After having literally checked the whole internet, I hope I might get help here.
I am trying to integrate Ubuntu 12.04 servers into a Windows 2012 Active Directory with NFS and single sign-on.
setup:
- srv02 Windows server
- srv03 Ubuntu file server
- srv04 Ubuntu application server
- domain: lettrich.local
- realm: LETTRICH.LOCAL
what works:
- Windows 2012 AD set up with DNS, NTP and DHCP
- Ubuntu servers registered in AD with msktutil and getting Kerberos tickets for users (e.g. kinit Administrator@LETTRICH.LOCAL works) and for machines (kinit -k srv03$@LETTRICH.LOCAL works)
- UIDs and GIDs get resolved using Identity Management for UNIX on AD and sssd over GSSAPI.
What does not work:
- mounting an NFS share on srv04 hosted on srv03.
- getting a Kerberos ticket for service principals.
e.g.
sudo kdestroy
sudo kinit -k
kinit: Client 'host/srv03.lettrich.local@LETTRICH.LOCAL' not found in Kerberos database while getting initial credentials
krb5.keytab on srv03 (analogous for srv04):
sudo klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
10 srv03$@LETTRICH.LOCAL (arcfour-hmac)
10 srv03$@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
10 srv03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
10 host/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
nfs exports:
cat /etc/exports
/export gss/krb5(rw,fsid=0,no_subtree_check,sync,insecure,crossmnt,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/groups gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/share gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/backup gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
mounting on srv04:
sudo mount -t nfs4 -o sec=krb5 srv03:/export /mnt
gives me the error:
srv04 rpc.gssd[754]: ERROR: No credentials found for connection to server srv03
Active Directory has both srv03 and srv04 listed as domain computers with correct service principal names (names changed accordingly):
service principal name = nfs/srv03.lettrich.local; host/srv03.lettrich.local
Where is my mistake? (and yeah, time is in sync 😉 )
Will provide further information if needed.
Thanks to all in advance who are willing to help.
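As an added example (not part of the question or the answer), a small POSIX sh check that parses `klist -ke` output like the listing above: it verifies that the nfs/ and host/ principals for a given FQDN are present with AES keys, and lists RC4/DES entries, which are weak enctypes. The sample listing is constructed from the question's srv03 keytab.

```shell
#!/bin/sh
# Constructed sample: the srv03 keytab listing from the question, as printed by `klist -ke`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
  10 srv03$@LETTRICH.LOCAL (arcfour-hmac)
  10 srv03$@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 srv03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)'

# principal_enctypes LISTING PRINCIPAL -> prints the enctypes stored for PRINCIPAL, one per line
principal_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# keytab_has_aes LISTING PRINCIPAL -> 0 if PRINCIPAL has at least one AES key, 1 otherwise
keytab_has_aes() {
    principal_enctypes "$1" "$2" | grep -q '^aes'
}

# keytab_weak_enctypes LISTING -> prints "principal enctype" for every RC4 (arcfour) or DES entry;
# the three header lines of klist output are skipped
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk 'NR > 3 { gsub(/[()]/, "", $3); if ($3 ~ /^(arcfour|des)/) print $2, $3 }'
}

# check_nfs_keytab LISTING FQDN REALM -> 0 if both the nfs/ service principal and the host/
# principal for FQDN are present with AES keys; otherwise prints what is missing and returns 1
check_nfs_keytab() {
    listing=$1; fqdn=$2; realm=$3; rc=0
    for svc in nfs host; do
        princ="$svc/$fqdn@$realm"
        if ! keytab_has_aes "$listing" "$princ"; then
            echo "missing or non-AES: $princ"; rc=1
        fi
    done
    return $rc
}
```

On a real host, replace the constructed listing with `"$(sudo klist -ke)"`; the srv03 sample passes for srv03.lettrich.local and reports three RC4 entries, and the same listing fails for srv04.lettrich.local because it holds no srv04 principals.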
Best Answer
First, you should register forward and reverse DNS records for the new Linux servers. Register these in the Windows domain.
Second, on the Linux servers point the DNS resolver to Windows, and modify /etc/hosts on Linux with the proper fields.
Third, you must install the Kerberos 5 and winbind apps/modules/libraries.
Fourth, configure /etc/krb5.conf with:
Fifth, configure /etc/samba/smb.conf:
Sixth, verify you are able to connect temporarily using any user:
Seventh, create a technical user account whose password never expires and cannot be changed. Leave the rest at defaults. Keep that user in a separate AD directory :)
Eighth, generate keytab:
net ads keytab create -U your.technical.user@YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
then check that /etc/krb5.keytab exists.
Now you can configure other services, especially using the ntlm helper. You can test the connection using:
Type the password and you should see the status:
Now you can configure PAM to authenticate many services, but I didn't do this. I successfully use that config with Apache 2.2 NTLM authentication. I saw PAM configs for ssh and Xsession.
The main idea is that only winbind authenticates to Active Directory. All other services authenticate locally to winbind in some way. Winbind is part of Samba. If you don't need Samba, install only winbind; this installs some Samba libraries.
Sometimes when you configure the connection, wbinfo fails to connect. You must then wait for a moment, 5 or more minutes, for domain info propagation.
Of course, time on all machines should be in sync. Configure NTP for this. I'm using Debian, but Ubuntu does everything similarly to Debian :) Good luck.