On Mon, 2011-07-25 at 12:58 -0400, Rob Kampen wrote:
> Rob Kampen wrote:
> > On 07/19/2011 04:43 PM, Olaf Mueller wrote:
> >> Rob Kampen wrote:
> >>
> >> Hello,
> >>
> >> nfs4 with kerberos works fine here on CentOS 5.6.
> >>
> >>> change exports to
> >>> [...]gss/krb([...]
> >>> [...]gss/krb([...]
> >> My /etc/exports says '... gss/krb5(...'.
> > Got this already
> >> And 'SECURE_NFS="yes"' is set in /etc/sysconfig/nfs.
> > This too is set
> >> All needed services are running?
> >> - rpcsvcgssd (server)
> >> - rpcidmapd (server)
> >> - rpcgssd (client)
> > Yes all running
> >> A very good instruction, in my opinion, to get it running is
> >> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.
> >>
> > This was one of the ones I used - will start from the beginning again.
> > Thanks for comments
> >>
> >> regards
> >> Olaf
> I have put the nfs4 with Kerberos on hold as it seems there may be a
> problem with the basic kerberos install.

Probably an issue with your keytab. The link above contains some hints:
1) you need to add an nfs (not host!) principal and
2) use ktadd -e des-cbc-crc:normal

Add only the des-cbc-crc:normal key, not one of the others as (at least
in the past, I have not checked later kernels like the one in CentOS 6)
to see if this still applies.

In order to allow the des key to work you need the following
in /etc/krb5.conf (in the libdefaults section):

    allow_weak_crypto = true

With these settings nfs mounting works for me, but see my comments below
first, before you try to mount an nfs file system.

> /usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting
> initial ticket

With the keytab you showed, first try a kinit for a user. Does that
succeed? What does a klist show after this? This way you can check the
ticket generation.
Only when that succeeds try the nfs mount.

Louis
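A check for the two settings discussed in this message, as an added example that is not part of the original post: it parses `klist -ke` output and the `[libdefaults]` section of krb5.conf, then reports which principals hold only single-DES keys and whether `allow_weak_crypto` is enabled. The keytab listing, realm and host names are constructed samples, and the function names are hypothetical.

```python
import re

# Single-DES labels printed by older and newer MIT klist (Triple DES excluded).
WEAK = re.compile(r"des-cbc-(crc|md5|md4)|(?<!Triple )DES cbc mode", re.I)
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# Constructed samples: `klist -ke` output and a minimal krb5.conf.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/nfs1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 nfs/nfs1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""
SAMPLE_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
"""

def keytab_enctypes(klist_output):
    """Map each principal to the set of enctype labels in its keytab entries."""
    keys = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys

def weak_crypto_allowed(krb5_conf):
    """True only if allow_weak_crypto is enabled inside [libdefaults]."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value.lower() in ("true", "yes", "on", "1", "y", "t")
    return False

def audit(klist_output, krb5_conf):
    """Return (principals holding only single-DES keys, weak crypto allowed?)."""
    keys = keytab_enctypes(klist_output)
    des_only = sorted(p for p, e in keys.items() if all(WEAK.search(x) for x in e))
    return des_only, weak_crypto_allowed(krb5_conf)

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, SAMPLE_CONF))
```

A DES-only principal combined with `allow_weak_crypto` unset is the mismatch this message's krb5.conf change addresses.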