Ubuntu NFS4 server/client with AD Kerberos/LDAP

Ubuntu NFS4 server/client with AD Kerberos/LDAP
	Linux Authenticating against Active Directory

Kerberos config for NFS4 (both server and client)

The following enctype settings in /etc/krb5.conf are not necessary for NFS (which is what we do here). But they seem to be for CIFS (see , and so I still used them. But I verified that things worked without them:

[libdefaults]
     default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
     default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
     permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
<snip>

I use these particular enctypes because the AD admin tells me these are the ones supported by AD. In order to use them on Debian Squeeze, I have to use the 3.2 kernel and the nfs-kernel-server from squeeze-backports!

1. Wait a minute! I thought you wrote here earlier that the following should be used?: default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

1.

Wait a minute! I thought you wrote here earlier that the following should be used?:

default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

I did. That was with an Ubuntu Precise client and an Ubuntu Precise server. But I couldn't get it to work a second time. It looks like the production AD server I'm using now doesn't support these encryption types, while the test server did.

So I removed that instruction.

The NFS4 Server

Configure the NFS services

/etc/default/nfs-common:

STATDOPTS=

/etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
RPCNFSDOPTS=

The NFS4 Client

Installing NFS and Samba packages

apprentice@clnt-3-53:~$ sudo apt-get -y install nfs-common samba-common
Configure Samba
Same edits to /etc/smb.conf as on server:
```
  workgroup = WSPACE
  realm = WSPACE.MYDOMAIN.NL
  kerberos method = system keytab

  security = ADS
	    
```
... then join the domain:
apprentice@clnt-3-53:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com' apprentice@clnt-3-53:~$ sudo net ads keytab add root/$(hostname -f)@WSPACE.MYDOMAIN.NL -U 'unixJOINer%JOINpwd' Processing principals to add...
Configure the ancillary services (idmapd and gssd)
/etc/default/nfs-common:
```
NEED_STATD=no
STATDOPTS=
NEED_GSSD=yes
NEED_IDMAPD=yes
	    
```
apprentice@clnt-3-53:~$ sudo /etc/init.d/gssd start
Mount
The entry in /etc/fstab:
```
nfsserv-pc.ict.mydomain.com:/  /nfsmount nfs4   sec=krb5p 0 0
	    
```
apprentice@clnt-3-53:~$ sudo mkdir /nfsmount apprentice@clnt-3-53:~$ sudo mount /nfsmount
Check the mount
Since we 're mounting with root squash, root cannot look inside the mounted share. And because the admin user we 're logged in as doesn't have any tickets, he cannot either. But we could obtain a ticket. Or log in with AD authentication (which will automatically fetch us a ticket), and look inside the mount:
apprentice@intra202:~$ ssh U1234567@clnt-3-53.ict.mydomain.com U1234567@clnt-3-53.ict.mydomain.com's password: Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64) <snip> $ ls /nfsmount srv $ echo blah > /nfsmount/srv/exported/blah.txt

Now this should show up on the server:
apprentice@nfsserv-pc:~$ ls -trl /srv/exported/ total 4 -rw-r--r-- 1 U1234567 41234567 5 May 7 21:21 blah.txt apprentice@nfsserv-pc:~$ cat /srv/exported/blah.txt blah
Ergo: It Works!

Troubleshooting

1. I get access denied when trying to mount.
2. I still get access denied when trying to mount. Using rpc.svcgssd -vvvvvvvv -iiiiiiii on the server to obtain more info, I find in /var/log/daemon.log:rpc.svcgssd[19386]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - No supported encryption types (config file error?)
3. I still get access denied when trying to mount. Using rpc.svcgssd -vvvvvvvv -iiiiiiii on the server now gets me:rpc.svcgssd[2162]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request
4. How do I get more debug information?
5. This is NFS! Is all that Samba stuff really necessary? I find that Samba needs too much configuration for having just a supporting role.
6. Hey, I thought you said I had to configure /etc/idmapd.conf like this:

1.	I get `access denied` when trying to mount.
	The Linux NFS4 FAQ points to Mike Eisler's blog for this, which in turn point to MS Support entry 833708.
2.	I still get `access denied` when trying to mount. Using rpc.svcgssd -vvvvvvvv -iiiiiiii on the server to obtain more info, I find in `/var/log/daemon.log`: `rpc.svcgssd[19386]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - No supported encryption types (config file error?)`
	Are you using Squeeze? The default Squeeze kernel and daemon doesn't have strong enough encryption available. You need to use a backported kernel, and a backported nfs-kernel-server. Or you may get away with using weaker encryption, if your AD server supports it. Another advantage of a newer kernel is that the bug that causes `/proc/fs/nfsd/supported_krb5_enctypes` to not be available is fixed. BTW, the definition of the numeric enctypes listed in that pseudo-file can be found in `/usr/include/krb5/krb5.h`, which is in package `libkrb5-dev`. (You must convert from hex to decimal and back.)
3.	I still get `access denied` when trying to mount. Using rpc.svcgssd -vvvvvvvv -iiiiiiii on the server now gets me: `rpc.svcgssd[2162]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Wrong principal in request`
	That is most likely a nameserving inconsistency. Or maybe you put a domain in `/etc/idmapd.conf` and made a typo?
4.	How do I get more debug information?
	According to a Novell article, one can enable debugging of both NFS and RPC in the kernel through `/proc`: `sudo sh -c "echo 65535 > /proc/sys/sunrpc/nfsd_debug sudo sh -c "echo 65535 > /proc/sys/sunrpc/nfs_debug" sudo sh -c "echo 65535 > /proc/sys/sunrpc/rpc_debug"` ... but I hardly find the output useful. Most times, `wireshark` will give hints I like better. I you want to know for which principals the host holds keys, try sudo ktutil list
5.	This is NFS! Is all that Samba stuff really necessary? I find that Samba needs too much configuration for having just a supporting role.
	No, Samba isn't really needed. I switched to msktutil. But as long as msktutil hasn't made it into Debian Sid, I'll still advocate Samba here.
6.	Hey, I thought you said I had to configure `/etc/idmapd.conf` like this: [General] Verbosity = 0 Pipefs-Directory = /run/rpc_pipefs # Above is for Ubuntu. Change above to below for Debian # Pipefs-Directory = /var/lib/nfs/rpc_pipefs # This is not the same as the Kerberos realm Domain = WSPACE.MYDOMAIN.NL # LocalDomains = Doesn't need to be set if Kerberos configured well [Mapping] Nobody-User = nobody Nobody-Group = nogroup [Translation] Method = nsswitch
	I did. You still do for Debian Squeeze. If Kerberos is configured well in /etc/krb5.conf on Ubuntu Precise, the default settings suffice for idmapd.conf.


Mounting a Windows share from Debian/Ubuntu Linux, using AD authentication		Debian Squeeze based Samba server with AD Kerberos and LDAP

Ubuntu NFS4 server/client with AD Kerberos/LDAP

Kerberos config for NFS4 (both server and client)

The NFS4 Server

The NFS4 Client

Troubleshooting

Short selection of further reading