Re: mount hangs in NFS4+Kerberos setup

On 02/10/2012 06:41 PM, whats_up@xxxxxxx wrote:

>> Some older kernels do not support strong keys. Try adding:
>>    allow_weak_crypto = true
>> to the
>>    [libdefaults]
>> in /etc/krb5.conf
>
> yes. I painfully (mount only says access denied) found out this already
> and I use allow_weak_crypto to limit to DES. More encryption
> types have been introduced with kernel 2.6.39...
>
> I tried to use kernel 3.2 from squeeze-backports but this introduced new
> errors, thus I decided to try with 2.6 first.
>
>> Also it's not recommended to use the pseudo-root fsid=0 method for
>> nfs exports under Linux:
>>    http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
>
> hmm, as far as I have understood I have to:
> - export the root folder /exports explicitly beside the "real"
>   exports, e.g. /exports/opt
> - use fsid=0 for the root folder to force version 4 of NFS
>
> What's your suggestion to improve/secure my configuration?
>
> regards
>    knut
Officially, you should not export from a pseudo root. Please see the last few lines in the link I sent.
man rpc.gssd(8) adds:
<quote>
Previous versions of rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:
   <HOSTNAME>$@<REALM>
   root/<hostname>@<REALM>
   nfs/<hostname>@<REALM>
   host/<hostname>@<REALM>
   root/<anyname>@<REALM>
   nfs/<anyname>@<REALM>
   host/<anyname>@<REALM>
</quote>

I see your setup uses the root principal. If you still get access denied, create another keytab with just the machine$ and host/fqdn keys. I can remember having to fiddle with nfs-utils and keytabs on openSUSE at some stage last year.

If none of this works you can either stick with the old kernel and accept the security, get an up to date nfs-utils and see if that fixes it with the DES keys, or grab an up to date distro where all this stuff will work out of the box.
Cheers,
Steve
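As an added illustration (not code from this thread or from nfs-utils), a small Python check that applies the rpc.gssd(8) search order quoted above to a constructed `klist -k -e` listing, reports which principal would be picked for a given client, and flags a principal whose keys are all DES, which is the case that needs allow_weak_crypto. The hostname, realm and keytab contents are made up; treating <HOSTNAME> as the uppercased short hostname is also an assumption.

```python
import re

# rpc.gssd(8) search order as quoted above. {HOST} is assumed to be the
# uppercased short hostname (machine account style), {fqdn} the full name.
SEARCH_ORDER = [
    "{HOST}$@{realm}",
    "root/{fqdn}@{realm}",
    "nfs/{fqdn}@{realm}",
    "host/{fqdn}@{realm}",
]
ANY_PREFIXES = ("root/", "nfs/", "host/")   # the <anyname> fallbacks, in order

# DES enctypes that only work with allow_weak_crypto = true in krb5.conf.
WEAK_ENCTYPES = ("des-cbc-crc", "des-cbc-md5", "des-cbc-md4")

# Constructed sample of `klist -k -e` output (not a real keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 root/nfsclient.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 host/nfsclient.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 host/nfsclient.example.org@EXAMPLE.ORG (des-cbc-crc)
"""

def parse_klist(text):
    """Return a list of (principal, enctype) pairs from klist -k -e output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\((\S+)\)", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def select_principal(entries, fqdn, realm):
    """Principal rpc.gssd would use for machine credentials, or None."""
    principals = [p for p, _ in entries]
    host = fqdn.split(".")[0].upper()
    for pattern in SEARCH_ORDER:
        cand = pattern.format(HOST=host, fqdn=fqdn, realm=realm)
        if cand in principals:
            return cand
    for prefix in ANY_PREFIXES:
        for p in principals:
            if p.startswith(prefix) and p.endswith("@" + realm):
                return p
    return None

def weak_only(entries, principal):
    """True if every key stored for `principal` is a DES enctype."""
    encs = [e for p, e in entries if p == principal]
    return bool(encs) and all(e in WEAK_ENCTYPES for e in encs)
```

With the sample keytab the root/ entry wins the search and has only a DES key, so this client would depend on allow_weak_crypto even though an AES host/ key is present.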

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

