Re: Windows 2003 AD, Winbind, Kerberos and NFSv4




On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
> Hi All,

> To support NFSv4 with Kerberos security, we also need to generate service 
> principal for NFS:
> 
> [root@aconite ~]# net -U administrator ads keytab add nfs
> 
> which then looks like this
> 
> [root@aconite ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     3 host/aconite.my.ad.name@xxxxxxxxxx
>     3 host/aconite.my.ad.name@xxxxxxxxxx
>     3 host/aconite.my.ad.name@xxxxxxxxxx
>     3 host/aconite@xxxxxxxxxx
>     3 host/aconite@xxxxxxxxxx
>     3 host/aconite@xxxxxxxxxx
>     3 ACONITE$@MY.AD.NAME
>     3 ACONITE$@MY.AD.NAME
>     3 ACONITE$@MY.AD.NAME
>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>     3 nfs/aconite@xxxxxxxxxx
>     3 nfs/aconite@xxxxxxxxxx
>     3 nfs/aconite@xxxxxxxxxx
> 
Did you create the keytab on the CLIENT also?

> 
> Test on the client
> 
> [root@celastrina ~]# showmount -e aconite
> Export list for aconite:
> /exports *
> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
> [root@celastrina ~]# mount |grep -i nfs4
> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
> [root@celastrina ~]#
> 
> So as you can see everything is now working *without* Kerberos.  However, 
> if I change the /etc/exports file on aconite to
> 
> [root@aconite ~]# cat /etc/exports
> /exports        gss/krb5(rw,fsid=0)
> [root@aconite ~]# exportfs
> /exports        gss/krb5
> 
> 
> and then try to mount with the -o sec=krb5 on the client
> 
Is rpc.gssd running on the client?
rpc.svcgssd on the server?

> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
> mount.nfs4: Permission denied
> 
> and the entry in /var/log/messages on celastrina is
> 
> Jul  2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file 
> '/etc/krb5.keytab'
> Jul  2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain 
> machine credentials for connection to server aconite.my.ad.name
> 
> nothing appears in the logs on aconite.
> 
So you most likely do not have a keytab on the client.

Using Kerberos is not simple...

Louis


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
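Added example (my own script, not from James's or Louis's messages): a pre-flight check for the client side of a sec=krb5 NFSv4 mount that puts Louis's diagnosis into something you can run before trying the mount. rpc.gssd obtains "machine credentials" from /etc/krb5.keytab by looking for a service principal for the client's own FQDN; the names checked here (nfs/, root/, host/, in that order) are my understanding of the nfs-utils search list and should be treated as an assumption to verify against your nfs-utils version. The host names, realm and `klist -k` listings are constructed samples modelled on the thread (the real realm was masked as xxxxxxxxxx in the archive); set KRB5_NFS_LIVE=1 to run against the real keytab on the current host instead.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks whether a client keytab
# holds a principal rpc.gssd can use before attempting `mount -o sec=krb5`.
# Sample listings below are constructed, modelled on the thread's server.

# Constructed: the server keytab after `net ads keytab add nfs` (realm assumed).
SERVER_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME'

# Constructed: a client keytab that only carries the machine account, so none
# of the names rpc.gssd looks for is present.
CLIENT_KLIST_NO_HOST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CELASTRINA$@MY.AD.NAME'

# Constructed: a client keytab with a host/ principal for its FQDN.
CLIENT_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/celastrina.my.ad.name@MY.AD.NAME
   3 host/celastrina@MY.AD.NAME
   3 CELASTRINA$@MY.AD.NAME'

# machine_cred_principal LISTING FQDN REALM
# Prints the first principal rpc.gssd would accept for machine credentials
# (assumed search order: nfs/, root/, host/ for the client FQDN) and returns 0.
# Returns 1 and prints nothing when none exists, which is the state behind
# "WARNING: Failed to obtain machine credentials" in the client log.
machine_cred_principal() {
    listing=$1 fqdn=$2 realm=$3
    for svc in nfs root host; do
        # Field 2 of each `klist -k` line is the principal; compare exactly.
        if printf '%s\n' "$listing" | awk -v p="$svc/$fqdn@$realm" \
                '$2 == p { found = 1 } END { exit !found }'; then
            echo "$svc/$fqdn@$realm"
            return 0
        fi
    done
    return 1
}

# nfs_service_principal LISTING FQDN REALM
# Server side: rpc.svcgssd needs nfs/<fqdn>@REALM (what `net ads keytab add
# nfs` created on aconite). Returns 0 if present.
nfs_service_principal() {
    printf '%s\n' "$1" | awk -v p="nfs/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# exports_sec LINE
# Prints the flavour an /etc/exports line demands: krb5, krb5i or krb5p for
# the old gss/krb5* client form or a sec=krb5* option, otherwise sys.
exports_sec() {
    case $1 in
        *gss/krb5p*|*sec=krb5p*) echo krb5p ;;
        *gss/krb5i*|*sec=krb5i*) echo krb5i ;;
        *gss/krb5*|*sec=krb5*)   echo krb5 ;;
        *)                       echo sys ;;
    esac
}

# preflight CLIENT_LISTING CLIENT_FQDN REALM EXPORT_LINE
# Returns 0 when a Kerberos mount has a chance from this client, 1 otherwise,
# and says which of Louis's questions is the problem.
preflight() {
    sec=$(exports_sec "$4")
    if [ "$sec" = sys ]; then
        echo "export does not require Kerberos; sec=krb5 is not needed"
        return 0
    fi
    if p=$(machine_cred_principal "$1" "$2" "$3"); then
        echo "ok: rpc.gssd can use $p for sec=$sec (also confirm rpc.gssd is running)"
        return 0
    fi
    echo "no nfs/, root/ or host/ principal for $2@$3 in the client keytab;"
    echo "expect 'Failed to obtain machine credentials' - create a keytab on the client first"
    return 1
}

if [ "${KRB5_NFS_LIVE:-0}" = 1 ]; then
    # Live mode: real keytab, real FQDN; realm via KRB5_REALM (default assumed).
    preflight "$(klist -k 2>/dev/null)" "$(hostname -f)" "${KRB5_REALM:-MY.AD.NAME}" 'sec=krb5' || :
else
    for kt in "$CLIENT_KLIST_NO_HOST" "$CLIENT_KLIST_OK"; do
        preflight "$kt" celastrina.my.ad.name MY.AD.NAME '/exports        gss/krb5(rw,fsid=0)' || :
    done
fi
```

Run it on celastrina before the mount; if it reports no usable principal, that is the missing client keytab Louis points at, and the `mount.nfs4: Permission denied` will not go away until the client has one. The server-side `nfs_service_principal` check is the counterpart for aconite.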

