Re: [Freeipa-users] IPA and NFSv4 with krb5 security
Which services actually need to be running for Kerberized NFS? On the server and client sides? What needs to be enabled?

When I go through the list in the RHEL 7 Domain Auth guide (p 271), I cannot get rpcsvcgssd.service to start. It doesn't give any errors when I send it a start command, but status always shows it as condition failed, and inactive (dead). I also cannot enable it, with the error "No such file or directory."

Is this deprecated/replaced with some other service for rpc gss server-side service?

On Thu, Jun 30, 2016 at 3:05 PM, Youenn PIOLET wrote:

> Hi,
>
> First questions (sorry if it's obvious):
> - Do you have a valid token on the client? (obtained with kinit)
> - Did you import the keytab for NFS service on the server?
> - Did you put "domain = yourdomain.tld" in your NFS server config file? On your client?
> - Depending on your (ipa? nfs?) version you may have to enable weak crypto (I saw this everywhere but never had to do it for a reason I still ignore)
>
> I'm far from being the most informed person on this list, but I think these may be the first things to check.
>
> Hope this helps,
> Regards
> --
> Youenn Piolet
> piole...@gmail.com
>
> 2016-06-30 21:47 GMT+02:00 Joanna Delaporte:
>
>> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm.
>>
>> My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RHEL 7 Storage and Domain Auth/Policy guides.
>>
>> In the exports file on the nfsserver, as long as I have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount. However, when I remove sys, I no longer am able to mount. I have root_squash set.
>>
>> Automount hangs when I restart it, while trying to mount the first NFS directory.
>>
>> If I try to mount on the command line, I get this:
>> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
>> mount.nfs4: access denied by server while mounting arcturus:/
>>
>> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed with mountstats).
>> I am not seeing anything related to the mount attempts on the nfsserver logs, but I'm not sure I am looking in the right logs.
>>
>> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd error or access logs.
>>
>> What am I missing?
>>
>> Thanks!
>> Joanna
>>
>> --
>> Joanna Delaporte
>> Linux Systems Administrator | Parkland College
>> joannadelapo...@gmail.com

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and NFSv4 with krb5 security
Hi,

First questions (sorry if it's obvious):
- Do you have a valid token on the client? (obtained with kinit)
- Did you import the keytab for NFS service on the server?
- Did you put "domain = yourdomain.tld" in your NFS server config file? On your client?
- Depending on your (ipa? nfs?) version you may have to enable weak crypto (I saw this everywhere but never had to do it for a reason I still ignore)

I'm far from being the most informed person on this list, but I think these may be the first things to check.

Hope this helps,
Regards
--
Youenn Piolet
piole...@gmail.com

2016-06-30 21:47 GMT+02:00 Joanna Delaporte:

> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm.
>
> My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RHEL 7 Storage and Domain Auth/Policy guides.
>
> In the exports file on the nfsserver, as long as I have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount. However, when I remove sys, I no longer am able to mount. I have root_squash set.
>
> Automount hangs when I restart it, while trying to mount the first NFS directory.
>
> If I try to mount on the command line, I get this:
> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
> mount.nfs4: access denied by server while mounting arcturus:/
>
> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed with mountstats).
> I am not seeing anything related to the mount attempts on the nfsserver logs, but I'm not sure I am looking in the right logs.
>
> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd error or access logs.
>
> What am I missing?
>
> Thanks!
> Joanna
>
> --
> Joanna Delaporte
> Linux Systems Administrator | Parkland College
> joannadelapo...@gmail.com
[Freeipa-users] IPA and NFSv4 with krb5 security
I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm.

My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RHEL 7 Storage and Domain Auth/Policy guides.

In the exports file on the nfsserver, as long as I have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount. However, when I remove sys, I no longer am able to mount. I have root_squash set.

Automount hangs when I restart it, while trying to mount the first NFS directory.

If I try to mount on the command line, I get this:
root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
mount.nfs4: access denied by server while mounting arcturus:/

If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed with mountstats).
I am not seeing anything related to the mount attempts on the nfsserver logs, but I'm not sure I am looking in the right logs.

I don't see anything happening in the ipaserver's krb5kdc.log, or httpd error or access logs.

What am I missing?

Thanks!
Joanna

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
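
The thread describes an export that only mounts while `sys` is in the `sec=` list, and a client that silently ends up on `sec=sys`. The script below is an added example, not part of any message in the thread: it flags exports that still accept AUTH_SYS and reports the flavor a mount actually negotiated. The export paths, the 192.0.2.x addresses and the sample tables are constructed; it assumes one export per line in `client(options)` form.

```bash
# Print every export/client pair that still accepts AUTH_SYS.
# stdin: /etc/exports-style text (assumed: one export per line, no "\" continuations).
exports_allowing_sys() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)$/)) {
          client = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (client == "") client = "*"       # bare "(opts)" applies to any host
        flavors = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)             # sec= may appear more than once
          if (o[j] ~ /^sec=/) flavors = flavors ":" substr(o[j], 5)
        if (flavors == "") flavors = ":sys"  # exports(5): sys is the default
        if ((flavors ":") ~ /:sys:/)
          print $1, client, "sec=" substr(flavors, 2)
      }
    }'
}

# Print the sec= flavor negotiated for mount point $1 (stdin: /proc/mounts-style text).
mount_sec_flavor() {
  awk -v mp="$1" '
    $2 == mp && $3 ~ /^nfs/ {
      n = split($4, o, ",")
      for (j = 1; j <= n; j++)
        if (o[j] ~ /^sec=/) print substr(o[j], 5)
    }'
}
sample_exports() {   # constructed; first line uses the option string from the thread
  cat <<'EOF'
/export       *(rw,sec=krb5p:krb5i:krb5:sys,root_squash)
/export/home  *(rw,sec=krb5p:krb5i:krb5,root_squash)
/export/pub   192.0.2.0/24(ro)
EOF
}
sample_mounts() {    # constructed /proc/mounts lines
  cat <<'EOF'
arcturus:/ /mnt nfs4 rw,relatime,vers=4.0,proto=tcp,sec=sys,clientaddr=192.0.2.10 0 0
arcturus:/home /home nfs4 rw,relatime,vers=4.0,proto=tcp,sec=krb5p,clientaddr=192.0.2.10 0 0
EOF
}

sample_exports | exports_allowing_sys
sample_mounts | mount_sec_flavor /mnt
```

On a real system, run `exports_allowing_sys < /etc/exports` on the server and `mount_sec_flavor /mnt < /proc/mounts` on the client.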