
Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...


> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of 
> Rowland Penny via samba
> Sent: Wednesday 31 October 2018 9:51
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Again NFSv4 and Kerberos at the 'samba way'...
> 
> On Wed, 31 Oct 2018 08:31:17 +0100
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Hi Marco, 
> > 
> > > 
> > > Hi! L.P.H. van Belle via samba
> > >   on that day wrote...
> > > 
> > > > Sofar, until tomorrow, 
> > > 
> > > Done some tests, metoo.
> > > 
> > > 1) seems that nfs-common is disabled 'by design'. Looking at debian
> > > changelog:
> > > 
> > >  nfs-utils (1:1.2.8-9.1) unstable; urgency=medium
> > > 
> > >   Partial sync from ubuntu, included changes:
> > > 
> > >   [ Martin Pitt ]
> > >   [...]
> > >   * 27-systemd-enable-with-systemctl-statd.patch: let the admin
> > >     enable/disable statd via systemd tools. (LP: #1428486)
> > > 
> > >   [...]
> > >   [ Andreas Henriksson ]
> > >   * Restore anything related to nfs-common.init and
> > > nfs-common.default
> > >   * debian/nfs-common.links: Mask nfs-common init script with 
> > > a symlink
> > >     to /dev/null to avoid using it under systemd.
> > > 
> > > so seems you have to enable/disable/mask single services. Note that
> > > still there are some troubles, eg on client:
> > > 
> > > 	root@vdmpp2:~# systemctl start nfs-idmapd
> > > 	Failed to start nfs-idmapd.service: Unit nfs-server.service not found.
> > > 
> > > (but probably idmap is a server-only service, so it is normal?)
> > > and also seems that /etc/default/nfs-common are *totally* ignored
> > > (eg, there's no way to pass options to services).
> > > 
> > > Anyway, now i'm able to restart nfs/rpc services. ;-)
> > 
> > OK, that's at least better. 
> > 
> > And no, /etc/default/nfs-common is not ignored. It's just harder to
> > see it. 
> > 
> > systemctl cat nfs-config  
> > contains :  ExecStart=/usr/lib/systemd/scripts/nfs-utils_env.sh
> > And the nfs-utils_env.sh contains : 
> > [ -r /etc/default/nfs-common ] && . /etc/default/nfs-common
> > [ -r /etc/default/nfs-kernel-server ] && . /etc/default/nfs-kernel-server
> > 
> > ;-) 
> > 
> > And 
> > /lib/systemd/system/rpc-svcgssd.service
> > Contains:  ConditionPathExists=/etc/krb5.keytab
> > 
> > Thats all ok. 
> > 
> > All i did for the server was systemctl enable nfs-server
> > And for the client systemctl enable nfs-client
> > After the setup, all other servers start if needed based on the
> > settings in /etc/default/nfs-common
> > and/or /etc/default/nfs-kernel-server 
> 
> Hmm, I wonder if 'nfsidmap' is now being used instead of nfs-common ?

Yes, nfsidmap is also used, but all settings are loaded through the /etc/defaults/nfs-.... files

See the complete path of things that are getting loaded. Install these. 
dpkg -l | grep nfs
ii  libnfsidmap2:amd64                    0.25-5.1                       amd64        NFS idmapping library
ii  nfs-common                            1:1.3.4-2.1                    amd64        NFS support files common to client and server
ii  nfs-kernel-server                     1:1.3.4-2.1                    amd64        support for NFS kernel server
ii  nfs4-acl-tools                        0.3.3-3                        amd64        Commandline and GUI ACL utilities for the NFSv4 client

And see this service file output : systemctl cat nfs-server.service

> > > 
> > > 2) doing some mounts on the same host, with verbose output, i get:
> > > 
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: Success getting keytab entry for 'nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: WARNING: Preauthentication failed while getting initial ticket for principal 'nfs/vdmpp1.ad.fvg.lnf.it@xxxxxxxxxxxxx' using keytab 'FILE:/etc/krb5.keytab'
> > >  Oct 30 15:13:33 vdmpp1 rpc.gssd[6448]: ERROR: No credentials found for connection to server vdmpp1.ad.fvg.lnf.it
> > > 
> > > 'Preauthentication'?
> > Hmm, that is strange, it looks like this computer account is acting
> > like a real user. If I look in ADUC, Tab Account, only a user has the
> > option to "disable preauthentication". So this might help in solving
> > the problem. Can you check in ADUC if you see the Account tab or not. 
> > If it's really a computer, you should not see the Account tab. 
> > 
> 
> A computer is a user, it just has an extra objectclass and a '$' on the end of the samAccountName

There is a difference at least in what we "see" in ADUC. 
And based on what I saw here, it might help Marco with the problem of finding the problem. 
This computer account is behaving like a user account. 

> A computer is a user, it just has an extra objectclass and a '$' on the end of the samAccountName  
Yes, I totally agree, but why is his "computer" account complaining about: Preauthentication, 
which is normally only available in a user account. Due to (if I'm correct here) the values: 
sAMAccountType 805306368 ( user_account ) 
userAccountControl 0x200 ( 512 ) 

And for the computer 
sAMAccountType 805306369 ( computer_account ) 
userAccountControl 0x19000 ( 593920 )  Workstation trust account. 

This is why I also check in ADUC to "see" what is there. 

Because of this old statement I made a long time ago, in the Win95 days, and it still applies.  

In computer terms, it's a 0 or 1, always.. Yes, I say no..  (sort of..) 

A door is open or closed, yes, .... No...  ;-) 

What if I open the door a very little bit, so it's open, but you cannot go through it; now is it open or closed? 
If you say open, I say then go through it, but you can't, it's not open enough, so it's closed. No.. It's open.. 

What if I can prove that it can be both.  :-) Sort of, at least in Windows; I haven't seen it in Linux yet.  
And when it's both, it's really a bug or corruption in the registry/database. 

In Windows, you can "see" a setting, but in the backend (registry) this setting can be different. 
That's what I'm saying here: you see something is turned on in Windows, but in the registry it's not. 

I think something like this is happening in Marco's AD, at least for that computer account. 

An LDAP export of a correct computer account and the failing one will show what changed. 
I'm still working on how to detect and check all settings..


Greetz, 

Louis
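Louis suggests comparing an LDAP export of a working computer account with the failing one. As an added example (not code from the thread or from Samba), the script below decodes the userAccountControl bits and sAMAccountType values quoted in the mail (512 for a user, 593920 for the computer) from two small constructed LDIF records, reports which attributes differ, and flags an object that is supposed to be a machine account but is shaped like a user; the hostnames and DNs are made up.

```python
# Added example (not from the thread): decode userAccountControl/sAMAccountType from LDIF.
UAC_FLAGS = {  # standard MS-ADTS userAccountControl bits (subset)
    0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH",
}
SAM_TYPES = {805306368: "SAM_NORMAL_USER_ACCOUNT", 805306369: "SAM_MACHINE_ACCOUNT"}
# Constructed LDIF records; hostnames and DNs are made up, the numbers mirror the mail.
GOOD_LDIF = """dn: CN=NFSSRV1,CN=Computers,DC=example,DC=lan
sAMAccountName: NFSSRV1$
sAMAccountType: 805306369
userAccountControl: 593920
servicePrincipalName: nfs/nfssrv1.example.lan
"""
BAD_LDIF = """dn: CN=NFSSRV2,CN=Computers,DC=example,DC=lan
sAMAccountName: NFSSRV2$
sAMAccountType: 805306368
userAccountControl: 4194816
servicePrincipalName: nfs/nfssrv2.example.lan
"""

def parse_ldif(text):
    """Tiny LDIF reader for a single entry; every attribute becomes a list of values."""
    entry = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        entry.setdefault(key.strip(), []).append(val.strip())
    return entry
def uac_flags(value):  # names of the set userAccountControl bits, sorted for comparison
    return sorted(n for bit, n in UAC_FLAGS.items() if int(value) & bit)
def check_computer(entry):
    """Findings for an object that is supposed to be a machine account."""
    flags = uac_flags(entry["userAccountControl"][0])
    sam = SAM_TYPES.get(int(entry["sAMAccountType"][0]), "UNKNOWN")
    findings = []
    if sam != "SAM_MACHINE_ACCOUNT":
        findings.append(f"sAMAccountType={sam}, expected SAM_MACHINE_ACCOUNT")
    if not {"WORKSTATION_TRUST_ACCOUNT", "SERVER_TRUST_ACCOUNT"} & set(flags):
        findings.append("no trust-account bit in userAccountControl")
    if "NORMAL_ACCOUNT" in flags:
        findings.append("NORMAL_ACCOUNT bit set: object is shaped like a user")
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("DONT_REQ_PREAUTH set: Kerberos preauthentication disabled")
    return findings

def diff_entries(a, b):  # attributes (other than dn) whose values differ
    keys = (set(a) | set(b)) - {"dn"}
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}
```

Run `check_computer(parse_ldif(...))` on each export; the known-good record yields no findings, while the suspect one reports the user-shaped sAMAccountType and userAccountControl bits.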

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba