[CentOS] [Samba] Samba4 and NFSv4

Sat Jun 8 19:27:09 UTC 2013
Steve Thompson <smt at vgersoft.com>

On Thu, 6 Jun 2013, Ritter, Marcel wrote:

> Newer versions of nfs-utils (>= 1.2.4) support the HOSTNAME$ format 
> (treated like a UPN) used by Samba/Windows, which makes things easier 
> (and could/should work out of the box with a keytab created by samba 
> itself).

I have tried creating a Samba4 user object with a suitable UPN using 
msktutil on the DC (this is successfully entered into the database):

# OU=Computers
# HOST=<short hostname>
# msktutil -c -b CN=$OU \
 	-k nfs-$HOST.keytab \
 	--computer-name nfs-$HOST \
 	--upn nfs/$HOST.test.cornell.edu \
 	--service nfs/$HOST.test.cornell.edu \
 	--server `hostname` \
 	--dont-expire-password \
 	--hostname $HOST.test.cornell.edu \
 	--enctypes 0x3

and then importing this keytab into the host's keytab with ktutil (so, not 
using "net ads keytab add"). Verified the keytab with klist. Get 
permission denied when trying to mount with sec=krb5. Various different 
enctypes all get the same result.

I tried also building nfs-utils 1.2.8 from source and installing that on
the NFSv4 server (using the NFSv4 server as a client for this test). All
I get then, no matter what I put in the keytab, is:

rpc.gssd[1679]: ERROR: GSS-API: error in gss_set_allowable_enctypes(): GSS_S_BAD_MECH
 	(An unsupported mechanism was requested) - Unknown error

The build of nfs-utils (via rpmbuild) appeared clean but I suspect that 
there may be something wrong with it. Still using the 2.6.32-358.6.2.el6 
kernel.

I tried the workaround suggested in:

 	https://bugzilla.redhat.com/show_bug.cgi?id=720479

just in case, but it made no difference.

Running out of ideas!

-Steve
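
A keytab check for the setup described in this message, as an added example (not code from the thread, msktutil or nfs-utils): it parses `klist -ke` output and compares the enctypes stored for a principal with an msktutil `--enctypes` mask. The sample output, host name and realm are constructed, and it assumes klist prints short enctype names.

```python
import re

# Bit values accepted by msktutil --enctypes (msDS-SupportedEncryptionTypes).
ENCTYPE_BITS = {0x1: "des-cbc-crc", 0x2: "des-cbc-md5", 0x4: "arcfour-hmac",
                0x8: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
WEAK = {"des-cbc-crc", "des-cbc-md5"}

# One "klist -ke" row: KVNO, principal, (enctype). Newer MIT releases
# prefix retired enctypes with "DEPRECATED:".
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def decode_mask(mask):
    """Return the set of enctype names selected by an --enctypes bitmask."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def parse_klist(text):
    """Return {principal: set of enctype names} from klist -ke output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator rows do not match and are skipped
            entries.setdefault(m.group(2), set()).add(m.group(3).lower())
    return entries

def audit(text, principal, mask):
    """List problems for one principal; an empty list means none found."""
    have = parse_klist(text).get(principal)
    if have is None:
        return ["missing principal: " + principal]
    problems = []
    missing = decode_mask(mask) - have
    if missing:
        problems.append("requested but not in keytab: " + ", ".join(sorted(missing)))
    if have <= WEAK:
        # MIT krb5 >= 1.8 rejects single DES unless allow_weak_crypto is set.
        problems.append("only single-DES keys; MIT krb5 >= 1.8 needs allow_weak_crypto")
    return problems

# Constructed sample of "klist -ke /etc/krb5.keytab" output.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 nfs/host1.example.test@EXAMPLE.TEST (des-cbc-crc)
   2 nfs/host1.example.test@EXAMPLE.TEST (des-cbc-md5)
   3 HOST1$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""
```

Calling `audit(SAMPLE, "nfs/host1.example.test@EXAMPLE.TEST", 0x3)` reports the single-DES finding, since `0x3` selects only the two DES enctypes.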