Ubuntu 12.04, Windows 2012 Active Directory Integration, Kerberos won't resolve service principals

After having literally checked the whole internet, I hope that I might get help here.

I am trying to integrate Ubuntu 12.04 servers into a Windows 2012 Active Directory with NFS and single sign-on.

Setup:

  • srv02 Windows server
  • srv03 Ubuntu file server
  • srv04 Ubuntu application server

  • domain: lettrich.local

  • realm: LETTRICH.LOCAL

What works:

  • Windows 2012 AD set up with DNS, NTP and DHCP
  • Ubuntu servers registered in AD with msktutil and getting
    1. Kerberos tickets for users (e.g. kinit [email protected] works)
    2. and for machines (kinit -k [email protected] works),
    3. UIDs and GIDs resolved using Identity Management for UNIX on AD and sssd over GSSAPI.

What does not work:

  • mounting an NFS share on srv04 hosted on srv03.
  • getting a kerberos ticket for service principals.

e.g.

sudo kdestroy
sudo kinit -k
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

krb5.keytab on srv03; srv04 is analogous.

sudo klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 [email protected] (arcfour-hmac) 
  10 [email protected] (aes128-cts-hmac-sha1-96) 
  10 [email protected] (aes256-cts-hmac-sha1-96) 
  10 nfs/[email protected] (arcfour-hmac) 
  10 nfs/[email protected] (aes128-cts-hmac-sha1-96) 
  10 nfs/[email protected] (aes256-cts-hmac-sha1-96) 
  10 host/[email protected] (arcfour-hmac) 
  10 host/[email protected] (aes128-cts-hmac-sha1-96) 
  10 host/[email protected] (aes256-cts-hmac-sha1-96)

nfs exports:

cat /etc/exports
/export          gss/krb5(rw,fsid=0,no_subtree_check,sync,insecure,crossmnt,anonuid=65534,anongid=65534)
/export/users    gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/groups   gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/share    gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)
/export/backup   gss/krb5(rw,no_subtree_check,sync,insecure,nohide,anonuid=65534,anongid=65534)

Mounting on srv04

sudo mount -t nfs4 -o sec=krb5 srv03:/export /mnt

gives me the error

srv04 rpc.gssd[754]: ERROR: No credentials found for connection to server srv03

Active Directory has both srv03 and srv04 listed as domain computers with correct service principal names (names changed accordingly).

service principal name = nfs/srv03.lettrich.local; host/srv03.lettrich.local

Where is my mistake? (and yeah, time is in sync ;-) )

I will provide further information if needed.

Thanks to all in advance who are willing to help.


Solution 1:

First, you should register forward and reverse DNS records for the new Linux servers. Register them in the Windows domain.

Second, on the Linux servers point the DNS resolver to Windows, and fill in the proper fields in /etc/hosts.

Third, you must install the Kerberos 5 and winbind packages/modules/libraries.

Fourth, configure /etc/krb5.conf with:

[libdefaults]
    default_realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[realms]
    YOUR.FULL.DOMAIN.WITH.UPPER.CHARS = {
            kdc = list of IPs windows domain servers
            admin_server = one ip for master domain server
    }

[domain_realm]
    your.full.domain.with.lower.chars = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[logging]
    # example logging
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

Fifth, configure /etc/samba/smb.conf:

[global]
workgroup = YOUR.SHORT.DOMAIN.WITH.UPPER.CASE
netbios name = YOUR.SERVER.NAME.WITH.UPPER.CASE.WITHOUT.DOMAIN
realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
security = ads
password server = windows.ip.server.what.allows.password.change
wins server = as.above.supports.wins.messages
wins proxy = no
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
server string = write what you want using %h as host name
dns proxy = no
idmap config * : backend = rid
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes

Sixth, verify that you are able to connect, temporarily using any user:

wbinfo -t   #test only
net getdomainsid  #should print local and domain identifier
wbinfo -u   #domain user list, may take long time for many users
wbinfo -g   #domain group list

Seventh, create a technical user account whose password never expires and cannot be changed. Leave the other settings at their defaults. Keep that user in a separate AD directory :)

Eighth, generate keytab:

net ads keytab create -U [email protected]

Then check that /etc/krb5.keytab exists.

Now you can configure other services, especially using the ntlm helper. You can test the connection using:

ntlm_auth --username UPPER.CASE.SHORTNAME.DOMAIN+your.technical.username

Type the password and you should see the status:

NT_STATUS_OK: Success (0x0)

Now you can configure PAM to authenticate many services, but I didn't do this. I successfully use that config with Apache 2.2 NTLM authentication. I have seen PAM configs for ssh and Xsession.

The main idea is that only winbind authenticates to Active Directory. All other services authenticate locally against winbind in some way. Winbind is part of Samba. If you don't need Samba, install only winbind; this pulls in some Samba libraries.

Sometimes, when you have just configured the connection, wbinfo fails to connect. You must then wait a moment, 5 or more minutes, for domain info propagation.

Of course, time on all machines should be in sync. Configure NTP for this. I'm using Debian, but Ubuntu does everything similarly to Debian :) Good luck.
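An added example, written for this page and not taken from the question or the answer: a small POSIX sh checker that ties the question's keytab listing to the answer's first step. It verifies that /etc/krb5.keytab carries the machine account plus the host/ and nfs/ principals for the host's FQDN, that all entries share one KVNO, and that forward and reverse DNS agree. The FQDNs and realm are the question's; the keytab listings are constructed, and the machine-account name SHORTNAME$ is an assumption.

```shell
#!/bin/sh
# Added example, not part of the question or the answer: consistency checks for an
# AD-joined Ubuntu NFS host. FQDNs and realm come from the question; the keytab
# listings below are CONSTRUCTED to mirror the `klist -ke` output posted there.

# Principals a host $1 (FQDN) in realm $2 should carry in /etc/krb5.keytab.
# Assumption: the machine account is SHORTNAME$ (msktutil's usual default).
expected_principals() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\nhost/%s@%s\nnfs/%s@%s\n' "$short" "$2" "$1" "$2" "$1" "$2"
}

# Usage: check_keytab FQDN REALM < output-of-klist-ke
# Returns 0 when every expected principal is present and all entries share one
# KVNO (a stale KVNO after a machine-password change is rejected by the KDC).
check_keytab() {
    listing=$(cat); rc=0
    for p in $(expected_principals "$1" "$2"); do
        printf '%s\n' "$listing" | grep -Fq " $p " || { echo "MISSING: $p"; rc=1; }
    done
    n=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ && !seen[$1]++ {n++} END {print n+0}')
    [ "$n" -le 1 ] || { echo "KVNO MISMATCH: $n different key versions in keytab"; rc=1; }
    return $rc
}

# Forward and reverse DNS for the server must agree (the answer's first step):
# MIT krb5 canonicalises the server name via DNS before forming nfs/<name>.
# Live check against the resolver; not exercised by the constructed data.
dns_roundtrip() {
    ip=$(getent hosts "$1" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || { echo "no address for $1"; return 1; }
    back=$(getent hosts "$ip" | awk 'NR==1 {print $2}')
    [ "$back" = "$1" ] || { echo "reverse of $ip is '$back', not $1"; return 1; }
}
# Constructed listing in the shape of the question's `klist -ke` for srv03.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
  10 SRV03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)'
# Same host with a leftover entry from before a machine-password change.
STALE_KEYTAB="$SAMPLE_KEYTAB
  11 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)"
# Live use on a joined host:  sh check.sh --live srv03.lettrich.local LETTRICH.LOCAL
if [ "${1:-}" = "--live" ]; then
    dns_roundtrip "$2" && klist -ke | check_keytab "$2" "$3"
fi
```

Run with --live on srv03 or srv04 to check the real keytab; without it, the constructed listings only define the functions for inspection.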