[CentOS] Config for NFSv4 and Kerberos on CentOS 5.1

Fri May 30 06:54:48 UTC 2008
Sebastian Marten <sebi4711 at gmail.com>

Hi,

Barry Brimer wrote:
> Quoting Sebastian Marten <sebi4711 at gmail.com>:
> 
>> Hi list,
>> Is it possible to set up an NFSv4/Kerberos environment on CentOS 5.1?
>> I set up Kerberos and NFS but get several errors
>>
>> "Warning: rpc.gssd appears not to be running.
>> mount.nfs4: Permission denied"
>>
>> Is this a CentOS or a config problem?
> 
> Yes.
> 
> Are you running all of the gss services?
> Is portmap running?
> Did you uncomment the SECURE_NFS="yes" in /etc/sysconfig/nfs?
> Was your kerberos principal created with:
> "addprinc -randkey -e des-cbc-md5:normal nfs/server.domain.com"
> Was your keytab entry created with:
> "ktadd -e des-cbc-md5:normal nfs/server.domain.com"
> Do you have gss/krb5p just before the nfs options in parentheses?
> 

I've done all this and added princs for the host (tested with ds and
ds.example.lan).

I get this error:
ds rpc.svcgssd[4686]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name
ds rpc.svcgssd[4686]: Unable to obtain credentials for 'nfs'
ds rpc.svcgssd[4686]: unable to obtain root (machine) credentials
ds rpc.svcgssd[4686]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

But kadmin.local listprincs returns:

K/M@EXAMPLE.COM
host/ds.example.lan@EXAMPLE.COM
host/ds@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/localhost.localdomain@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nfs/ds.example.lan@EXAMPLE.COM
nfs/ds@EXAMPLE.COM
root/admin@EXAMPLE.COM
root@EXAMPLE.COM

The hostname is ds.example.lan

/etc/krb5.conf points to the right server.

kinit and klist work:

kinit
Password for root@EXAMPLE.COM:
[root@ds ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@EXAMPLE.COM

Valid starting     Expires            Service principal
05/30/08 08:52:48  05/31/08 08:52:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Where is my problem?


> Hope this helps.
> 
> Barry
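
Added example, not part of the original post: the rpc.svcgssd message above asks about entries in /etc/krb5.keytab, which `klist -k` lists, whereas kadmin.local listprincs lists the KDC database. This sketch classifies the nfs entries in a `klist -k` listing; the helper name classify_nfs_keytab and the sample listings are constructed for illustration, and it assumes plain `klist -k` output (KVNO column, then principal).

```shell
#!/bin/sh
# Added example: classify nfs service entries in `klist -k` output.
# stdin = listing, $1 = server FQDN, $2 = realm.
# Prints: ok | wrong-realm | short-name-only | missing
# classify_nfs_keytab is a hypothetical helper name.
classify_nfs_keytab() {
    fqdn=$1
    realm=$2
    awk -v want="nfs/$fqdn@$realm" \
        -v shortname="nfs/${fqdn%%.*}@$realm" \
        -v prefix="nfs/$fqdn@" '
        # Entry lines begin with a numeric KVNO; header lines are skipped.
        $1 ~ /^[0-9]+$/ {
            if ($2 == want)                  exact = 1
            else if (index($2, prefix) == 1) otherrealm = 1
            else if ($2 == shortname)        shortonly = 1
        }
        END {
            if (exact)           print "ok"
            else if (otherrealm) print "wrong-realm"
            else if (shortonly)  print "short-name-only"
            else                 print "missing"
        }'
}

# Constructed sample listings (not from the poster's machine).
sample_full='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/ds.example.lan@EXAMPLE.COM
   3 nfs/ds.example.lan@EXAMPLE.COM'

sample_host_only='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/ds.example.lan@EXAMPLE.COM'

sample_short='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 nfs/ds@EXAMPLE.COM'

for s in "$sample_full" "$sample_host_only" "$sample_short"; do
    printf '%s\n' "$s" | classify_nfs_keytab ds.example.lan EXAMPLE.COM
done

# Against a real keytab (run as root):
#   klist -k /etc/krb5.keytab | classify_nfs_keytab "$(hostname -f)" EXAMPLE.COM
```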



