Rob Kampen wrote:
On 07/19/2011 04:43 PM, Olaf Mueller wrote:
Rob Kampen wrote:
Hello,
nfs4 with kerberos works fine here on CentOS 5.6.
change exports to
[...]gss/krb([...]
[...]gss/krb([...]
My /etc/exports says '... gss/krb5(...'.
Got this already
And 'SECURE_NFS="yes"' is set in /etc/sysconfig/nfs.
This too is set
All needed services are running?
- rpcsvcgssd (server)
- rpcidmapd (server)
- rpcgssd (client)
Yes all running
A very good instruction, in my opinion, to get it running is
http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.
This was one of the ones I used - will start from the beginning again.
Thanks for comments
regards
Olaf
I have put the nfs4 with Kerberos on hold as it seems there may be a
problem with the basic kerberos install.
I have chased many dozens of references (most seem at least 4 years old)
and worked step-by-step through their examples only to find problems.
I have a master KDC set up on an older i386 box (up to date 5.6) that also
runs centos-directory-server (not yet functioning) and also runs as my
DNS master (not internet accessible).
It appears to be running as advertised.
So before I go live, all the docs recommend having at least one slave
per lan segment, so I thought that should be easy.
I followed
http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html
and also
http://www.linuxtopia.org/online_books/linux_system_administration/kerberos_guides/kerberos-5.15_installation_guide/Set-Up-the-Slave-KDCs-for-Database-Propagation.html#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation
and find I cannot get past this error:
/usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting
initial ticket
the kdc log shows the principal I'm missing, and sure enough
>kvno host/www.nealdevelopment.com
host/www.nealdevelopment.com@xxxxxxxxxxxxx: kvno = 5
yet
> sudo klist -k /etc/krb5.keytab |grep www
3 host/www.nealdevelopment.com@xxxxxxxxxxxxx
3 host/www.nealdevelopment.com@xxxxxxxxxxxxx
3 host/www.nealdevelopment.com@xxxxxxxxxxxxx
3 host/www.nealdevelopment.com@xxxxxxxxxxxxx
4 host/www.nealdevelopment.com@xxxxxxxxxxxxx
4 host/www.nealdevelopment.com@xxxxxxxxxxxxx
4 host/www.nealdevelopment.com@xxxxxxxxxxxxx
4 host/www.nealdevelopment.com@xxxxxxxxxxxxx
6 host/www.nealdevelopment.com@xxxxxxxxxxxxx
6 host/www.nealdevelopment.com@xxxxxxxxxxxxx
6 host/www.nealdevelopment.com@xxxxxxxxxxxxx
6 host/www.nealdevelopment.com@xxxxxxxxxxxxx
sure enough the version numbers do not match
so I do another kadmin ktadd to add the appropriate ticket to the keytab
only to find it bumps the version number
What on earth am I missing!!!
I just cannot seem to get the numbers to match!!
As you can see my patience is all gone - I'm obviously missing something
basic.
BTW, I have tried both copying and generating local keytabs - neither
solves the problem - documentation varies and some say only do it this
way and others say another - in my case none work.
There is thus some magic foo I am not able to discern.
All help appreciated.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
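The mismatch described in the message above can be checked mechanically by comparing the key version the KDC reports (`kvno` output) with the versions stored in the keytab (`klist -k` output). The script below is an added example, not part of the original thread; the function names are hypothetical and the sample input is constructed on the model of the output quoted in the message, with a placeholder principal and realm.

```shell
# Print the distinct kvnos a plain `klist -k` listing holds for one principal.
# stdin: klist -k output; $1: principal name without the realm part.
keytab_kvnos() {
    awk -v p="$1" '
        # entry lines look like: "<kvno> <principal>@<REALM>"
        $1 ~ /^[0-9]+$/ && index($2, p "@") == 1 { print $1 }
    ' | sort -n -u | paste -s -d ' ' -
}

# Extract N from a `kvno` output line of the form "<principal>: kvno = N".
kdc_kvno() {
    sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when the keytab holds a key at the KDC's kvno, 1 otherwise.
# $1: kvno reported by the KDC; $2: space-separated keytab kvnos.
kvno_in_keytab() {
    for k in $2; do
        [ "$k" -eq "$1" ] && return 0
    done
    return 1
}

# Constructed sample input (placeholder principal and realm).
SAMPLE_KVNO_OUT='host/www.example.test@EXAMPLE.TEST: kvno = 5'
SAMPLE_KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/www.example.test@EXAMPLE.TEST
   3 host/www.example.test@EXAMPLE.TEST
   4 host/www.example.test@EXAMPLE.TEST
   6 host/www.example.test@EXAMPLE.TEST'

# Compare the two sample outputs and report the result on one line.
check_sample() {
    have=$(printf '%s\n' "$SAMPLE_KLIST_OUT" | keytab_kvnos host/www.example.test)
    want=$(printf '%s\n' "$SAMPLE_KVNO_OUT" | kdc_kvno)
    if kvno_in_keytab "$want" "$have"; then
        echo "OK: keytab holds kvno $want"
    else
        echo "MISMATCH: KDC issues kvno $want, keytab holds: $have"
    fi
}

check_sample
```

In MIT Kerberos, `ktadd` run through `kadmin` generates a new random key for the principal as a side effect, which raises the kvno on the KDC each time it is run. Rerun the comparison after every `ktadd`, against the keytab on the host that actually uses it.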