I have been trying all sorts of things to get this working. nfsv4 works fine if I just use the nfs-v3 form of export, i.e.

/nfs4exports 192.168.230.237/24(ro,fsid=0,sync,insecure,no_root_squash,no_subtree_check,squash_uids=0-99)
/nfs4exports/NDG 192.168.230.237/24(rw,insecure,no_subtree_check,nohide,sync,no_root_squash,squash_uids=0-99)

but this is inherently open to all on this machine.
So then, using this recipe http://www.techrepublic.com/blog/opensource/kerberos-authentication-with-nfs... and many others that hours of google foo show, change exports to

/nfs4exports gss/krb5(ro,fsid=0,sync,insecure,no_root_squash,no_subtree_check,squash_uids=0-99)
/nfs4exports/NDG gss/krb5(rw,insecure,no_subtree_check,nohide,sync,no_root_squash,squash_uids=0-99)
now from the client I can see

[rkampen@timsws ~]$ showmount -e example.com
Export list for example.com:
/nfs4exports gss/krb5
/nfs4exports/NDG gss/krb5

but

[rkampen@timsws /]$ sudo mount -t nfs4 -o sec=krb5 ndgonline.net:/ /NDG/
mount.nfs4: access denied by server while mounting ndgonline.net:/

and

[rkampen@timsws /]$ sudo mount -t nfs4 -o sec=krb5 ndgonline.net:/NDG /NDG/
mount.nfs4: access denied by server while mounting ndgonline.net:/NDG
And I cannot find any log entries relating to the kerberos KDC or on the nfs server - two different machines. I have set up all the principals in the KDC and used kadmin/ktadd to load into the client and the server /etc/krb5.keytab as per the above url. How and where do I get logging to occur so I can find out the missing piece in my kerberos setup? Any help or directions appreciated. TIA
Rob Kampen wrote:
Hello,
nfs4 with kerberos works fine here on CentOS 5.6.
change exports to [...]gss/krb([...] [...]gss/krb([...]
My /etc/exports says '... gss/krb5(...'. And 'SECURE_NFS="yes"' is set in /etc/sysconfig/nfs.
All needed services are running?
- rpcsvcgssd (server)
- rpcidmapd (server)
- rpcgssd (client)
A very good instruction, in my opinion, to get it running is http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-i....
regards Olaf
On 07/19/2011 04:43 PM, Olaf Mueller wrote:
Rob Kampen wrote:
Hello,
nfs4 with kerberos works fine here on CentOS 5.6.
change exports to [...]gss/krb([...] [...]gss/krb([...]
My /etc/exports says '... gss/krb5(...'.
Got this already
And 'SECURE_NFS="yes"' is set in /etc/sysconfig/nfs.
This too is set
All needed services are running?
- rpcsvcgssd (server)
- rpcidmapd (server)
- rpcgssd (client)
Yes all running
A very good instruction, in my opinion, to get it running is http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-i....
This was one of the ones I used - will start from the beginning again. Thanks for comments
regards Olaf
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Rob Kampen wrote:
I have put the nfs4 with Kerberos on hold as it seems there may be a problem with the basic kerberos install. I have chased many dozens of references (most seem at least 4 years old) and worked step-by-step through their examples only to find problems. I have a master KDC set up on an older i386 box (up to date 5.6) that also runs centos-directory-server (not yet functioning) and also runs as my DNS master (not internet accessible). It appears to be running as advertised. So before I go live, all the docs recommend having at least one slave per lan segment, so I thought that should be easy. I followed http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html and also http://www.linuxtopia.org/online_books/linux_system_administration/kerberos_... and find I cannot get past this error:

/usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting initial ticket

The kdc log shows the principal I'm missing, and sure enough

kvno host/www.nealdevelopment.com
host/www.nealdevelopment.com@NDGONLINE.NET: kvno = 5

yet

sudo klist -k /etc/krb5.keytab |grep www
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   4 host/www.nealdevelopment.com@NDGONLINE.NET
   4 host/www.nealdevelopment.com@NDGONLINE.NET
   4 host/www.nealdevelopment.com@NDGONLINE.NET
   4 host/www.nealdevelopment.com@NDGONLINE.NET
   6 host/www.nealdevelopment.com@NDGONLINE.NET
   6 host/www.nealdevelopment.com@NDGONLINE.NET
   6 host/www.nealdevelopment.com@NDGONLINE.NET
   6 host/www.nealdevelopment.com@NDGONLINE.NET

Sure enough the version numbers do not match, so I do another kadmin ktadd to add the appropriate ticket to the keytab, only to find it bumps the version number. What on earth am I missing!!! I just cannot seem to get the numbers to match!! As you can see my patience is all gone - I'm obviously missing something basic. BTW, I have tried both copying and generating local keytabs - neither solves the problem - documentation varies and some say only do it this way and others say another - in my case none work. There is thus some magic foo I am not able to discern. All help appreciated.
On Mon, 2011-07-25 at 12:58 -0400, Rob Kampen wrote:
I have put the nfs4 with Kerberos on hold as it seems there may be a problem with the basic kerberos install.
Probably an issue with your keytab. The link above contains some hints:
1) you need to add an nfs (not host!) principal and
2) use ktadd -e des-cbc-crc:normal
Add only the des-cbc-crc:normal key, not one of the others (at least in the past; I have not checked later kernels like the one in CentOS 6 to see if this still applies). In order to allow the des key to work you need the following in /etc/krb5.conf (in the libdefaults section):

allow_weak_crypto = true

With these settings nfs mounting works for me, but see my comments below first, before you try to mount a nfs file system.
/usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting initial ticket
With the keytab you showed, first try a kinit for a user. Does that succeed? What does a klist show after this? This way you can check the ticket generation. Only when that succeeds, try the nfs mount.
Louis
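As an added check (not part of the thread, and not anyone's code from it), here is a small POSIX shell script that does what Rob did by hand above: it parses the listing from klist -k and the line from kvno, and reports whether the keytab holds the key version the KDC currently issues for a principal. The klist and kvno output are constructed samples modelled on the ones in the thread; the nfs/ principal in the listing is an assumed addition following Louis's advice.

```shell
#!/bin/sh
# Added example, not from the thread: compare the key versions a keytab holds
# for a principal with the kvno the KDC currently issues for it. A keytab
# without the KDC's current kvno cannot decrypt what the KDC sends, which
# surfaces as "Decrypt integrity check failed".

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT format,
# one line per key/enctype). The nfs/ principal is an assumed addition.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   3 host/www.nealdevelopment.com@NDGONLINE.NET
   4 host/www.nealdevelopment.com@NDGONLINE.NET
   6 host/www.nealdevelopment.com@NDGONLINE.NET
   2 nfs/www.nealdevelopment.com@NDGONLINE.NET'

# Constructed sample of `kvno host/www.nealdevelopment.com` output.
KVNO_OUTPUT='host/www.nealdevelopment.com@NDGONLINE.NET: kvno = 5'

# keytab_kvnos LISTING PRINCIPAL: distinct kvnos the keytab holds for
# PRINCIPAL, ascending, space separated.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' \
        | sort -n -u | paste -s -d ' ' -
}

# kdc_kvno KVNO_OUTPUT: the version number in a "principal: kvno = N" line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno LISTING KVNO_OUTPUT PRINCIPAL: prints "ok" when the keytab holds
# the KDC's current kvno for PRINCIPAL, otherwise a "mismatch" line listing
# what each side has. Always returns 0 so it is safe under set -e.
check_kvno() {
    want=$(kdc_kvno "$2")
    have=$(keytab_kvnos "$1" "$3")
    for v in $have; do
        if [ "$v" = "$want" ]; then
            echo ok
            return 0
        fi
    done
    echo "mismatch (KDC kvno $want, keytab kvnos: ${have:-none})"
}

# On the constructed data the KDC issues kvno 5 but the keytab only holds
# 3, 4 and 6: the situation in the thread.
check_kvno "$KEYTAB_LISTING" "$KVNO_OUTPUT" host/www.nealdevelopment.com@NDGONLINE.NET
```

Every kadmin ktadd generates a fresh random key and increments the kvno on the KDC, so a keytab extracted before it, on this host or another, stops matching; extract the principal once and copy that keytab to every host that needs it rather than running ktadd per host.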