Introduction[edit]

http://jurjenbokma.com/ApprenticesNotes/ad_nfs4.html


Setup[edit]

Windows Server[edit]

Create 3 accounts:

  1. unixclienthost (represents the unixclient machine)
  2. unixclientroot (account for root on unixclient)
  3. unixclientnfs (used by the NFS Server on unixclient)

After creating these users, right click on each user, go to properties and under the "Account" tab change the "User logon name" to "host/unixclient.nfsdomain.com", "root/unixclient.nfsdomain.com", and "nfs/unixclient.nfsdomain.com" respectively.

Now we're going to set the SPNs on these accounts:

setspn -A host/unixclient unixclienthost
setspn -A host/unixclient.nfsdomain.com unixclienthost
setspn -A root/unixclient unixclientroot
setspn -A root/unixclient.nfsdomain.com unixclientroot
setspn -A nfs/unixclient unixclientnfs
setspn -A nfs/unixclient.nfsdomain.com unixclientnfs


Client Machine[edit]

net ads join createupn=host/$(hostname -f)@CS.CPSC.UCALGARY.CA -U admin%pass
net ads keytab add nfs/$(hostname -f)@CS.CPSC.UCALGARY.CA -U admin%pass


klist -kte[edit]

root@cs1:/mnt# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 05/06/13 16:24:51 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)

File Server[edit]

net ads keytab add nfs -U admin%pass

klist -kte[edit]

root@file2:~# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (des-cbc-md5)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
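A quick sanity check over the two keytab listings above, added here as an example (not part of the original page): it parses `klist -kte` output and reports a missing nfs/<fqdn>@REALM entry, service principals that are not of the two-component service/host form (the client listing shows nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca, whereas the file server, given the bare service name `nfs`, got the expected nfs/file2.cs.cpsc.ucalgary.ca), and entries keyed with DES or RC4 enctypes. The sample listings embedded below are constructed excerpts in the same format.

```python
import re
from collections import defaultdict

# Constructed excerpt in `klist -kte` format, modelled on the client (cs1) listing.
CLIENT_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 05/06/13 16:24:51 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:52 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
"""
# Constructed excerpt modelled on the file server (file2) listing.
SERVER_KLIST = """\
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
"""

# KVNO, two-token timestamp, principal, "(enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# DES (RFC 6649) and RC4 (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def parse_klist(text):
    """Map each principal in `klist -kte` output to the set of enctypes it is keyed with."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(3)].add(m.group(4))
    return dict(entries)

def check_keytab(text, fqdn, realm):
    """Return a list of findings for an NFS host's keytab (empty list means clean)."""
    entries = parse_klist(text)
    findings = []
    wanted = f"nfs/{fqdn}@{realm}"
    if wanted not in entries:
        findings.append(f"missing {wanted}")
    for princ, etypes in entries.items():
        name, _, prealm = princ.rpartition("@")
        if prealm != realm:
            findings.append(f"{princ}: realm is not {realm}")
        parts = name.split("/")
        if len(parts) > 2:  # service/host is the expected shape for nfs/ and host/
            findings.append(f"{princ}: {len(parts)} components, expected service/host")
        weak = sorted(etypes & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{princ}: weak enctypes {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for f in check_keytab(CLIENT_KLIST, "cs1.cs.cpsc.ucalgary.ca", "CS.CPSC.UCALGARY.CA"):
        print(f)
```

Run it against real output with `klist -kte | python3 checkkeytab.py` after replacing the constants with `sys.stdin.read()`.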

Joining Domain[edit]

To join a domain as a specific computer, you can pass in

createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'


Troubleshooting[edit]

mount.nfs4: access denied by server[edit]

Attempted to do:

root@cs1:/mnt# mount -t nfs4 -o sec=krb5i file2:/export/home /mnt/test
mount.nfs4: access denied by server while mounting file2:/export/home

rpcgssd -fvvv returns:

dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5a70 data 0x7fffc1aa5940
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
process_krb5_upcall: service is '<null>'
Full hostname for 'file2.cs.cpsc.ucalgary.ca' is 'file2.cs.cpsc.ucalgary.ca'
Full hostname for 'cs1.cs.cpsc.ucalgary.ca' is 'cs1.cs.cpsc.ucalgary.ca'
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
using FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA
creating context using fsuid 0 (save_uid 0)
creating tcp client for server file2.cs.cpsc.ucalgary.ca
DEBUG: port already set to 2049
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server file2.cs.cpsc.ucalgary.ca
Full hostname for 'file2.cs.cpsc.ucalgary.ca' is 'file2.cs.cpsc.ucalgary.ca'
Full hostname for 'cs1.cs.cpsc.ucalgary.ca' is 'cs1.cs.cpsc.ucalgary.ca'
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
using FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA
creating context using fsuid 0 (save_uid 0)
creating tcp client for server file2.cs.cpsc.ucalgary.ca
DEBUG: port already set to 2049
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with any credentials cache for server file2.cs.cpsc.ucalgary.ca
doing error downcall
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
dir_notify_handler: sig 37 si 0x7fffc1aa5ab0 data 0x7fffc1aa5980
dir_notify_handler: sig 37 si 0x7fffc1aa5ab0 data 0x7fffc1aa5980
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1d
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c