs4 -o sec=krb5,vers=4.1 vdmpp1.ad.fvg.lnf.it:/home /home
> > Does that work or one of these work? If sys works then its 
> not firewalling. 
> 
> No, both does not work, same error.
Expected when i see above problem points. 

> 
> 
> > Have you set the encryption types i suggested in /etc/krb5.conf ?
> > The one i posted support CIFS and NFS both. 
> 
> I have on both server and client:
> 
>  ; for Windows 2008 with AES
>     default_tgs_enctypes =  aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> 
> > ? No key table table entry??  Hmm.. 
> > Check this with : klist -ke | grep "vdmpp2\\$"
> 
> Return empty.

This is a mayor error in you keytab file. 

When you join as domain member you should have these 
klist -k| egrep -i "host|$(hostname -s)\\$" | sort
   2 host/HOSTNAME@xxxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 host/HOSTNAME@xxxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 host/HOSTNAME@xxxxxxxxxxxxxxxxxxx (arcfour-hmac)
   2 host/HOSTNAME@xxxxxxxxxxxxxxxxxxx (des-cbc-crc)
   2 host/HOSTNAME@xxxxxxxxxxxxxxxxxxx (des-cbc-md5)
   2 host/hostname.internal.domain.tld@xxxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 host/hostname.internal.domain.tld@xxxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 host/hostname.internal.domain.tld@xxxxxxxxxxxxxxxxxxx (arcfour-hmac)
   2 host/hostname.internal.domain.tld@xxxxxxxxxxxxxxxxxxx (des-cbc-crc)
   2 host/hostname.internal.domain.tld@xxxxxxxxxxxxxxxxxxx (des-cbc-md5)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (arcfour-hmac)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (des-cbc-crc)
   2 HOSTNAME$@INTERNAL.DOMAIN.TLD (des-cbc-md5)

and if these are also in the AD? ( you should only see 2 in the AD )
HOST/hostname.internal.domain.tld
HOST/HOSTNAME


The part below here  
NFS/vdmpp2. ... < wrong 
nfs/vdmpp2..... < correct 

Remove the one with NFS. 
You want : 
nfs/HOSTNAME$@INTERNAL.DOMAIN.TLD  ( per cipher ) 
nfs/HOSTNAME.internal.domain.tld@xxxxxxxxxxxxxxxxxxx

And remember, dont add the @REALM when adding this. 
If you see in the ad also the part @INTERNAL.DOMAIN.TLD and the result wil be
@INTERNAL.DOMAIN.TLD@xxxxxxxxxxxxxxxxxxx  when resolved on the client.

> 
> > Looks like the local keytab is having problems. 
> > Run  on vdmpp2 :
> > klist -ke
> > kinit nfs/$(hostname -f) -kt /etc/krb5.keytab
> > klist | grep "Default principal"
> > That should show :
> > Default principal: nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx
> 
>  root@vdmpp2:~# klist -ke | grep "vdmpp2\\$"
>  root@vdmpp2:~# klist -ke
>  Keytab name: FILE:/etc/krb5.keytab
>  KVNO Principal
>  ---- 
> --------------------------------------------------------------
> ------------
>     2 NFS/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-crc) 	< wron
>     2 NFS/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-md5) 
>     2 NFS/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx 
> (aes128-cts-hmac-sha1-96) 
>     2 NFS/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx 
> (aes256-cts-hmac-sha1-96) 
>     2 NFS/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (arcfour-hmac) 
>     2 nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-crc) 
>     2 nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-md5) 
>     2 nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx 
> (aes128-cts-hmac-sha1-96) 
>     2 nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx 
> (aes256-cts-hmac-sha1-96) 
>     2 nfs/vdmpp2.ad.fvg.lnf.it@xxxxxxxxxxxxx (arcfour-hmac) 
>     2 nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-crc) 
>     2 nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx (des-cbc-md5) 
>     2 nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx 
> (aes128-cts-hmac-sha1-96) 
>     2 nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx 


If this server is not in production. 

Then remove it from the AD, clear the DNS, check the AD objects and remove these.
Backup you old keytab, ( ! Tip never trow the away until your 1000% sure ) it did bite me also once.. 
Remove the old ketab. 
Remove nfs-*  ( apt-get remove --purge --auto-remove nfs-* libnfsidmap2 ) 
Remove /var/lib/nfs 
install mlocate to create a db of you file system entries. 
apt-get install mlocate && updatedb && locate nfs
Remove any leftovers in /etc/systemd/. 

Clear you logs, reboot the server, check you logs, should be error free now. 

And re-add the server to the samba domain. 
Make sure you have the idmap config settings correct, you have the already. 
Make sure you have the resolving setup ok, minimal a correct A in the DNS.
  kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Renew the kerberos ticket
    winbind refresh tickets = yes

Make sure you have these in smb.conf

And now re-add you server. 

systemctl mask nmbd samba-ad-dc
systemctl stop nmbd samba-ad-dc

When your at this point, reboot then check the keytab file again, above shows what you need.

Then add the nfs/SPN  then reinstall nfs- .. Again.  

If you use ktutil 
Use the write command to /etc/krb5.keytab-NEW 
Or your adding to the existing keytab, but that also add the part you already had. 
Thats not what you want. 
Stop samba backup the old keytab and place the new one. 

See how far you get, if needed, you know where to find me..
User vers=4.1 for the mounts  


And on the nfs server you can also check this. 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867067 

mkdir /var/lib/nfs/nfsdcltrack 
nfsdcltrack init
Check if the .sqlite is created : ls /var/lib/nfs/nfsdcltrack/*.sqlite
systemctl restart nfs-server



Greetz, 

Louis





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba