NFS4 mount fails with AD Kerberos and long hostnames

Bug #1353502 reported by Jurjen Bokma on 2014-08-06
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nfs-utils (Ubuntu)
Undecided
Unassigned

Bug Description

Hi,

Version info:
Using Ubuntu 14.04 LTS 'Trusty', and nfs-utils 1.2.8.

Symptoms:
Mounting kerberized NFS4 shares fails when the host is joined to an Active Directory domain, but not with the conventional name. Non-kerberized mounts succeed. Hosts joining the domain with the conventional name for their principal and/or sAMAccountName can also mount.

My Analysis:
When a host joins an Active Directory domain, it is convention to use the upper case non-fully-qualified domain name followed by a '$' as a principal name. But Windows cannot handle names longer than 19 characters. So when using longer hostnames, another string must be used, e.g. the IP number.
NFS looks only for <HOSTNAME>$, and fails if no principal by that name exists. AD forbids authentication with host/<fqdn> or nfs/<fqdn>. The manpage of 'msktutil' states that setting the userPrincipalName to host/<fqdn> should fix that. But in my case, it doesn't. And in many cases, it is impractical (requiring elevated privileges on Windows).

Included is a patch of utils/gssd/krb5_util.c that enables the system administrator to write a stanza in /etc/krb5.conf to override the name of the principal NFS should look for when authenticating against AD:

[appdefaults]
nfs = {
    ad_principal_name = 192.168.5.13$
}

I'm not sure whether to offer this patch here, to Debian, upstream, or all three.
Also, it makes use of an otherwise rarely used corner of Kerberos: appdefaults.

Regards
Jurjen

Revision history for this message
Jurjen Bokma (j-bokma-t) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Make NFS look for configurable AD principal" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Jurjen Bokma (j-bokma-t) wrote :

Please don't bother any more. I offered the patch upstream, and it was committed there. (Plus a line that fixes the memory leak I introduced above.)

Regards
Jurjen

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers