[CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4
Louis Lagendijk
louis at lagendijk.xs4all.nl
Fri Jul 2 20:50:08 UTC 2010
On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
> Hi All,
> To support NFSv4 with Kerberos security, we also need to generate service
> principal for NFS:
>
> [root@aconite ~]# net -U administrator ads keytab add nfs
>
> which then looks like this
>
> [root@aconite ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite.my.ad.name@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 host/aconite@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 ACONITE$@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME
>    3 nfs/aconite@MY.AD.NAME

did you create the keytab on the CLIENT also?

> Test on the client
>
> [root@celastrina ~]# showmount -e aconite
> Export list for aconite:
> /exports *
> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
> [root@celastrina ~]# mount |grep -i nfs4
> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
> [root@celastrina ~]#
>
> So as you can see everything is now working *without* Kerberos. However,
> if I change the /etc/exports file on aconite to
>
> [root@aconite ~]# cat /etc/exports
> /exports gss/krb5(rw,fsid=0)
> [root@aconite ~]# exportfs
> /exports gss/krb5
>
> and then try to mount with the -o sec=krb5 on the client

is rpc.gssd running on the client? rpc.svc.gssd on the server?

> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
> mount.nfs4: Permission denied
>
> and the entry in /var/log/messages on celastrina is
>
> Jul 2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file
> '/etc/krb5.keytab'
> Jul 2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain
> machine credentials for connection to server aconite.my.ad.name
>
> nothing appears in the logs on aconite.

so you most likely do not have a keytab on the client. Using kerberos is not simple....

Louis
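The two checks Louis asks for above (does the client keytab hold a principal rpc.gssd can use, and is rpc.gssd running) as a small preflight script. This is an added example, not code from the thread; the client name, realm and the two keytab listings are constructed to match the hosts in the thread, and the principal order (nfs/, root/, host/) follows what rpc.gssd searches for by default.

```shell
#!/bin/sh
# Added example: preflight check for an NFSv4 "sec=krb5" client.
# rpc.gssd needs a keytab principal of the form nfs/FQDN@REALM,
# root/FQDN@REALM or host/FQDN@REALM to obtain machine credentials;
# without one, the mount fails with "Permission denied" and the
# "Failed to obtain machine credentials" warning seen in the thread.

# keytab_principals: read "klist -k" output on stdin, print distinct principals.
# Table rows are "<KVNO> <principal>"; header lines are skipped by the numeric test.
keytab_principals() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_nfs_principal FQDN REALM  (klist -k output on stdin)
# Exit 0 when a usable nfs/, root/ or host/ principal for FQDN exists.
keytab_has_nfs_principal() {
    fqdn=$1; realm=$2
    keytab_principals | grep -qxF -e "nfs/$fqdn@$realm" \
                                  -e "root/$fqdn@$realm" \
                                  -e "host/$fqdn@$realm"
}

# gssd_running: read a process-name list on stdin (e.g. from "ps -eo comm=").
gssd_running() {
    grep -qx rpc.gssd
}

# Constructed sample: a client keytab joined with "net ads join" plus "net ads keytab add nfs".
SAMPLE_GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/celastrina.my.ad.name@MY.AD.NAME
   3 nfs/celastrina.my.ad.name@MY.AD.NAME
   3 CELASTRINA$@MY.AD.NAME'

# Constructed sample: only the machine account, no service principal for the FQDN.
SAMPLE_BARE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CELASTRINA$@MY.AD.NAME'

# Usage on a real client (hypothetical hostname/realm):
#   klist -k | keytab_has_nfs_principal "$(hostname -f)" MY.AD.NAME || echo "no usable principal"
#   ps -eo comm= | gssd_running || echo "rpc.gssd is not running"
```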