Rob Kampen wrote:
> On 07/19/2011 04:43 PM, Olaf Mueller wrote:
>> Rob Kampen wrote:
>>
>> Hello,
>>
>> nfs4 with kerberos works fine here on CentOS 5.6.
>>
>>> change exports to
>>> [...]gss/krb([...]
>>> [...]gss/krb([...]
>> My /etc/exports says '... gss/krb5(...'.
> Got this already
>> And 'SECURE_NFS="yes"' is set in /etc/sysconfig/nfs.
> This too is set
>> All needed services are running?
>> - rpcsvcgssd (server)
>> - rpcidmapd (server)
>> - rpcgssd (client)
> Yes all running
>> A very good instruction, in my opinion, to get it running is
>> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.
>>
> This was one of the ones I used - will start from the beginning again.
> Thanks for comments
>>
>> regards
>> Olaf

I have put the nfs4 with Kerberos on hold as it seems there may be a problem with the basic kerberos install.
I have chased many dozens of references (most seem at least 4 years old) and worked step-by-step through their examples only to find problems.
I have a master KDC set up on an older i386 box (up to date 5.6) that also runs centos-directory-server (not yet functioning) and also runs as my DNS master (not internet accessible).
It appears to be running as advertised.
So before I go live, all the docs recommend having at least one slave per lan segment, so I thought that should be easy.

I followed
http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html
and also
http://www.linuxtopia.org/online_books/linux_system_administration/kerberos_guides/kerberos-5.15_installation_guide/Set-Up-the-Slave-KDCs-for-Database-Propagation.html#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation
and find I cannot get past this error:

/usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting initial ticket

the kdc log shows the principal I'm missing, and sure enough

>kvno host/www.nealdevelopment.com
host/www.nealdevelopment.com at NDGONLINE.NET: kvno = 5

yet

> sudo klist -k /etc/krb5.keytab |grep www
   3 host/www.nealdevelopment.com at NDGONLINE.NET
   3 host/www.nealdevelopment.com at NDGONLINE.NET
   3 host/www.nealdevelopment.com at NDGONLINE.NET
   3 host/www.nealdevelopment.com at NDGONLINE.NET
   4 host/www.nealdevelopment.com at NDGONLINE.NET
   4 host/www.nealdevelopment.com at NDGONLINE.NET
   4 host/www.nealdevelopment.com at NDGONLINE.NET
   4 host/www.nealdevelopment.com at NDGONLINE.NET
   6 host/www.nealdevelopment.com at NDGONLINE.NET
   6 host/www.nealdevelopment.com at NDGONLINE.NET
   6 host/www.nealdevelopment.com at NDGONLINE.NET
   6 host/www.nealdevelopment.com at NDGONLINE.NET

sure enough the version numbers do not match, so I do another kadmin ktadd to add the appropriate ticket to the keytab, only to find it bumps the version number.

What on earth am I missing!!! I just cannot seem to get the numbers to match!!
As you can see my patience is all gone - I'm obviously missing something basic.
BTW, I have tried both copying and generating local keytabs - neither solves the problem - documentation varies and some say only do it this way and others say another - in my case none work.
There is thus some magic foo I am not able to discern.
All help appreciated.
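An added example, not part of the original thread: a small shell check for the mismatch described in the message above, comparing the kvno the KDC reports for a principal with the key versions stored in a keytab. The principal, realm and sample outputs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `kvno <principal>` output (placeholder names).
SAMPLE_KVNO='host/www.example.com@EXAMPLE.NET: kvno = 5'

# Constructed sample of plain `klist -k <keytab>` output (no -e/-t columns);
# a keytab holds one line per encryption type, so kvnos repeat.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/www.example.com@EXAMPLE.NET
   3 host/www.example.com@EXAMPLE.NET
   4 host/www.example.com@EXAMPLE.NET
   6 host/www.example.com@EXAMPLE.NET
   2 nfs/www.example.com@EXAMPLE.NET'

# kdc_kvno KVNO_TEXT: pull N out of "principal: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# keytab_kvnos PRINCIPAL KLIST_TEXT: distinct kvnos stored for PRINCIPAL,
# ascending and space separated; header lines and other principals are skipped.
keytab_kvnos() {
    out=$(printf '%s\n' "$2" |
        awk -v p="$1" '$2 == p && $1 ~ /^[0-9]+$/ { print $1 }' |
        sort -n -u | tr '\n' ' ')
    printf '%s\n' "${out% }"
}

# compare_kvno PRINCIPAL KVNO_TEXT KLIST_TEXT
# Prints MATCH, MISMATCH, MISSING or UNPARSED; returns 0 only on MATCH.
compare_kvno() {
    want=$(kdc_kvno "$2")
    have=$(keytab_kvnos "$1" "$3")
    if [ -z "$want" ]; then echo "UNPARSED"; return 2; fi
    if [ -z "$have" ]; then echo "MISSING kdc=$want"; return 1; fi
    for v in $have; do
        if [ "$v" -eq "$want" ]; then
            echo "MATCH kdc=$want keytab=$have"
            return 0
        fi
    done
    echo "MISMATCH kdc=$want keytab=$have"
    return 1
}

# Demo on the constructed samples. Against a live system the inputs would be
# "$(kvno "$p")" and "$(klist -k /etc/krb5.keytab)" (the keytab is root-readable).
compare_kvno 'host/www.example.com@EXAMPLE.NET' "$SAMPLE_KVNO" "$SAMPLE_KLIST" || true
```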