[CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4

Fri Jul 2 22:36:06 UTC 2010
James A. Peltier <jpeltier at fas.sfu.ca>

On Fri, 2 Jul 2010, Louis Lagendijk wrote:

> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
>
>> To support NFSv4 with Kerberos security, we also need to generate a service
>> principal for NFS:
>>
>> [root@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [root@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite.my.ad.name@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 host/aconite@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 ACONITE$@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite.my.ad.name@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>     3 nfs/aconite@MY.AD.NAME
>>
> did you create the keytab on the CLIENT also?

Do you mean did I run the net ads keytab add nfs on the client?  If so, the 
answer is yes.  I've even tried mounting the NFS export directly from the 
NFS server.

> is rpc.gssd running on the client?
> rpc.svc.gssd on the server?

Yes and Yes.

> so you most likely do not have a keytab on the client.

I do, but I'm not sure it is correct.  If you are doing it, can you please 
provide me some sample output to compare your server/client keytabs to 
mine?

> Using kerberos is not simple....

I'm getting that picture. :)

-- 
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
           http://blogs.sfu.ca/people/jpeltier
MSN     : subatomic_spam at hotmail.com

TEAMWORK
  There's power in numbers.  Learn to work together.
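The comparison James asks for (does the client keytab actually hold the host/ and nfs/ principals for its own FQDN?) can be scripted against the text of `klist -k`. This is an added example, not code from the thread; it assumes the FQDN `aconite.my.ad.name` and realm `MY.AD.NAME` from the posted listing, and the sample listings below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a keytab listing (the text
# of `klist -k`) holds the principals an NFSv4-over-krb5 client or server
# needs. Arguments: listing text, host FQDN, realm.
# Exit status 0 only when both host/FQDN and nfs/FQDN are present.
check_nfs_keytab() {
    listing=$1; fqdn=$2; realm=$3
    rc=0
    for svc in host nfs; do
        princ="$svc/$fqdn@$realm"
        # klist -k prints "KVNO Principal"; compare field 2 exactly.
        if ! printf '%s\n' "$listing" | awk -v p="$princ" '$2==p {f=1} END {exit !f}'; then
            echo "missing: $princ"; rc=1
        fi
    done
    # Several KVNOs for nfs/FQDN is not an error (old keys may be kept), but
    # the newest must match the account in AD; worth a look with `kvno`.
    nk=$(printf '%s\n' "$listing" | awk -v p="nfs/$fqdn@$realm" '$2==p {print $1}' \
         | sort -u | awk 'END {print NR}')
    [ "$nk" -gt 1 ] && echo "note: nfs/$fqdn@$realm has $nk KVNOs in the keytab"
    return $rc
}

# Constructed samples, modelled on the listing in the thread.
SAMPLE_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 host/aconite@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite@MY.AD.NAME'
# A client where "net ads keytab add nfs" was never run.
SAMPLE_NO_NFS='KVNO Principal
   3 host/aconite.my.ad.name@MY.AD.NAME
   3 ACONITE$@MY.AD.NAME'
# A keytab that still carries an older nfs key next to the current one.
SAMPLE_STALE='KVNO Principal
   3 host/aconite.my.ad.name@MY.AD.NAME
   2 nfs/aconite.my.ad.name@MY.AD.NAME
   3 nfs/aconite.my.ad.name@MY.AD.NAME'

# On a real host: check_nfs_keytab "$(klist -k)" "$(hostname -f)" MY.AD.NAME
check_nfs_keytab "$SAMPLE_OK" aconite.my.ad.name MY.AD.NAME && echo "sample OK"
```

Run it on both the server and the client; the side that reports `missing: nfs/...` is the one whose keytab still needs the `net ads keytab add nfs` step.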