Bug 11485 - Access to Windows 2012r2 NFS Server fails
Access to Windows 2012r2 NFS Server fails
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-02 07:10 UTC by Marcel Ritter
Modified: 2015-09-07 20:24 UTC (History)
1 user (show)

See Also:


Attachments
samba log file (debug level = 10) (150.85 KB, application/x-bzip)
2015-09-03 06:14 UTC, Marcel Ritter
no flags Details
samba dc keytab (1.03 KB, application/octet-stream)
2015-09-03 06:15 UTC, Marcel Ritter
no flags Details
samba dc network dump (81.27 KB, application/vnd.tcpdump.pcap)
2015-09-03 06:15 UTC, Marcel Ritter
no flags Details
nfs client network dump (50.53 KB, application/vnd.tcpdump.pcap)
2015-09-03 06:15 UTC, Marcel Ritter
no flags Details
nfs client keytab 1 (/etc/krb5.keytab for winbind / nss) (1.03 KB, application/octet-stream)
2015-09-03 06:16 UTC, Marcel Ritter
no flags Details
nfs client keytab 2 (/etc/nfs.keytab for nfs) (662 bytes, application/octet-stream)
2015-09-03 06:17 UTC, Marcel Ritter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Ritter 2015-09-02 07:10:08 UTC
Trying to access a Windows 2012r2 based NFS server from Linux-Clients fails if samba4 is used as AD.

The basic setup seems to be fine, as Linux-based NFS servers work fine with Linux-based NFS Servers using krb5 and NFS 4.1.

Connections to a Windows 2012r2 NFS server based on a a Windows AD also work.

Samba version tested: latest git
Comment 1 Marcel Ritter 2015-09-02 12:30:10 UTC
More details:

Mounting works fine (using the fsid=0 export /):

# mount -t nfs4 -o minorversion=1,sec=krb5  win12:/ /tmp/m

# ls /tmp/m
test1  test2

First "ls -l" also works and displays correct owner/group:

# ls /tmp/m -l
total 0
d--------- 2 nobody    domain users 64 Aug 29 17:47 test1
d--------- 2 user00001 domain users 64 Sep  2 14:23 test2

However, just one second later doing the very same thing,
I get this:

# ls /tmp/m -l
ls: cannot access /tmp/m/test1: Permission denied
ls: cannot access /tmp/m/test2: Permission denied
total 0
d????????? ? ? ? ?            ? test1
d????????? ? ? ? ?            ? test2
Comment 2 Marcel Ritter 2015-09-02 14:30:18 UTC
Windows Event Viewer:

One log entry looks nice (maybe the one leading to the first (successful) directory listing?):

-> Windows Logs
-> Security

----

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Impersonation Level:		Impersonation

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		nfs/u1git.s5dom.test
	Account Domain:		S5DOM.TEST
	Logon ID:		0x5171EA
	Logon GUID:		{31b07c5b-966c-3ba2-1a6c-792412eab70d}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

----

However some seconds later those log entries appear (maybe the ones causing the "permission denied" / "??????"):


-> Application and Service Logs
-> Microsoft
-> Windows
-> ServiceForNFS-Server
-> IdentityMapping:

----
Server for NFS was unable to obtain security information for the GSS user account S5DOM.TEST\nfs/u1git.s5dom.test.

Check that the user account S5DOM.TEST\nfs/u1git.s5dom.test is valid and meets all configured security policies. There may be additional information in the Windows Security event log.

MSV Status: 0xC000009A, SubStatus: 0x0
S4U Status: 0xC000006D, SubStatus: 0x0
----

And two other failure reports in a different location:

-> Windows Logs
-> Security

----
An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		WIN12$
	Account Domain:		S5DOM
	Logon ID:		0x3E7

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000009A
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x4
	Caller Process Name:	

Network Information:
	Workstation Name:	WIN12
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NfsSvr
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
----

An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		WIN12$
	Account Domain:		S5DOM
	Logon ID:		0x3E7

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		nfs/u1git.s5dom.test
	Account Domain:		S5DOM.TEST

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

Process Information:
	Caller Process ID:	0x4
	Caller Process Name:	

