Please forgive joining the broadcast already in progress, and for top posting. However, I have found that removing all but the DES CBC keytab entries on the client helps.
With Windows 2003, you may also have to set the default encryption type for the Kerberos account to DES, and use ADSIEDIT.msc to change the UserPrincipalName to nfs/hostname.fqdn.
For what it's worth, "net", part of the Samba client package, populates the keytabs accordingly.
For advanced debugging, the rpc.*gssd services can be configured to run very verbosely, by adding multiple -v arguments on start.
Louis Lagendijk wrote:
On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
Hi All,
To support NFSv4 with Kerberos security, we also need to generate a service principal for NFS:
[root@aconite ~]# net -U administrator ads keytab add nfs
which then looks like this
[root@aconite ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
did you create the keytab on the CLIENT also?
Test on the client
[root@celastrina ~]# showmount -e aconite
Export list for aconite:
/exports *
[root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
[root@celastrina ~]# mount | grep -i nfs4
aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
[root@celastrina ~]#
So as you can see everything is now working *without* Kerberos. However, if I change the /etc/exports file on aconite to
[root@aconite ~]# cat /etc/exports
/exports gss/krb5(rw,fsid=0)
[root@aconite ~]# exportfs
/exports gss/krb5
and then try to mount with the -o sec=krb5 on the client
is rpc.gssd running on the client? rpc.svc.gssd on the server?
[root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
mount.nfs4: Permission denied
and the entry in /var/log/messages on celastrina is
Jul 2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file '/etc/krb5.keytab'
Jul 2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain machine credentials for connection to server aconite.my.ad.name
nothing appears in the logs on aconite.
so you most likely do not have a keytab on the client.
Using Kerberos is not simple....
Louis
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
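An added example, not code from anyone in this thread: a small audit of the client keytab before trying `mount -o sec=krb5`. It parses the text MIT `klist -kte` prints (the listing below is a constructed sample for a client named celastrina, modelled on the aconite listing above), checks that the principal names the thread's listing shows (host/<fqdn>, nfs/<fqdn> and the AD machine account HOST$) are present, and lists the entries that are not DES-CBC, since the top post reports that removing all but the DES CBC entries on the client helps. The `ktutil` command sequence it emits to strip those entries is one approach assumed here, and it writes to a new file so the original keytab is kept.

```python
"""Audit a client keytab listing before attempting an NFSv4 sec=krb5 mount.

Added example, not from the CentOS thread. Parses `klist -kte` output,
checks for the principals the thread's keytab listing shows, and flags
non-DES entries (the top post suggests keeping only DES CBC on the client).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a client keytab populated by
# `net -U administrator ads keytab add nfs`, with AD's default enctypes
# (ArcFour here) still present alongside the DES entries.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/02/10 11:21:57 host/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 07/02/10 11:21:57 host/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
   3 07/02/10 11:21:57 CELASTRINA$@MY.AD.NAME (DES cbc mode with CRC-32)
   3 07/02/10 11:21:57 CELASTRINA$@MY.AD.NAME (ArcFour with HMAC/md5)
   3 07/02/10 11:21:57 nfs/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 07/02/10 11:21:57 nfs/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
"""

# One `klist -kte` entry line: <kvno> <date> <time> <principal> (<enctype>)
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str

    def is_des_cbc(self) -> bool:
        # MIT prints DES keys as "DES cbc mode with CRC-32", "... with RSA-MD5", etc.
        return self.enctype.lower().startswith("des cbc")


def parse_klist(text: str) -> list[KeytabEntry]:
    """Return keytab entries in file order; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def expected_principals(fqdn: str, realm: str) -> list[str]:
    """Principal names mirroring what the thread's `klist -k` listing shows per host."""
    short = fqdn.split(".")[0].upper()
    return [f"host/{fqdn}@{realm}", f"nfs/{fqdn}@{realm}", f"{short}$@{realm}"]


def audit_keytab(text: str, fqdn: str, realm: str) -> dict:
    """Summarise which expected principals exist and which entries are not DES-CBC."""
    entries = parse_klist(text)
    present = {e.principal for e in entries}
    wanted = expected_principals(fqdn, realm)
    non_des = [(e.principal, e.enctype) for e in entries if not e.is_des_cbc()]
    return {
        "entries": len(entries),
        "found": [p for p in wanted if p in present],
        "missing": [p for p in wanted if p not in present],
        "non_des": non_des,
        "des_only": bool(entries) and not non_des,
    }


def ktutil_delete_script(text: str, keytab: str) -> list[str]:
    """ktutil commands that drop every non-DES entry into a new keytab file.

    ktutil numbers slots 1..N in read order, the same order klist prints, and
    renumbers after each delent, so deletions are emitted highest slot first.
    """
    entries = parse_klist(text)
    slots = [i for i, e in enumerate(entries, start=1) if not e.is_des_cbc()]
    cmds = [f"rkt {keytab}"]
    cmds += [f"delent {slot}" for slot in sorted(slots, reverse=True)]
    cmds += [f"wkt {keytab}.des-only", "quit"]
    return cmds


if __name__ == "__main__":
    result = audit_keytab(SAMPLE_KLIST, "celastrina.my.ad.name", "MY.AD.NAME")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n".join(ktutil_delete_script(SAMPLE_KLIST, "/etc/krb5.keytab")))
```

Run it against real output with `klist -kte | python3 audit_keytab.py` style plumbing by replacing `SAMPLE_KLIST` with `sys.stdin.read()`; the `missing` list is the first thing to look at when rpc.gssd logs "Failed to obtain machine credentials", and `non_des` is what the top post says to remove. Inspect the generated `ktutil` commands before feeding them to `ktutil`, then point `rpc.gssd` at the `.des-only` file only once `klist -kte` on it shows what you expect.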