Got it.
You need to use a short hostname - i.e. hostname should return only "client", not "client.domain.org".
O.


From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Ondrej Valousek
Sent: Tuesday, February 11, 2014 6:22 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

Problem is here:

Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org@DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'

rpc.gssd needs to use the CLIENT$@domain.org Krb5 principal.

And yes, reverse DNS records would be nice :)

HTH,


Ondrej
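
Added diagnostic example for the two replies above (the "short hostname" answer and the CLIENT$ principal diagnosis); this is not code from the thread, from SSSD or from nfs-utils. It rebuilds, from the output of hostname and klist -ke, the principal selection that the syslog excerpt further down shows rpc.gssd performing (machine account first, then root/, nfs/, host/), and it also checks the keytab's enctypes against the enctypes announced in the gssd upcall line, which answers the "mismatch with encryption types?" question in the same thread. The candidate order is taken from the log lines on this page, not from the nfs-utils source; the sample keytab listing and upcall line are constructed from the thread's output.

```python
"""Reproduce rpc.gssd's keytab principal choice and enctype overlap from klist/syslog text."""
import re

# Constructed sample input: the client's `klist -ke` listing, condensed from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/client.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (arcfour-hmac)
   4 host/CLIENT@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (arcfour-hmac)
"""

# Constructed sample input: the kernel's gssd upcall line from the thread's syslog excerpt.
SAMPLE_UPCALL = "handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '"

# IANA Kerberos enctype numbers mapped to the names klist prints.
ENCTYPE_NAMES = {
    18: "aes256-cts-hmac-sha1-96",
    17: "aes128-cts-hmac-sha1-96",
    16: "des3-cbc-sha1",
    23: "arcfour-hmac",
    3: "des-cbc-md5",
    1: "des-cbc-crc",
    2: "des-cbc-md4",
}

# One `klist -ke` entry: KVNO, principal@REALM, (enctype)
KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each principal in `klist -ke` output to the set of enctypes it has keys for."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keytab.setdefault(m.group(1), set()).add(m.group(2))
    return keytab


def gssd_candidates(hostname, fqdn, realm):
    """Principals rpc.gssd tries for the machine credential, in the order the thread's
    syslog shows: machine account, then root/, nfs/, host/ for the FQDN.  The machine
    account candidate is derived from `hostname`, so a FQDN hostname yields the
    non-existent CLIENT.DOMAIN.ORG$ and the search falls through to host/<fqdn>."""
    return [
        f"{hostname.upper()}$@{realm}",
        f"root/{fqdn}@{realm}",
        f"nfs/{fqdn}@{realm}",
        f"host/{fqdn}@{realm}",
    ]


def diagnose(klist_text, hostname, fqdn, realm):
    """Report which keytab entry rpc.gssd would pick and whether it is the AD machine
    account, the only one of the candidates AD issues an initial ticket to."""
    keytab = parse_klist(klist_text)
    machine_account = f"{hostname.upper()}$@{realm}"
    chosen = next((p for p in gssd_candidates(hostname, fqdn, realm) if p in keytab), None)
    result = {
        "principal": chosen,
        "machine_account": chosen == machine_account,
        "hostname_is_short": "." not in hostname,
    }
    if chosen is None:
        result["hint"] = "no matching keytab entry; rejoin the machine or regenerate the keytab"
    elif not result["machine_account"]:
        short = hostname.split(".")[0].upper()
        result["hint"] = (f"rpc.gssd will request an initial ticket as {chosen}; "
                          f"set the short hostname so it picks {short}$@{realm}")
    else:
        result["hint"] = "ok"
    return result


def parse_upcall_enctypes(upcall_line):
    """Enctype ids the kernel announced in the gssd upcall line."""
    m = re.search(r"enctypes=([\d,]+)", upcall_line)
    return {int(x) for x in m.group(1).split(",")} if m else set()


def usable_enctypes(keytab, principal, upcall_line):
    """Keytab enctypes for `principal` that the kernel also announced.
    An empty result would be a real enctype mismatch; here it is not the cause."""
    wanted = {ENCTYPE_NAMES[i] for i in parse_upcall_enctypes(upcall_line) if i in ENCTYPE_NAMES}
    return keytab.get(principal, set()) & wanted


if __name__ == "__main__":
    for hn in ("client.domain.org", "client"):
        print(f"hostname={hn!r}:", diagnose(SAMPLE_KLIST, hn, "client.domain.org", "DOMAIN.ORG"))
    kt = parse_klist(SAMPLE_KLIST)
    print("enctypes usable for CLIENT$:", sorted(usable_enctypes(kt, "CLIENT$@DOMAIN.ORG", SAMPLE_UPCALL)))
```

Run against a real client by feeding it the output of hostname, hostname -f, and klist -ke; the first diagnosis reproduces the failing case in the thread (rpc.gssd settles on host/client.domain.org, which AD does not accept as a client principal), the second shows the fix.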



From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Longina Przybyszewska [longina@sdu.dk]
Sent: Tuesday, February 11, 2014 5:00 PM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

Hi,

I have a problem with mounting an NFS4 filesystem with Kerberos security (I can mount without Kerberos security).

Both test machines run Ubuntu-saucy.

I have the NFS4 server, which is joined to AD with 'msktutil':

Server's /etc/krb5.keytab

klist -ke

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 SERVER$@DOMAIN.ORG (arcfour-hmac)
   3 SERVER$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   3 SERVER$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   3 host/server.domain.org@DOMAIN.ORG (arcfour-hmac)
   3 host/server.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   3 host/server.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   3 nfs/server.domain.org@DOMAIN.ORG (arcfour-hmac)
   3 nfs/server.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   3 nfs/server.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)

Then I joined the client machine to AD with the 'realm' command:

alongina@client:~$ sudo realm join --verbose -U USER --computer-ou OU="Linux computers",OU=ADResources  domain.org
[sudo] password for alongina:
 * Resolving: _ldap._tcp.domain.org
 * Performing LDAP DSE lookup on: 10.144.5.17
 * Performing LDAP DSE lookup on: 10.144.5.18
 * Successfully discovered: domain.org
Password for USER:
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: samba-common-bin
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads join domain.org createcomputer=ADResources/Linux computers
Enter USER's password:
DNS update failed!
Using short domain name -- AAA-BBB
Joined 'CLIENT' to dns domain 'domain.org'
No DNS domain configured for client. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads keytab create
Enter USER's password:
 * /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
 * /usr/sbin/service sssd restart
sssd stop/waiting
sssd start/running, process 3597
 * Successfully enrolled machine in realm

==============0000000=========

klist -ke

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/client.domain.org@DOMAIN.ORG (des-cbc-crc)
   4 host/client.domain.org@DOMAIN.ORG (des-cbc-md5)
   4 host/client.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (arcfour-hmac)
   4 host/CLIENT@DOMAIN.ORG (des-cbc-crc)
   4 host/CLIENT@DOMAIN.ORG (des-cbc-md5)
   4 host/CLIENT@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 host/CLIENT@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/CLIENT@DOMAIN.ORG (arcfour-hmac)
   4 CLIENT$@DOMAIN.ORG (des-cbc-crc)
   4 CLIENT$@DOMAIN.ORG (des-cbc-md5)
   4 CLIENT$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (arcfour-hmac)

=================================================================


root@client:/export/alongina# mount -t nfs4 server.domain.org:/nfs4/server /mnt/server -o sec=krb5
mount.nfs4: access denied by server while mounting server.domain.org:/nfs4/server

client:

/var/log/syslog

Feb 11 16:00:39 client rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 11 16:00:39 client rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: process_krb5_upcall: service is '<null>'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'server.domain.org' is 'server.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'client.domain.org' is 'client.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for CLIENT.DOMAIN.ORG$@DOMAIN.ORG while getting keytab entry for 'CLIENT.DOMAIN.ORG$@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for root/client.domain.org@DOMAIN.ORG while getting keytab entry for 'root/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for nfs/client.domain.org@DOMAIN.ORG while getting keytab entry for 'nfs/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 'host/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org@DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for connection to server server.domain.org
Feb 11 16:00:39 client rpc.gssd[708]: doing error downcall

Is it a mismatch with encryption types?

Problem with DNS?

The client machine is missing a reverse address in DNS…

host client.domain.org
client.domain.org has address 10.80.8.54
--------------------
host 10.80.8.54
Host 54.8.80.10.in-addr.arpa. not found: 3(NXDOMAIN)

Best

longina


From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 30 January 2014 14:38
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount


That was me.
Yes, autofs works with sssd having AD backend (and using RFC2307 schema).
No blushing.


From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Chris Gray [fathed@gmail.com]
Sent: Thursday, January 30, 2014 11:28 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount

This person was able to set up autofs with sssd and samba as their AD server.

I haven't tried this, but in theory if you make the right settings in MS AD and in the config files for autofs and sssd, it should work pretty much the same.

Since you have to specify where the ou for the automount base is in the autofs config files, you don't actually need to make the automount ou at the base level, but it's up to you and your ad structure on where you want to put it. Then as long as you have krb5, ldap, and everything set right, it should work for

Chris


On Wed, Jan 29, 2014 at 4:06 AM, Longina Przybyszewska <longina@sdu.dk> wrote:

The use case is: we are working towards a policy of accessing any resource from any platform.
All users automatically get a Windows share.
Additionally, Linux users have their primary homedir as an NFS-mounted share with automount/autofs + NIS.
Some enterprise services have access only to the Windows share.

Linux desktops running sssd with the AD provider should be able to access both shares.

Best
Longina