Re: Windows 2003 AD, Winbind, Kerberos and NFSv4




On Fri, 2 Jul 2010, Louis Lagendijk wrote:

> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
>
>> To support NFSv4 with Kerberos security, we also need to generate a service
>> principal for NFS:
>>
>> [root@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     3 host/aconite.my.ad.name@xxxxxxxxxx
>>     3 host/aconite.my.ad.name@xxxxxxxxxx
>>     3 host/aconite.my.ad.name@xxxxxxxxxx
>>     3 host/aconite@xxxxxxxxxx
>>     3 host/aconite@xxxxxxxxxx
>>     3 host/aconite@xxxxxxxxxx
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>     3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>     3 nfs/aconite@xxxxxxxxxx
>>     3 nfs/aconite@xxxxxxxxxx
>>     3 nfs/aconite@xxxxxxxxxx
>>
> did you create the keytab on the CLIENT also?

Do you mean did I run the net ads keytab add nfs on the client?  If so, the 
answer is yes.  I've even tried mounting the NFS export directly from the 
NFS server.

> is rpc.gssd running on the client?
> rpc.svc.gssd on the server?

Yes and Yes.

> so you most likely do not have a keytab on the client.

I do, but I'm not sure it is correct.  If you are doing it, can you please 
provide me with some sample output to compare your server/client keytabs to 
mine?

> Using Kerberos is not simple....

I'm getting that picture. :)

-- 
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier@xxxxxx
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
           http://blogs.sfu.ca/people/jpeltier
MSN     : subatomic_spam@xxxxxxxxxxx

TEAMWORK
  There's power in numbers.  Learn to work together.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
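
An added example, not part of the original thread or any poster's code: one way to check a `klist -k` listing like the one quoted above for the `nfs/<fqdn>@REALM` entry that the NFS server's GSS daemon needs. The host name `nfs1.example.com`, the realm `EXAMPLE.COM`, the function names and the sample listing are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `klist -k` output quoted in the thread.
# Without -e, klist prints one row per stored key, so a principal normally
# repeats once per encryption type with the same KVNO.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs1.example.com@EXAMPLE.COM
   3 host/nfs1.example.com@EXAMPLE.COM
   3 NFS1$@EXAMPLE.COM
   2 nfs/nfs1.example.com@EXAMPLE.COM
   3 nfs/nfs1.example.com@EXAMPLE.COM
   3 nfs/nfs1@EXAMPLE.COM
"""

# A keytab row is "<kvno> <name>@<realm>"; header and separator rows do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")

def parse_klist(text):
    """Map each full principal name to the list of KVNOs listed for it."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, name, realm = m.groups()
            entries[f"{name}@{realm}"].append(int(kvno))
    return dict(entries)

def check_nfs_keytab(text, fqdn, realm):
    """Return findings worth a closer look for one host's keytab listing."""
    entries = parse_klist(text)
    wanted = f"nfs/{fqdn}@{realm}"
    findings = []
    if wanted not in entries:
        # Principal names are case-sensitive, so report a near miss separately.
        near = [p for p in entries if p.lower() == wanted.lower()]
        findings.append(f"case mismatch: {near[0]} != {wanted}" if near
                        else f"missing {wanted}")
    for princ, kvnos in sorted(entries.items()):
        if len(set(kvnos)) > 1:  # older keys left behind after a re-key
            findings.append(f"mixed KVNOs for {princ}: {sorted(set(kvnos))}")
    return findings

if __name__ == "__main__":
    for finding in check_nfs_keytab(SAMPLE_KLIST, "nfs1.example.com", "EXAMPLE.COM"):
        print(finding)
```

Running the same check on the listings from both the server and the client gives a like-for-like comparison; where mixed KVNOs are reported, the highest one should match what the KDC currently issues for that principal.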

