On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
> Hi All,
>
> To support NFSv4 with Kerberos security, we also need to generate a service principal for NFS:
>
> [root@aconite ~]# net -U administrator ads keytab add nfs
>
> which then looks like this
>
> [root@aconite ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME
Did you create the keytab on the CLIENT also?
> Test on the client
>
> [root@celastrina ~]# showmount -e aconite
> Export list for aconite:
> /exports *
> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
> [root@celastrina ~]# mount | grep -i nfs4
> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
> [root@celastrina ~]#
>
> So as you can see, everything is now working *without* Kerberos. However, if I change the /etc/exports file on aconite to
>
> [root@aconite ~]# cat /etc/exports
> /exports gss/krb5(rw,fsid=0)
> [root@aconite ~]# exportfs
> /exports gss/krb5
>
> and then try to mount with -o sec=krb5 on the client
Is rpc.gssd running on the client? rpc.svcgssd on the server?
> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
> mount.nfs4: Permission denied
>
> and the entry in /var/log/messages on celastrina is
>
> Jul 2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file '/etc/krb5.keytab'
> Jul 2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain machine credentials for connection to server aconite.my.ad.name
>
> Nothing appears in the logs on aconite.
So you most likely do not have a keytab on the client.

Using Kerberos is not simple....
Louis
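An added example, not part of the thread above, showing the check Louis is asking for in script form: given the text printed by `klist -k` on a host, does the keytab contain a principal that rpc.gssd can use as the machine credential? rpc.gssd(8) documents that it looks for nfs/<host>@REALM, root/<host>@REALM and host/<host>@REALM. The keytab dumps below are constructed (one modelled on the aconite output in the thread, with one line per principal; the celastrina and empty ones are hypothetical), and the host names and realm are the thread's; on a real machine you would feed in the actual `klist -k` output.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a `klist -k` dump for a principal
# that rpc.gssd can use as the client's machine credential. rpc.gssd(8) lists
# nfs/<host>@REALM, root/<host>@REALM and host/<host>@REALM as the candidates.
# All sample dumps below are constructed; run `klist -k` on a real host instead.

# keytab_has_principal DUMP PRINCIPAL -> exit 0 if an entry for PRINCIPAL exists.
# Entry lines start with a numeric KVNO, so the header lines are skipped.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# gssd_machine_principal DUMP FQDN REALM -> prints the first principal rpc.gssd
# would accept for FQDN; exit 1 (and print nothing) if the keytab has none.
gssd_machine_principal() {
    dump=$1; fqdn=$2; realm=$3
    for svc in nfs root host; do
        cand="$svc/$fqdn@$realm"
        if keytab_has_principal "$dump" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# principal_kvnos DUMP PRINCIPAL -> the distinct KVNOs present for PRINCIPAL,
# space separated. More than one means entries from an earlier join or
# `keytab add` are still there; the KDC's current kvno must be among them.
principal_kvnos() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 ~ /^[0-9]+$/ && $2 == want { print $1 }' \
        | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed: the server keytab from the thread, one entry per principal.
SERVER_DUMP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME'

# Constructed (hypothetical): a client joined to AD but never given an nfs/
# principal; only host/ and the machine account exist, and an old KVNO lingers.
CLIENT_DUMP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/celastrina.my.ad.name@MY.AD.NAME
   3 host/celastrina.my.ad.name@MY.AD.NAME
   3 CELASTRINA$@MY.AD.NAME'

# Constructed (hypothetical): a keytab with no entries at all.
EMPTY_DUMP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------'

# report LABEL DUMP FQDN REALM -> one line saying what rpc.gssd would find.
report() {
    if p=$(gssd_machine_principal "$2" "$3" "$4"); then
        printf '%s: rpc.gssd can use %s (kvno %s)\n' "$1" "$p" "$(principal_kvnos "$2" "$p")"
    else
        printf '%s: no usable machine principal for %s; add one to this keytab\n' "$1" "$3"
    fi
}

report aconite "$SERVER_DUMP" aconite.my.ad.name MY.AD.NAME
report celastrina "$CLIENT_DUMP" celastrina.my.ad.name MY.AD.NAME
report empty "$EMPTY_DUMP" celastrina.my.ad.name MY.AD.NAME
```

On a live host replace the constructed dumps with `klist -k` output, e.g. `report "$(hostname)" "$(klist -k)" "$(hostname -f)" MY.AD.NAME`. A keytab that passes this check but still yields "Failed to obtain machine credentials" usually points at the remaining items in the thread: rpc.gssd not running on the client, rpc.svcgssd not running on the server, or a KVNO in the keytab that no longer matches the KDC.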