[Bug 1353502] [NEW] NFS4 mount fails with AD Kerberos and long hostnames

Jurjen Bokma j.bokma at rug.nl
Wed Aug 6 13:32:56 UTC 2014


Public bug reported:

Hi,

Version info:
Using Ubuntu 14.04 LTS 'Trusty', and nfs-utils 1.2.8.

Symptoms:
Mounting kerberized NFS4 shares fails when the host is joined to an Active Directory domain, but not with the conventional name. Non-kerberized mounts succeed. Hosts joining the domain with the conventional name for their principal and/or sAMAccountName can also mount.

My Analysis:
When a host joins an Active Directory domain, it is convention to use the upper case non-fully-qualified domain name followed by a '$' as a principal name. But Windows cannot handle names longer than 19 characters. So when using longer hostnames, another string must be used, e.g. the IP number.
NFS looks only for <HOSTNAME>$, and fails if no principal by that name exists. AD forbids authentication with host/<fqdn> or nfs/<fqdn>. The manpage of 'msktutil' states that setting the userPrincipalName to host/<fqdn> should fix that. But in my case, it doesn't. And in many cases, it is impractical (requiring elevated privileges on Windows).

Included is a patch of utils/gssd/krb5_util.c that enables the system
administrator to write a stanza in /etc/krb5.conf to override the name
of the principal NFS should look for when authenticating against AD:

[appdefaults]
nfs = {
    ad_principal_name = 192.168.5.13$
}
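To make the proposed override concrete, here is an added example (not the attached patch and not nfs-utils code) that resolves the principal name gssd would look for: it takes `ad_principal_name` from the `[appdefaults] nfs = { ... }` stanza above when present, and falls back to the conventional upper-case short hostname plus `$` otherwise. The config lookup is a hypothetical hand-written parser standing in for libkrb5's `krb5_appdefault_string()`, so the block runs without libkrb5; the sample krb5.conf fragment is constructed.

```c
#include <ctype.h>
#include <string.h>
/* Constructed krb5.conf fragment carrying the [appdefaults] stanza proposed in the report. */
static const char *sample_conf =
    "[libdefaults]\n"
    "    default_realm = EXAMPLE.ORG\n"
    "[appdefaults]\n"
    "nfs = {\n"
    "    ad_principal_name = 192.168.5.13$\n"
    "}\n";
/* Hypothetical line-oriented lookup of [appdefaults] nfs = { key = value }; stands in for
 * libkrb5's krb5_appdefault_string() so the block runs without libkrb5. Returns 1 on a hit. */
int lookup_nfs_appdefault(const char *conf, const char *key, char *out, size_t outlen)
{
    int in_appdefaults = 0, in_nfs = 0; const char *p = conf;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len && isspace((unsigned char)*p)) { p++; len--; }        /* drop indentation */
        if (len && *p == '[') {                                           /* new section */
            in_appdefaults = strncmp(p, "[appdefaults]", 13) == 0;
            in_nfs = 0;
        } else if (in_appdefaults && !in_nfs && strncmp(p, "nfs", 3) == 0 && memchr(p, '{', len)) {
            in_nfs = 1;                                                   /* nfs = { */
        } else if (in_nfs && *p == '}') {
            in_nfs = 0;
        } else if (in_nfs && strncmp(p, key, strlen(key)) == 0) {
            const char *eq = memchr(p, '=', len);
            if (!eq) return 0;
            for (eq++; eq < p + len && isspace((unsigned char)*eq); eq++) ;  /* skip "= " */
            size_t vlen = (size_t)(p + len - eq);
            while (vlen && isspace((unsigned char)eq[vlen - 1])) vlen--;  /* trailing blanks */
            if (vlen >= outlen) return 0;
            memcpy(out, eq, vlen); out[vlen] = '\0';
            return 1;
        }
        p = eol ? eol + 1 : p + len;
    }
    return 0;
}
/* Principal name gssd should look for in the keytab: the configured override if present,
 * otherwise the conventional upper-case short hostname followed by '$'. */
void ad_machine_principal(const char *conf, const char *hostname, char *out, size_t outlen)
{
    if (lookup_nfs_appdefault(conf, "ad_principal_name", out, outlen)) return;
    size_t i = 0;
    while (hostname[i] && hostname[i] != '.' && i + 2 < outlen) { out[i] = (char)toupper((unsigned char)hostname[i]); i++; }
    out[i++] = '$'; out[i] = '\0';
}
```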

I'm not sure whether to offer this patch here, to Debian, upstream, or all three.
Also, it makes use of an otherwise rarely used corner of Kerberos: appdefaults.

Regards
Jurjen

** Affects: nfs-utils (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "Make NFS look for configurable AD principal"
   https://bugs.launchpad.net/bugs/1353502/+attachment/4171128/+files/krb5_util.patch

https://bugs.launchpad.net/bugs/1353502