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NfsSvr
	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
----
Comment 3 Marcel Ritter 2015-09-02 14:38:28 UTC
General setup description:

Domain Controller:
   dcgit.s5dom.test
   IP: 192.168.122.70
   System: Ubuntu 14.04.3
   Samba: git-latest
     Domain s5dom.test
     Realm: S5DOM.TEST

Windows NFS Server (joined to domain):
   win12.s5dom.test
   IP: 192.168.122.33
   System: Windows 2012R2

Linux NFS client:
   u1git.s5dom.test
   IP: 192.168.122.71
   System: Ubuntu 14.04.3

Linux NFS server (only to make sure NFS+krb5 client setup is ok):
   nfsgit.s5dom.test
   IP: 192.168.122.72
   System: Ubuntu 14.04.3
Comment 4 Marcel Ritter 2015-09-03 06:14:32 UTC
Created attachment 11398 [details]
samba log file (debug level = 10)
Comment 5 Marcel Ritter 2015-09-03 06:15:03 UTC
Created attachment 11399 [details]
samba dc keytab
Comment 6 Marcel Ritter 2015-09-03 06:15:36 UTC
Created attachment 11400 [details]
samba dc network dump
Comment 7 Marcel Ritter 2015-09-03 06:15:54 UTC
Created attachment 11401 [details]
nfs client network dump
Comment 8 Marcel Ritter 2015-09-03 06:16:34 UTC
Created attachment 11402 [details]
nfs client keytab 1 (/etc/krb5.keytab for winbind / nss)
Comment 9 Marcel Ritter 2015-09-03 06:17:08 UTC
Created attachment 11403 [details]
nfs client keytab 2 (/etc/nfs.keytab for nfs)
Comment 10 Marcel Ritter 2015-09-03 06:18:48 UTC
Hope I got everything you need ... 


On Wed, Sep 02, 2015 at 12:52:39PM +0000, Ritter, Marcel (RRZE) wrote:
> Hi Jeremy,
> 
> I've opened bug 11485 on this topic.
> 
> What wireshark traces do you need?
> 
> I guess one from the dc and one from the nfs client, right?
> 
> And as some of this stuff is encrypted:
> What else do you need to decrypt it?
> (As I'm running an isolated testbed, I can provide the keytabs and or 
> SSL keys if required.)

dc <-> server, nfs <-> server + keytabs should help, thanks !
Comment 11 Marcel Ritter 2015-09-04 11:33:33 UTC
Hmm ... did something in the handling of krb5 PAC change between samba 4.1.6 and current git?

I'm seeing PAC verification errors on the DC when trying to access NFS krb5 mounted directories (Linux client and server).

Not sure if they are really related to this bug but at least they look suspicious to me:

Kerberos: Verify PAC failed for nfs/nfsgit.s5dom.test@S5DOM.TEST (user00001@S5DOM.TEST) from ipv4:192.168.122.71:46262 with <unknown error: 22>
Comment 12 Marcel Ritter 2015-09-07 08:36:47 UTC
(In reply to Marcel Ritter from comment #0)

Update:
My initial statement that Linux NFS clients + servers work fine is incorrect: (This was only true with my Ubuntu Samba 4.1.6 setup).
With samba (latest git) I can mount NFSv4, but when trying to access user owned directories all I get is "permission denied" (even if permissions are 777).
(at the same time I get the "Verify PAC failed" messages mentioned in comment #11).
Comment 13 Marcel Ritter 2015-09-07 11:34:59 UTC
Just an update on the PAC issue:

After applying my trivial patch from 2011 (!) access from Linux NFS clients to Linux NFS servers works again:

http://permalink.gmane.org/gmane.network.samba.internals/55484

Next step: Tests with Windows NFS server ...
Comment 14 Marcel Ritter 2015-09-07 20:12:17 UTC
Update:

After adding the trivial patch, behaviour of the Windows NFS server is still broken (as described).
Comment 15 Marcel Ritter 2015-09-07 20:24:20 UTC
(In reply to Marcel Ritter from comment #13)

Link to whole thread about the PAC issue:

http://thread.gmane.org/gmane.network.samba.internals/55484/focus=55486

Unfortunately there's no trace in the mailing list archive about further discussion/work on this topic.