On Fri, 2 Jul 2010, Louis Lagendijk wrote:
On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
Hi All,
To support NFSv4 with Kerberos security, we also need to generate a service principal for NFS:
[root@aconite ~]# net -U administrator ads keytab add nfs
which then looks like this
[root@aconite ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
Did you create the keytab on the CLIENT also?
Do you mean did I run the net ads keytab add nfs on the client? If so the answer is yes. I've even tried mounting the NFS export directly from the NFS server.
Is rpc.gssd running on the client? rpc.svc.gssd on the server?
Yes and Yes.
So you most likely do not have a keytab on the client.
I do but I'm not sure it is correct. If you are doing it can you please provide me some sample output to compare your server/client keytabs to mine?
Using kerberos is not simple....
I'm getting that picture. :)
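
One way to do the server/client keytab comparison asked about in this thread, as an added example that is not part of the original messages: a shell function that reads plain `klist -k` output and reports whether the service principal is present and under which key version. The function name, the return codes and the client host `client1` are assumptions made for illustration; both sample listings are constructed.

```shell
#!/bin/sh
# check_keytab SERVICE FQDN REALM   (reads plain `klist -k` output on stdin)
# Returns 0 if SERVICE/FQDN@REALM is present under one KVNO,
#         1 if it is missing, 2 if it appears under several KVNOs.
check_keytab() {
    awk -v want="$1/$2@$3" '
        # Data rows are "<KVNO> <principal>"; header lines do not start with a number.
        $1 ~ /^[0-9]+$/ && $2 == want { kvno[$1] = 1; entries++ }
        END {
            for (k in kvno) { n++; last = k }
            if (entries == 0) { print "MISSING " want; exit 1 }
            if (n > 1) { print "MIXED-KVNO " want; exit 2 }
            print "OK " want " kvno=" last " entries=" entries
        }'
}

# Constructed sample: abridged from the server listing shown in the thread.
sample_server() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME
EOF
}

# Constructed sample: hypothetical client "client1", joined but with no nfs/ entry.
sample_client() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/client1.my.ad.name@MY.AD.NAME
   2 host/client1@MY.AD.NAME
   2 CLIENT1$@MY.AD.NAME
EOF
}

sample_server | check_keytab nfs aconite.my.ad.name MY.AD.NAME
sample_client | check_keytab nfs client1.my.ad.name MY.AD.NAME || true
```

On a real host the input would come from `klist -k /etc/krb5.keytab`, run as root on the server and on the client in turn.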