Please forgive joining the broadcast already in progress, and for top posting.

However, I have found that removing all but the DES CBC keytab entries on the client helps. With Windows 2003, you may also have to set the default encryption type for the kerberos account to DES, and use ADSIEDIT.msc to change the UserPrincipalName to nfs/hostname.fqdn.

For what it's worth, "net", part of the Samba client package, populates the keytabs accordingly.

For advanced debugging, the rpc.*gssd services can be configured to run very verbosely, by adding multiple -v arguments on start.

Louis Lagendijk wrote:
> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
>
>> To support NFSv4 with Kerberos security, we also need to generate a service
>> principal for NFS:
>>
>> [root@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    3 host/aconite.my.ad.name@xxxxxxxxxx
>>    3 host/aconite.my.ad.name@xxxxxxxxxx
>>    3 host/aconite.my.ad.name@xxxxxxxxxx
>>    3 host/aconite@xxxxxxxxxx
>>    3 host/aconite@xxxxxxxxxx
>>    3 host/aconite@xxxxxxxxxx
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>    3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>    3 nfs/aconite.my.ad.name@xxxxxxxxxx
>>    3 nfs/aconite@xxxxxxxxxx
>>    3 nfs/aconite@xxxxxxxxxx
>>    3 nfs/aconite@xxxxxxxxxx
>>
> did you create the keytab on the CLIENT also?
>
>> Test on the client
>>
>> [root@celastrina ~]# showmount -e aconite
>> Export list for aconite:
>> /exports *
>> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
>> [root@celastrina ~]# mount |grep -i nfs4
>> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
>> [root@celastrina ~]#
>>
>> So as you can see everything is now working *without* Kerberos. However,
>> if I change the /etc/exports file on aconite to
>>
>> [root@aconite ~]# cat /etc/exports
>> /exports gss/krb5(rw,fsid=0)
>> [root@aconite ~]# exportfs
>> /exports gss/krb5
>>
>>
>> and then try to mount with the -o sec=krb5 on the client
>>
> is rpc.gssd running on the client?
> rpc.svcgssd on the server?
>
>> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
>> mount.nfs4: Permission denied
>>
>> and the entry in /var/log/messages on celastrina is
>>
>> Jul 2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file
>> '/etc/krb5.keytab'
>> Jul 2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain
>> machine credentials for connection to server aconite.my.ad.name
>>
>> nothing appears in the logs on aconite.
>>
> so you most likely do not have a keytab on the client.
>
> Using kerberos is not simple....
>
> Louis
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

--
-- John E. Jasen (jjasen@xxxxxxxxxxxxxxxxxx)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
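The thread turns on two questions a reader cannot answer from plain `klist -k`: does the client keytab contain an `nfs/` principal at all (Louis's point, and the cause of rpc.gssd's "Failed to obtain machine credentials"), and which encryption types those entries carry (John's point about keeping only DES CBC entries). The script below is an added example, not code from the thread or from the CentOS project. It parses the output of `klist -k -e` (the `-e` flag prints the enctype of each entry in parentheses) and reports, per service, the entries present and how many of them are single-DES. The keytab listing it works on is constructed to resemble the one in the thread; the realm `MY.AD.NAME` is taken from the machine-account lines, and the enctype strings are the ones MIT klist prints for DES and RC4. Single-DES enctypes are disabled by default in current MIT Kerberos and in Windows domains, so on a modern host the DES count is a finding to fix rather than the configuration to aim for; the check is the same either way.

```shell
#!/bin/sh
# Constructed sample of `klist -k -e` output; not captured from any real host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/aconite.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 host/aconite.my.ad.name@MY.AD.NAME (DES cbc mode with RSA-MD5)
   3 host/aconite.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
   3 nfs/aconite.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 nfs/aconite.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)'

# Print "principal<TAB>enctype" for every keytab entry whose principal
# begins with SERVICE/ (e.g. nfs, host). Reads klist -k -e output on stdin.
entries_for_service() {
    awk -v svc="$1" '
        # entry lines start with a numeric KVNO; the header, the dashed
        # rule and the "Keytab name:" line do not
        $1 ~ /^[0-9]+$/ && index($2, svc "/") == 1 {
            et = $0
            sub(/^[^(]*\(/, "", et)      # drop everything up to the "("
            sub(/\)[ \t]*$/, "", et)     # drop the closing ")"
            print $2 "\t" et
        }'
}

# True (exit 0) when at least one entry for SERVICE exists on stdin.
has_service_principal() {
    n=$(entries_for_service "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Number of single-DES entries for SERVICE on stdin (prints 0 when none).
des_entry_count() {
    entries_for_service "$1" | grep -c 'DES cbc' || true
}

# Stand-alone demonstration on the constructed sample. On a real client
# replace the printf with: klist -k -e /etc/krb5.keytab | ...
echo "nfs/ entries in keytab:"
printf '%s\n' "$SAMPLE_KLIST" | entries_for_service nfs
if printf '%s\n' "$SAMPLE_KLIST" | has_service_principal nfs; then
    echo "nfs/ principal present; single-DES entries: $(printf '%s\n' "$SAMPLE_KLIST" | des_entry_count nfs)"
else
    echo "no nfs/ principal in keytab: rpc.gssd cannot obtain machine credentials"
fi
```

Run it as-is to see the report on the sample; on a host, pipe `klist -k -e /etc/krb5.keytab` into `entries_for_service nfs` (run as root, since the keytab is normally mode 0600). A keytab with no `nfs/` line is the situation Louis describes; a keytab whose `nfs/` entries all carry DES enctypes against a KDC that no longer issues DES tickets produces the same "Permission denied" at mount time, which is why listing the enctypes, not just the principals, is the first check.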