[CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4
John Jasen
jjasen at realityfailure.org
Sat Jul 3 00:50:06 UTC 2010
Please forgive joining the broadcast already in progress, and for top posting. However, I have found that removing all but the DES CBC keytab entries on the client helps. With Windows 2003, you may also have to set the default encryption type for the kerberos account to DES, and use ADSIEDIT.msc to change the UserPrincipalName to nfs/hostname.fqdn.

For what it's worth, "net", part of the Samba client package, populates the keytabs accordingly.

For advanced debugging, the rpc.*gssd services can be configured to run very verbosely, by adding multiple -v arguments on start.

Louis Lagendijk wrote:
> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
>
>> To support NFSv4 with Kerberos security, we also need to generate service
>> principal for NFS:
>>
>> [root@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    3 host/aconite.my.ad.name@MY.AD.NAME
>>    3 host/aconite.my.ad.name@MY.AD.NAME
>>    3 host/aconite.my.ad.name@MY.AD.NAME
>>    3 host/aconite@MY.AD.NAME
>>    3 host/aconite@MY.AD.NAME
>>    3 host/aconite@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 ACONITE$@MY.AD.NAME
>>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>>    3 nfs/aconite.my.ad.name@MY.AD.NAME
>>    3 nfs/aconite@MY.AD.NAME
>>    3 nfs/aconite@MY.AD.NAME
>>    3 nfs/aconite@MY.AD.NAME
>>
> did you create the keytab on the CLIENT also?
>
>> Test on the client
>>
>> [root@celastrina ~]# showmount -e aconite
>> Export list for aconite:
>> /exports *
>> [root@celastrina ~]# mount -t nfs4 aconite:/ /mnt
>> [root@celastrina ~]# mount |grep -i nfs4
>> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
>> [root@celastrina ~]#
>>
>> So as you can see everything is now working *without* Kerberos. However,
>> if I change the /etc/exports file on aconite to
>>
>> [root@aconite ~]# cat /etc/exports
>> /exports gss/krb5(rw,fsid=0)
>> [root@aconite ~]# exportfs
>> /exports gss/krb5
>>
>>
>> and then try to mount with the -o sec=krb5 on the client
>>
> is rpc.gssd running on the client?
> rpc.svc.gssd on the server?
>
>> [root@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
>> mount.nfs4: Permission denied
>>
>> and the entry in /var/log/messages on celastrina is
>>
>> Jul 2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file
>> '/etc/krb5.keytab'
>> Jul 2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain
>> machine credentials for connection to server aconite.my.ad.name
>>
>> nothing appears in the logs on aconite.
>>
> so you most likely do not have a keytab on the client.
>
> Using kerberos is not simple....
>
> Louis

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
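The diagnosis in this thread turns on two things the client's keytab must get right before rpc.gssd can obtain machine credentials: an nfs/<fqdn>@REALM entry must exist at all, and its encryption types must be ones both sides actually use. The script below is an added example, not code from the thread, from Samba or from MIT Kerberos. It parses text in the shape of `klist -k -e` output (a constructed sample for a hypothetical client celastrina.my.ad.name is embedded; hostnames and realm are assumptions), reports whether the nfs principal is present, whether only weak enctypes (single DES, 3DES, RC4) remain, and whether entries disagree on KVNO, which is another common cause of the "Failed to obtain machine credentials" message. Note that MIT Kerberos 1.18 and later have removed single-DES support entirely, so the DES-only workaround described above only applies to the 2010-era stack; on a current client the expectation is an AES key present in both AD and the keytab.

```python
#!/usr/bin/env python3
"""Check a client keytab listing for a usable NFS service principal.

Added example for the CentOS thread on NFSv4 + Kerberos; not from the
original post. Reads `klist -k -e` style text from a file given as the
first argument, or falls back to the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `klist -k -e` output (old-style long
# enctype names). Hostnames and realm are hypothetical.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 host/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
   3 CELASTRINA$@MY.AD.NAME (DES cbc mode with CRC-32)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (DES cbc mode with CRC-32)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (ArcFour with HMAC/md5)
   3 nfs/celastrina.my.ad.name@MY.AD.NAME (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab line: "<kvno> <principal> [(<enctype description>)]".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")

# Substrings identifying enctypes that are deprecated or removed in current
# Kerberos releases. Covers both the long descriptive names ("DES cbc mode
# with CRC-32", "ArcFour with HMAC/md5") and the short names ("des-cbc-crc",
# "arcfour-hmac"). "des cbc" deliberately also catches Triple DES.
WEAK_ENCTYPE_MARKERS = ("des cbc", "des-cbc", "arcfour", "rc4")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str  # empty when klist was run without -e


def parse_klist(text):
    """Turn klist -k [-e] output into a list of KeytabEntry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Keytab name:", "KVNO", "----")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3) or ""))
    return entries


def is_weak(enctype):
    """True if the enctype description names a deprecated/removed cipher."""
    lowered = enctype.lower()
    return any(marker in lowered for marker in WEAK_ENCTYPE_MARKERS)


def check_client_keytab(text, fqdn, realm):
    """Return findings for the nfs/<fqdn>@<realm> principal in a keytab listing."""
    wanted = f"nfs/{fqdn}@{realm}"
    nfs = [e for e in parse_klist(text) if e.principal == wanted]
    kvnos = {e.kvno for e in nfs}
    return {
        "principal": wanted,
        "has_nfs_principal": bool(nfs),
        "nfs_enctypes": sorted(e.enctype for e in nfs),
        # All keys are weak: a current KDC/client will refuse them outright.
        "weak_only": bool(nfs) and all(is_weak(e.enctype) for e in nfs),
        "has_strong": any(not is_weak(e.enctype) for e in nfs),
        # Same principal at several KVNOs usually means a stale key survived
        # a re-join; the KDC's KVNO must match one of them.
        "multiple_kvno": len(kvnos) > 1,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KLIST
    host = sys.argv[2] if len(sys.argv) > 2 else "celastrina.my.ad.name"
    realm = sys.argv[3] if len(sys.argv) > 3 else "MY.AD.NAME"
    for key, value in check_client_keytab(text, host, realm).items():
        print(f"{key:18} {value}")
```

Run it against the real listing with `klist -k -e > /tmp/kt.txt && python3 keytab_check.py /tmp/kt.txt "$(hostname -f)" MY.AD.NAME` (keytab_check.py being whatever you name the file). A result of `has_nfs_principal False` reproduces Louis's diagnosis in the thread; `weak_only True` is the case where the 2003-era DES-only trimming was applied and the client has since been upgraded to a Kerberos library that no longer loads those keys.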