31.1.12

Samba 4 openSUSE fix

I fixed the nfs stuff on openSUSE. It wasn't a bug. It wasn't openSUSE. Surprise surprise. Unbelievable though this may sound, it was me.  Sometimes I feel that I'm the only person ever to have done something. This was one of those days. Like, why couldn't we access our stuff exported with NFS4 mounts with Kerberos. Sigh. OK. Let's hear it. Then yell at me.

When anyone has a problem of any sort, the first place they'll look for help, of course, is their trusty old copy of /etc/idmapd.conf. So let's have a look at that file:
[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=I.don't.know.what.the.hell.2.put.here
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

Trainspotters would then go on something like this.
In Greek and Roman Mythology, Pipefs was the name given to the tunnel beneath Hades which connected the lands of Clientium in the east and Severium in the west.
Back from the underworld, take a long hard look at this line:

Domain=I.don't.know.what.the.hell.2.put.here

Now, my fully qualified domain name is hh3.hh3.site, my hostname is hh3 and when I provisioned my Samba 4 domain, I gave the domain as --domain=CACTUS. Because I like cacti. Not to leave anyone out in the cold, my Kerberos realm is HH3.SITE. So, as with everything in Linux, I have a choice:
Domain=hh3.hh3.site
Domain=hh3.site
Domain=hh3
Domain=CACTUS
or
Domain=HH3.SITE

So it's make yer mind up or give up time. Google threw up a helpful 177 000 references to idmapd.conf, with "idmapd.conf opensuse", yes in quotes, returning zero. Not even the combined forces of the opensuse, samba or nfs-kernel mailing lists could handle this one. Oh yes, I'd tried asking there. Did you know that there even was a mailing list for NFS? Truth is, I'd no idea how to ask a question like this. My English is not what it was. Do they even see light of day on the nfs list? Some sort of decision based upon simple logic was needed here. One option I considered was:
Domain=google.com
I tried it. But it didn't work.

OK. Let's get it over and done with eh. Finally, and no taking the piss please, here is my /etc/idmapd.conf:
[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=hh3.site
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

A swift
rcnfsserver restart
followed by a
mount -t nfs4 hh3:/home /mnt -o sec=krb5
like you do, later, and here is me living to tell the tale. . .
root, the KDC, rpc.idmapd and me
with XFCE looking over our shoulder
Phew. What a day.
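What was actually going on, as an added illustration (example code written for this page, not the post's own and not taken from nfs-utils): NFSv4 does not put numeric uids on the wire. It sends owner strings of the form name@domain, and rpc.idmapd at each end translates between those strings and local ids. The Domain= line is that domain string. It has to be the identical string on server and client, and if you leave it unset idmapd uses the host's DNS domain name, which for hh3.hh3.site is hh3.site. Anything arriving with a domain the client does not recognise is mapped to Nobody-User, which is exactly what "can't access our stuff" looks like. (With sec=krb5 the Kerberos principal steve5@HH3.SITE is separately mapped to a uid on the server through nsswitch; that part was never the problem here.) The account table, the uids and the owner strings below are constructed for the example.

```python
# Toy model of what rpc.idmapd does with NFSv4 owner strings, to show why Domain=
# must be the same at both ends. Added example: not code from the post or from
# nfs-utils. The account table, uids and owner strings are constructed.

NOBODY_USER = "nobody"

# What nslcd would hand back from the Samba 4 LDAP (constructed; the uids are made up).
PASSWD = {"steve5": 3000005, "steve4": 3000004, "nobody": 65534}


def owner_string(uid, local_domain, table=PASSWD):
    """Server side: turn a uid into the name@domain string that goes on the wire.
    In this toy a uid with no name is sent as its decimal number."""
    for name, n in table.items():
        if n == uid:
            return f"{name}@{local_domain}"
    return str(uid)


def map_owner(owner, local_domain, table=PASSWD, nobody=NOBODY_USER):
    """Client side: map name@domain back to a uid. A foreign domain or an unknown
    name becomes Nobody-User, which is the "can't access our stuff" symptom."""
    name, at, domain = owner.partition("@")
    if not at:
        return int(name) if name.isdigit() else table[nobody]
    # the toy ignores case; the safe rule is the identical string at both ends anyway
    if domain.lower() != local_domain.lower():
        return table[nobody]
    return table.get(name, table[nobody])


def round_trip(uid, server_domain, client_domain):
    """uid on the server -> owner string on the wire -> uid on the client."""
    return map_owner(owner_string(uid, server_domain), client_domain)


def domain_demo():
    """steve5's files as seen from a client, for each Domain= choice from the post
    (server set to hh3.site, the value that finally worked)."""
    return {client: round_trip(3000005, "hh3.site", client)
            for client in ("hh3.site", "hh3.hh3.site", "hh3", "CACTUS")}
```

domain_demo() returns steve5's own uid only for the hh3.site client; the other three choices hand his files to nobody, which is the whole day's story in one dict.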

Samba 4 and Kerberized NFS4

There seems to be a bug in the NFS4/idmap stuff under openSUSE 12.1

I tested this today with Ubuntu 11.10 and it worked fine. The workaround with openSUSE is not to use kerberized mounts. Mounting conventionally:
mount -t nfs4 server:/server.folder /client.folder

On Ubuntu you can go the whole hog:
mount -t nfs4 server:/server.folder /client.folder -o sec=krb5


Don't forget (unlike me who tried for 2 hours trying to access the mount as a local user) that the user wanting to access the nfs'd files has to either have logged in or have kinit'd to get a ticket before trying to go to the mount. Duh!


Updated Samba 4 post here
Updated Ubuntu post here

This is what it looks like on Ubuntu 11.10, KDC, NFS4 and client all on one box!


Clockwise, Samba 4 KDC, nslcd and mount, me, rpc.idmapd and rpc.gssd

All systems go. Kerberos with everything.

rpc.idmapd at work. Perfect uid:gid mappings. (this is the bit that's broken on openSUSE)

29.1.12

Pan y Grillos (Bread and Crickets)


The week in photos
Artisan bread by Patricia

Terrace Cactus

Almond

Visitor

The neighbour's oranges

25.1.12

The Kerberos Experience

From the Observers book of 'You don't have to be a Rocket Scientist but it helps'. ISBN-0322-07716-88

Plunge
Don't do this. My latest must-have began back in November 2011. I decided to take the plunge and get involved with a software project called Samba 4. Although plunge was the right word, philosophy could well be used in its place. This is almost on a par with trying to imagine what an infinite universe is.

Cerberus, Guard Dog of Hades
Opera
I received a recording of Claudio Monteverdi's Il ritorno d'Ulisse in patria (1641) as an Xmas gift in 1972, just 331 years after it was first performed. (Vox Turnabout Records, 3 LP set, £2.98) It is an Opera. It is a love story, a home coming, a close encounter, a struggle. Everything any decent drama always is. Ulisse returns home but no one recognises him, not even his wife. In the end she does and it's all a happy ending. It took me longer to find another of his three operas, L'Orfeo on record. By the time I did, it was out on CD.

Orfeo descends into Hades, the Underworld, to try to bring his dead bride Euridice back to the living world. We hear Gods of the Sky and the Underworld pass judgement upon Orfeo. Cerberus is the three headed dog which guards the entrance to and from the Underworld. There's a river in it somewhere too. Now I really do want one of those turntables which can record old records  to a memory stick.

To give you an idea of the drama, here are Neptune and Jupiter in Ulisse passing judgement on humanity.
I'm currently writing out the brass introduction which is heard before we get to this part of the Hass edition of 1922
Italian opera, German translation, Spanish subtitles



And if you want to hear that low C at bar 9



Microsoft
An unprecedented move by Microsoft had them disclose details of part of their software called Active Directory (AD). The AD schema describes how user and computer information is stored on Microsoft networks. AD first shipped with Windows 2000 Server and was revised twice in the same decade (Windows Server 2003 and 2008). It is at the centre of every Windows domain and contains not only technical information about all the computers on the network, but also data about all the users too.

MIT
During the early 1980s security and computer systems began to clash. The Massachusetts Institute of Technology (MIT) decided enough was enough and decided to do something about computer security on its campus in Cambridge, Massachusetts. By the mid 80s, hackers were beginning to extract passwords by intercepting them as they travelled between computers connected by wires into a network. By now, instead of being sent as plain text, passwords were scrambled before being sent across the network to another computer. The computer at the other end knew how to unscramble the code back to the original password and in so doing, allow the user access to the data therein. Of course, hackers got better and better at unravelling the scrambled passwords. They intercepted data on its way from the server to the client, posing as the computer that was to receive the data in the first place. This man-in-the-middle attack would prove very difficult to detect. Sensitive information on the server would already have been compromised by the time it was realised that an attack had happened. The Kerberos we know today came out of Project Athena, an intense eight-year research project at MIT.

Iraq
The US Government treated Kerberos as munitions because of the DES code inside it and prohibited its export for use outside the US, which is how the non-US reimplementations (eBones, then Heimdal) came about. That is why it is used worldwide today.

Euridice
As Cerberus guarded the entrance to Hades, so Kerberos guards the entrance to your server. The client has to prove who it is to the server before any information is exchanged, and if mutual authentication is requested the server has to prove itself to the client too. I have been unable to find any readable explanation of Kerberos. Without implementing it yourself, I don't think you could ever understand it. It's invisible to the user.

Mythology
Kerberos has its roots firmly set in the Unix networks which would have prevailed at MIT at the time of its development. And at last we get to mention Samba 4, which has a superbly engineered Kerberos server implementation (it embeds the Heimdal KDC, which is what writes the "Kerberos:" log lines further down).  I'll start with Daniel Sonck's Wikipedia diagram:

The same Wikipedia article begins its explanation like this:
Kerberos uses as its basis the symmetric Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS).

Yeah, well. Don't run away yet. Let's see.
Cerberus' three heads represent the three pillars of Kerberos:
- The Server (in this example, a fileserver)
- The Client
- The trusted third party, the Key Distribution Centre (KDC). The KDC consists of:
  - An Authentication Server (AS)
  - A Ticket Granting Server (TGS)
  - A database containing user, computer and service principals, with their long-term keys

e.g. User steve is working on a computer called steve-pc and needs to edit a file stored on an nfs server called fileserver.  The principals involved here are steve as a user, steve-pc as a machine, fileserver as a machine and nfs as a service. For a realm called MYDOMAIN.COM in the domain mydomain.com, those principals look like this:

steve@MYDOMAIN.COM
steve-pc$@MYDOMAIN.COM
host/steve-pc@MYDOMAIN.COM
fileserver$@MYDOMAIN.COM
host/fileserver@MYDOMAIN.COM
nfs/fileserver.mydomain.com@MYDOMAIN.COM

User principals are created when a user is created. Machine principals are created when a computer is joined to the domain: in Samba 4's Active Directory the account is STEVE-PC$ and host/steve-pc is a service principal name registered on that same account. On our setup with Samba 4 as the KDC, the host keys are written to a keytab on the machine when it joins (net ads keytab create), and the nfs principal's key lives in a keytab on the fileserver in the same way. A keytab entry is the principal name, the key version number and the long-term key, i.e. the same secret the KDC holds in its database for that principal, so a keytab is a password equivalent and must be readable only by the account that runs the service. You can add service principals from any computer in the realm with samba-tool spn add or net ads keytab add.

OK, I'm going to have a think about how to explain this. Here is my first attempt.

In this example, the user needs to edit a file on the fileserver. The client sends its password. The client sends a plain text message to the AS requesting authentication. The AS asks for his password. Back on the client, the password is hashed and sent back to the AS. The AS then issues a time-stamped TGT back to the user. The user can use his TGT to ask the TGS to give him a ticket for the fileserver. This ticket is then sent to the fileserver. The fileserver checks the ticket and requests a ticket too. If the keys on the two tickets match and they were created by the TGS within an agreed time skew, the user is then sent the file. Not quite good enough!

Don't laugh. Here is my diagram.
I gave up on this

Next I suppose I have to go through A to H in the first diagram. My diagram didn't get to the A to H stage. Not even close, so let's do it with an example.
Here's what appears on the KDC during a session after authentication.
user steve5 in Kerberos realm HH3.SITE
fileserver and nfs server fqdn hh3.hh3.site
Client, KDC and fileserver all on the same old laptop running from a USB memory stick. Sic.

The fileserver share is mounted on the client, with /mnt as the mount point:

mount -t nfs4 hh3:/home /mnt -o sec=krb5
produces a lot of activity including:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime:
2012-01-28T21:16:16 endtime: 2012-01-29T07:16:16 renew till:
2012-01-29T21:16:16


user steve5 logs in:

Kerberos: AS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:50182 for
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- steve5@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- steve5@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- steve5@HH3.SITE
Kerberos: AS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:44732 for
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- steve5@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- steve5@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- steve5@HH3.SITE using
arcfour-hmac-md5

steve5 goes to the mount to get a file:

Kerberos: TGS-REQ steve5@HH3.SITE from ipv4:192.168.1.3:43987 for
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:21:50 starttime:
2012-01-28T21:23:29 endtime: 2012-01-29T07:21:50 renew till:
2012-01-29T21:21:50
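The same exchange as a runnable toy, added here and not taken from the post, Samba, Heimdal or MIT. It follows the log: the first AS-REQ is refused with PREAUTH_REQUIRED, the second carries an encrypted timestamp under the user's password-derived key, the AS-REP carries a TGT sealed under the krbtgt key that only the KDC can open, the TGS-REQ for nfs/hh3.hh3.site comes back with a ticket sealed under the nfs service's keytab key, and the server accepts it only if the authenticator inside is fresh (within the 300 second skew) and the ticket has not expired. The principal names are the ones in the log; the password, the keys and the seal()/unseal() stand-in for Kerberos encryption are constructed for the example and are not real cryptography. The path shown is the user's (steve5); the first TGS-REQ in the log, by HH3$, is rpc.gssd using the machine's keytab for the mount itself.

```python
import hashlib
import hmac
import json
import os

# Toy model of the AS-REQ / TGS-REQ / AP-REQ exchange in the KDC log above. Added
# example, not code from the post or from Samba, Heimdal or MIT; seal()/unseal()
# stand in for Kerberos's real encryption types and are not real cryptography.
SKEW = 300            # clock skew Kerberos tolerates by default, in seconds
TGT_LIFE = 10 * 3600  # ten hours, matching the authtime/endtime pairs in the log
NOW = 1327785376      # 2012-01-28T21:16:16Z, the first authtime in the log

def derive_key(password, salt):
    """String-to-key. Real enctypes use e.g. PBKDF2 (AES) or MD4 of the UTF-16
    password (arcfour-hmac-md5, as in the log); the toy uses a salted SHA-256."""
    return hashlib.sha256(salt.encode() + password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption of a dict: XOR keystream plus an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """AS and TGS in one object. db maps principal name -> long-term key."""

    def __init__(self, realm, db):
        self.db = db
        self.krbtgt = db[f"krbtgt/{realm}@{realm}"]

    def as_req(self, client, now, padata=None):
        ckey = self.db[client]
        if padata is None:                       # first AS-REQ in the log
            return {"error": "PREAUTH_REQUIRED"}
        if abs(unseal(ckey, padata)["timestamp"] - now) > SKEW:  # ENC-TS check
            return {"error": "PREAUTH_FAILED"}
        session = os.urandom(32).hex()
        tgt = {"client": client, "key": session, "endtime": now + TGT_LIFE}
        return {"ticket": seal(self.krbtgt, tgt),  # opaque to the client
                "enc_part": seal(ckey, {"key": session, "endtime": tgt["endtime"]})}

    def tgs_req(self, tgt_blob, authenticator, service, now):
        tgt = unseal(self.krbtgt, tgt_blob)
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        if (auth["client"] != tgt["client"] or abs(auth["timestamp"] - now) > SKEW
                or now > tgt["endtime"]):
            raise PermissionError("bad authenticator or expired TGT")
        skey = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "key": skey, "endtime": tgt["endtime"]}
        return {"ticket": seal(self.db[service], ticket),  # under the service's keytab key
                "enc_part": seal(bytes.fromhex(tgt["key"]), {"key": skey})}

def service_accept(keytab_key, ticket_blob, authenticator, now):
    """What nfs/hh3.hh3.site does with the AP-REQ: open the ticket with its own keytab
    key, check the authenticator under the session key, return the proven client."""
    t = unseal(keytab_key, ticket_blob)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(a["timestamp"] - now) > SKEW or now > t["endtime"]:
        raise PermissionError("stale authenticator or expired ticket")
    return t["client"]

def client_login_and_request(kdc, user, password, service, now):
    """kinit (the two AS-REQs in the log) then a TGS-REQ; returns the AP-REQ parts."""
    ckey = derive_key(password, user)
    assert kdc.as_req(user, now) == {"error": "PREAUTH_REQUIRED"}
    rep = kdc.as_req(user, now, seal(ckey, {"timestamp": now}))
    session = bytes.fromhex(unseal(ckey, rep["enc_part"])["key"])
    rep = kdc.tgs_req(rep["ticket"], seal(session, {"client": user, "timestamp": now}),
                      service, now)
    skey = bytes.fromhex(unseal(session, rep["enc_part"])["key"])
    return rep["ticket"], seal(skey, {"client": user, "timestamp": now})

# Constructed realm following the log; the password and keys are made up.
REALM = "HH3.SITE"
USER, NFS = f"steve5@{REALM}", f"nfs/hh3.hh3.site@{REALM}"
NFS_KEY = os.urandom(32)  # what `net ads keytab create` would have put in the keytab
DB = {f"krbtgt/{REALM}@{REALM}": os.urandom(32), USER: derive_key("correct horse", USER),
      NFS: NFS_KEY}

def outcome(password="correct horse", keytab_key=NFS_KEY, delay=0):
    """Run the whole exchange: the client the server accepted, or the exception class
    name when it refuses (wrong password, wrong keytab, replayed/stale authenticator)."""
    try:
        ticket, ap_req = client_login_and_request(KDC(REALM, DB), USER, password, NFS, NOW)
        return service_accept(keytab_key, ticket, ap_req, NOW + delay)
    except (ValueError, PermissionError) as e:
        return type(e).__name__
```

Two things the toy makes visible that the log does not: the client never sees the krbtgt key or the nfs key (it only ever opens enc_part under keys it holds), and a wrong password fails at the KDC's ENC-TS check rather than at the fileserver. outcome(delay=600) is the time skew case: a ticket that is still valid is refused because the authenticator inside the AP-REQ is older than 300 seconds, which is also why a wrong clock on either box looks like a Kerberos failure.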

I'll get back 2 u!

24.1.12

Spain goes 16x9

After years of nobody being in the slightest bit interested, Spain has recently started broadcasting the correct size of picture for modern TV screens.

Before now, you either had to zoom in and lose the top and bottom of the picture, or put up with a crushed image with bits missing at either side. No one in Spain adjusts their TVs, so you got used to seeing everyone unflatteringly fat. I'm told by put-that-remote-down-and-shut-up-about-it friends that I'm the only person in the whole of Spain ever to have complained.

Pictured is RTVE newsreader María Casado, Spain's answer to Joanna Lumley. Same voice, different language. Can you hear the difference?

Now: 16x9
Before: crush to fit
It's called aspect ratio. Your telly has it, your computer monitor has it, your mobile phone has it and A4 paper has it. A square has an aspect ratio of 1:1 A room 3m x 9m has an aspect ratio of 1:3. My Nikon slr camera takes photos with an aspect ratio of 2:3. Old film cameras took negatives that were 24mm x 36mm. So that's also 2:3

I wonder if the BBC would allow that outfit!
                             

23.1.12

The Sleeping Lion

Early start today. I took a stroll by my local village hill just after sunrise. Armed with my trusty old Nikon D50, I was inspired by the iron colouring in the rock and by some erosion.
Roots
El Leon Dormido (The Sleeping Lion)
Summit of El Ponoig, altitude 1182 m. Photo taken on the way out along the CV-70, altitude 263 m.

21.1.12

k5start on openSUSE

openSUSE 12.1

No k5start available for 12.1 out of the box:(

Grab the source code from here by right clicking and save-link-as'ing it. I didn't write it, so please give me no credit. Drop the guys who did a thank-you note. Russ Allbery: rra@stanford.edu
You'll need the development files for Kerberos. Yast will get them for you as in the screenshot here.
Installing the Kerberos dev stuff in Yast

I saved it in Downloads. so it's:
cd Downloads
tar -xzvf kstart-4.1.tar.gz
cd kstart-4.1
./configure
make
(now become root)
make install
(now become not root again)

You'll find k5start in /usr/local/bin so just typing k5start will launch it.

An example of using it is for processes that run all the time and whose Kerberos ticket would normally expire. Given a keytab, k5start gets a fresh ticket for the principal before the old one runs out, so the service keeps working without anyone typing a password and without the principal needing the renewable flag. I needed to keep nslcd alive via GSSAPI to access the LDAP in Samba 4. k5start saved my life!

Example syntax:
 k5start -v -f /etc/nslcd.keytab -U -o nslcd-user -K 360 -k /tmp/krb5cc_0 
Details here and in the post just below here.

Official details with permission of the Author
The latest version of k5start is always available here and the excellent documentation here

20.1.12

nslcd: Angles and Attributes

nslcd works hard behind the scenes, but rarely gets any credit. Without her, we'd have no idea of who we were, let alone where we lived. So to put matters right, here she is. Featured live on stage with some of her more well known Linux stars.
The orthogonal attributes of nslcd, yesterday
Why use nslcd? Because it can be kerberized.

16.1.12

Great Graphic Tablet Collections of the World



The ultimate in minimalism
 Meet the Ocelot in Cairo
Oneiric glx-dock
Go on. Admit it. You're envious of my graphics tablet collection. I don't blame you. How many of your mates have 3 (yes, three) graphics tablets? Eh? Go on then. How many? See. Told you. That's why I get all the birds, see.

Linux is great for working with graphics tablets. They work like pens, charcoal, erasers, smudges, air brushes and are great for taking away wrinkles on passport photos. But it just has to be Ubuntu. Don't ask me why. They work just as well in openSUSE, but somehow I just don't associate the latter with graphics, movies and mp3's. openSUSE is all high powered server university technical stuff. Ubuntu is mac for Linux. Better, but without the crazy price tags! 

The Collection
Clockwise from left. Genius 8 x 6 Wizardpen. Stone-age Acer from 2006, A4 Aiptek and cute 5 x 4 Wacom.
Setting up pressure for the big Aiptek
Winter in Benidorm

14.1.12

Kindle Huevos y Tabaco (Kindle, Eggs and Tobacco)

The end result. Sticky T Pudding
Just love these new style egg boxes. No fumo (I don't smoke).
Amazon Kindle with 6 eggs at €0.99

Samba 4 Screenshots

First, a warning: There is no Windows server in this system.

Nobody puts a human face on Samba 4. It's a remarkable achievement which has the capability of threatening Microsoft's stranglehold on corporate (and not so corporate) networks. Let's try to make it more accessible.

Here, we have installed Samba 4 as a domain controller (an Active Directory DC, not an NT4-style PDC), DNS and NFSv4 server on openSUSE. A Samba 4 user called steve4 logs onto a Windows 7 machine and saves a file on his desktop. He logs off and edits the same file logged into an openSUSE client. Then again, this time using an Ubuntu client. The Administrator intervenes and makes a profile path for another domain user, steve2. But remember, this is all controlled from the Linux DC running Samba 4.

You now have the choice. Your stuff is the same whether you choose a Linux or a windows workstation. Same files, same permissions. Choice of 2 flavours. No more costly windows licences either.

windows 7 domain logon

Windows 7 as a VirtualBox guest of openSUSE
(good taste in Blogs!)

Creating a LibreOffice document in Windows

Admin setting the roaming profile for a user

Editing the document under XFCE
Editing the document under Unity
Setting up the Linux client. This was easier than we expected. Just to confuse you, this is with user steve5. Had already done the screenshots before I noticed. Sorry.

root actually doing some work for a change

The moment of truth. But be warned. . .

. . .Kerberos is watching you

Where the hell is Yast buried these days?

Surely it can't be this easy. Configure Kerberos

root_squashing, pam and the shiny new krb5.conf

Editing a memo left on your Windows desktop. Handy;)
See how we did it here

DNS woes

Not many DNS servers can cope with the thrashing that Samba 4 has in store for them. Samba 4 drives BIND through its DLZ plugin, which needs BIND 9.8 or later. Even so, we had to call in the heavy boys to sort out openSUSE's Bind9.

rcnamed stop
Edit /etc/sysconfig/named

NAMED_RUN_CHROOTED="no"
Or use the Yast sysconfig editor to do so. This takes named out of its chroot, so it gives up that layer of isolation: treat it as a workaround, not a recommendation. Then:

rm -r /var/run/named
mkdir /var/run/named
chown named:named /var/run/named
chown named:named /var/lib/named
touch /var/lib/named/managed-keys.bind


There's some stuff to do for Samba 4 too in /usr/local/samba/private. From the file called named.txt in that folder:


chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

Group read only, nothing for "other": that keytab is the DNS service's Kerberos key, and anyone who can read it can authenticate as the DNS service and push GSS-TSIG updates into your zones.

Oh, don't forget to restart named (unlike me who took an hour trying to join a windows client to the domain!). It's not perfect, there is still a problem with /var/run/named having too many levels of symbolic links or something. The Bind gurus would laugh at this, but at least it gets you a Bind that will not fall over when Samba 4 visits town.


I got so fed up with it, I got out the big hammer:



#!/bin/bash
#Steve 17 Jan 2012
#To workaround the openSUSE bug. Run this script to restart named
#copy this script to e.g. /usr/local/bin/restartnamed, chmod +x it
#Then just type restartnamed
set -e
if [ "$(id -u)" -ne 0 ]; then
    echo "restartnamed: must be run as root" >&2
    exit 1
fi
rcnamed stop || true
# named leaves a tangle of symlinks under /var/run/named; recreate it clean
rm -rf /var/run/named
mkdir /var/run/named
chown named:named /var/run/named
rcnamed start


With Ubuntu you can use the bind9.9.0 beta. Instead of running as named, it runs as bind.

13.1.12

Samba 4 on Ubuntu

Our openSUSE method for installing Samba 4 to serve Windows and Linux clients works for Ubuntu  too. This post is about the usual Red-Hat - Debian inconveniences. For speed and security we recommend 


UPDATE: s4bind. Ubuntu - Windows Single Sign On without Winbind. Full suite of tools, here.
UPDATE: automounting the nfs, as described here.
UPDATE: add reverse DNS here.
UPDATE: or even better, forward and reverse dlz zones here.
UPDATE: 12.04. No need for the bind9 beta. We now have 9.8.1 out of the box. Small change in packages for the server. We lose pam-krb5utils and instead install libpam-krb5.
UPDATE: 12.04 beta needs to be built with libacl1-dev installed for the s3fs to work.


The test domain with Ubuntu DC
Ubuntu DC and server
The otherwise excellent Samba 4 wiki is a little neglected. The packages needed to build from the git source on Ubuntu are missing. YMMV, but for Oneiric, I used this lot:

apt-get install build-essential libattr1-dev krb5-user libblkid-dev gdb libgnutls-dev \
    libreadline-gplv2-dev python-dev autoconf python-dnspython pkg-config pam-krb5utils \
    libpopt-dev apparmor-utils ldap-utils libsasl2-modules-gssapi-mit

The client is much less greedy. See below. There's no decent bind available for Ubuntu out of the box. Not one which will survive a Samba 4 session anyway. To save hours of fiddling with dpkg on the 9.8.1 source, I can recommend the 9.9.0 beta. Edit:
/etc/apt/sources.list.d/hauke-bind9-oneiric.list
to contain:
deb http://ppa.launchpad.net/hauke/bind9/ubuntu natty main
deb-src http://ppa.launchpad.net/hauke/bind9/ubuntu natty main
Yeah, even though we're on 11.10 we use the Natty ppa. You may want to drop the packager a note thanking him:-)

For now, put the named profile into complain mode:
sudo aa-complain /etc/apparmor.d/usr.sbin.named
Complain mode logs what the profile would have blocked instead of blocking it, so named is effectively unconfined until you add the /usr/local/samba paths it needs to the profile and switch it back with aa-enforce.

 
Samba 4 on Ubuntu, yesterday 
Next, edit /etc/init.d/bind9 and change this line:
PIDFILE=/var/run/bind/run/named.pid
to this:
PIDFILE=/var/run/bind/run/named/named.pid
Finally, to get rid of the last remaining bind9 syslog error:
touch /var/cache/bind/managed-keys.bind
chown root:bind /var/cache/bind/managed-keys.bind

Nearly done. We must change the Samba 4 source so that it will talk to your bind9 beta. In source4/dns_server/dlz_minimal.h, comment out:
//#define DLZ_DLOPEN_VERSION 1
and add:
#define DLZ_DLOPEN_VERSION 2
(the 9.9 beta speaks version 2 of the dlopen DLZ interface). Then it's the usual.
./configure.developer
make
sudo su
make install
exit
make (again YMMV)
(coffee or something stronger break)

Then it's the usual:
sudo su

/usr/local/samba/sbin/provision --realm=hh3.site --domain=CACTUS \
    --adminpass=Abcd@1ef --server-role=dc

The openSUSE package,
nss-pam-ldapd
comes as two packages on Ubuntu,
libnss-ldapd
libpam-ldapd
apt makes a user and group called nslcd for you and throws in k5start for good measure. Nice, but edit /etc/default/nslcd so that nslcd does not start it without warning:
K5START_START="no"


Turn off nscd:
service nscd stop

The NFS server is a bit different too. This is where you miss Yast. Here's the low-down.
apt-get install nfs-common nfs-kernel-server rpcbind

We'll set it up for Kerberized NFS4 and you can then choose 3 or 4 when you go to mount:
Edit the following:
/etc/default/nfs-kernel-server

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=
RPCNFSDOPTS=

/etc/default/nfs-common (same on both server and client)
NEED_STATD="yes"
STATDOPTS=
NEED_IDMAPD="yes"
NEED_GSSD="yes"


/etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = hh3.site
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup


Then start the nfs server:
modprobe nfs
service nfs-kernel-server start
service idmapd start

Ubuntu Client
We need this stuff:


 apt-get install krb5-config krb5-user kstart libgssrpc4 libkadm5clnt-mit8 libkadm5srv-mit8 libkdb5-6 libnss-ldapd libpam-krb5 libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd nfs-common


There are some decisions about your ldap server, base LDAP address, nsswitch.conf and Kerberos authentication along the way. LDAP base is dc=hh3,dc=site. You need group and passwd for LDAP and the Kerberos server and authentication source is the same: 192.168.1.3. You do not need shadow lookup through NSS in LDAP. Some of the screens look as follows:
Ubuntu's equivalent of Yast
The poor mans Yast 2
DNS again. Go no further until hostname -f returns hh4.hh3.site. The easy way to do this is to add 192.168.1.3 hh3.hh3.site hh3 and 127.0.1.1 hh4.hh3.site hh4 to /etc/hosts. Ensure that /etc/hostname contains the short hostname only: hh4. No idea why. It really does help to have forward and reverse DNS lookups in place; please see the articles under UPDATE above.

The net command is already available on Oneiric so no need to install anything else, but /etc/samba/smb.conf needs these lines (the kerberos method one in particular), in this order:

workgroup = CACTUS
realm = HH3.SITE
security = ADS
kerberos method = system keytab


then (hold on tight):
net ads join -U Administrator
net ads keytab create -U Administrator
Ignore the warning about dns update.


to give (for our client with fqdn = hh4.hh3.site):

klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4@HH3.SITE
   1 host/hh4@HH3.SITE
   1 host/hh4@HH3.SITE
   1 HH4$@HH3.SITE
   1 HH4$@HH3.SITE
   1 HH4$@HH3.SITE

Three entries per principal, one per encryption type: two DES types and arcfour-hmac-md5 (klist -ke shows which is which). Keep /etc/krb5.keytab root-only (0600): it holds the machine account's keys, and whoever can read it can authenticate as HH4$. The DES entries are there for very old clients only; DES is deprecated (RFC 6649) and MIT Kerberos refuses it by default unless allow_weak_crypto is set.

nfs4/3 stuff
Before going to mount and to help debugging(either a test mount on the server, or a production mount on a remote client) in a separate shell:
rpc.gssd -fvvv
will start the gss daemon and tell you in no uncertain terms if you have your keytabs wrong. DNS must be absolutely perfect at this stage.


Be careful with the nfs mount. This setup defaults to nfs4 so be sure to specify if you want nfs3 on the command line or in fstab:
nfs4
rpc.idmapd -fvvv
At both ends will help you trace any mapping probs.


mount -t nfs4 hh3:/home /home -osec=krb5
nfs3
make sure that rpc.statd is running at both ends
mount -t nfs hh3:/home /home -osec=krb5,vers=3

An example startup script:
 cat /usr/local/bin/s4start
#!/bin/bash
#this is the ubuntu client version. Steve 26 Feb 2012
set -e
echo "Starting Samba 4 LINUX services "
#service nscd stop
# -b: k5start gets the first ticket from the keytab before it backgrounds itself and
# then re-fetches every 540 minutes, so the cache exists before nslcd needs it for GSSAPI
k5start -b -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt
service nslcd restart
echo "mounting nfs4 filesystem"
mount -t nfs4 hh3:/home /home -o sec=krb5
#mount -t nfs hh3:/home /home -o sec=krb5,vers=3

If you want POSIX ACLs over NFS (you do: NFSv4 ACLs are hopeless, you can't even get a group rw share from a 0022 umask), you'll have to drop back to NFSv3:
mount -t nfs hh3:/home /home -o vers=3,sec=krb5

If you are having permission or mapping issues, turn off nscd and remount. Login with your s4 credentials and enjoy. THEN CHECK DNS AGAIN!


To save you the misery, here are the bind configuration files, including the Samba 4 stuff:
 /etc/bind/named.conf
include "/etc/bind/named.conf.options";
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
include "/usr/local/samba/private/named.conf";

 /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

So thanks to Ubuntu, you now have the perfect setup for listening to mp3's downloaded from your mobile 'phone.

7.1.12

Día de Reyes, 2012

Reyes brought forth gifts of great joy for all mankind. Kindling in the righteousness we found the indispensable offering.   

slate & boat
The best part about it all was that I was inspired enough to dust off my now ageing Nikon and do some still life photography.










mounted
Before long, the boat was on the slate.
We hope you are inspired enough to investigate further.