[CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4

Louis Lagendijk louis at lagendijk.xs4all.nl
Fri Jul 2 20:50:08 UTC 2010


On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
> Hi All,

> To support NFSv4 with Kerberos security, we also need to generate service 
> principal for NFS:
> 
> [root at aconite ~]# net -U administrator ads keytab add nfs
> 
> which then looks like this
> 
> [root at aconite ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     3 host/aconite.my.ad.name at MY.AD.NAME
>     3 host/aconite.my.ad.name at MY.AD.NAME
>     3 host/aconite.my.ad.name at MY.AD.NAME
>     3 host/aconite at MY.AD.NAME
>     3 host/aconite at MY.AD.NAME
>     3 host/aconite at MY.AD.NAME
>     3 ACONITE$@MY.AD.NAME
>     3 ACONITE$@MY.AD.NAME
>     3 ACONITE$@MY.AD.NAME
>     3 nfs/aconite.my.ad.name at MY.AD.NAME
>     3 nfs/aconite.my.ad.name at MY.AD.NAME
>     3 nfs/aconite.my.ad.name at MY.AD.NAME
>     3 nfs/aconite at MY.AD.NAME
>     3 nfs/aconite at MY.AD.NAME
>     3 nfs/aconite at MY.AD.NAME
> 
Did you create the keytab on the CLIENT also?

> 
> Test on the client
> 
> [root at celastrina ~]# showmount -e aconite
> Export list for aconite:
> /exports *
> [root at celastrina ~]# mount -t nfs4 aconite:/ /mnt
> [root at celastrina ~]# mount |grep -i nfs4
> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
> [root at celastrina ~]#
> 
> So as you can see everything is now working *without* Kerberos.  However, 
> if I change the /etc/exports file on aconite to
> 
> [root at aconite ~]# cat /etc/exports
> /exports        gss/krb5(rw,fsid=0)
> [root at aconite ~]# exportfs
> /exports        gss/krb5
> 
> 
> and then try to mount with the -o sec=krb5 on the client
> 
Is rpc.gssd running on the client?
rpc.svc.gssd on the server?

> [root at celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
> mount.nfs4: Permission denied
> 
> and the entry in /var/log/messages on celastrina is
> 
> Jul  2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file 
> '/etc/krb5.keytab'
> Jul  2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain 
> machine credentials for connection to server aconite.my.ad.name
> 
> nothing appears in the logs on aconite.
> 
So you most likely do not have a keytab on the client.

Using Kerberos is not simple....

Louis
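A small diagnostic, added here and not from either poster, that checks the two things Louis asks about (a principal for the client in its keytab, and rpc.gssd running) from captured `klist -k` and `ps` output. The klist and ps text below are constructed samples, and the script assumes rpc.gssd will take machine credentials from either an nfs/ or a host/ principal.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks the two preconditions Louis
# asks about before a "sec=krb5" NFSv4 mount: a usable principal in the client
# keytab and a running rpc.gssd. Inputs are passed as text so it can run
# offline; on a live client feed it "$(klist -k)" and "$(ps -eo args)".

# Constructed klist -k output for a client joined to AD with net ads join,
# before "net ads keytab add nfs" has been run on it.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/celastrina.my.ad.name@MY.AD.NAME
   3 CELASTRINA$@MY.AD.NAME'

# Constructed process listing with no rpc.gssd.
SAMPLE_PS='COMMAND
/usr/sbin/rpc.idmapd
/usr/sbin/rpc.statd'

# keytab_has_principal <klist text> <service> <fqdn>
# Exit 0 if "<service>/<fqdn>@REALM" appears in the listing (3 header lines skipped).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2/$3@" '
        NR > 3 && index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# daemon_running <ps text> <name>
# Exit 0 if any field equals <name> or ends in "/<name>".
daemon_running() {
    printf '%s\n' "$1" | awk -v d="$2" '
        { for (i = 1; i <= NF; i++) if ($i == d || $i ~ ("/" d "$")) found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose_client <klist text> <ps text> <fqdn>
# Prints each failed precondition; exit status is the number of failures.
# Assumption: rpc.gssd can obtain machine credentials from an nfs/ or host/
# principal, so either one satisfies the keytab check.
diagnose_client() {
    failures=0
    if ! keytab_has_principal "$1" nfs "$3" && ! keytab_has_principal "$1" host "$3"; then
        echo "keytab has no nfs/$3 or host/$3 principal (net ads keytab add nfs)"
        failures=$((failures + 1))
    fi
    if ! daemon_running "$2" rpc.gssd; then
        echo "rpc.gssd is not running on the client"
        failures=$((failures + 1))
    fi
    return $failures
}
```

Run the same checks on the server side with rpc.svcgssd in place of rpc.gssd and the server's FQDN.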