On 02/07/2012 06:33 AM, Ondrej Valousek wrote:
Enable debugging on the rpc.gssd and rpc.svcgssd daemons and paste the output.
Notes from my previous troubleshooting:
1. The configuration file for the NFS mount is: /etc/sysconfig/nfs
2. Make the following changes to the /etc/sysconfig/nfs file:
(1) uncomment the line: SECURE_NFS="yes"
(2) add the debug flag for rpc gss: RPCGSSDARGS="-vvv"
In short: your file /etc/sysconfig/nfs should have the following block:
# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS="-vvv"
3. At the end, if you are using RHEL 5.7 you should specify the NFS version
when you do the mount. The mount command should be something like:
mount -t nfs4 -o sec=krb5 ipaserver:/ /mylocalmountpoint
--- 2 things you might want to pay attention to here ---
(1) For -o sec=xxx: "xxx" here depends on your NFS server
configuration, specifically your /etc/exports file. If you have krb5p,
then you should use -o sec=krb5p.
(2) When the krb5 protocol is used, regardless of what directory you have in
the /etc/exports file, you always (and only) use "/", not your actual
directory name.
Good luck!
Yi Zhang
Ondrej
On 02/07/2012 01:11 PM, Westerlund Johnny wrote:
Hey all.
I've been trying to set up kerberized NFS with IPA running on RHEL6.2 and NFS
running on RHEL5.7.
The documentation states that if you are using an older kernel (like the one in
RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure
you specify -e des-cbc-crc when exporting your keytab from the IPA server.
However, things are not working out.
I do manage to export a des-cbc-crc key, but when trying to mount the NFS share
from an IPA client on RHEL 6.2 it doesn't work.
I have put allow_weak_crypto = yes in the libdefaults section of my
krb5.conf on all machines in the domain, and I've tried changing my password
after that. But it still doesn't work.
I'm unsure what to expect, but if I do a klist -e I don't see any des-cbc-crc key
in my keytab as the user I logged in as.
If I move the NFS server to RHEL 6.2, the mount from the RHEL6.2 client works
just fine, but then I'm unable to mount the share from the RHEL5.7 client.
If I do a kinit u...@myrealm.bla and check klist -e, I don't have any des-cbc
keys. I only get the AES ones.
I did find this thread about running RHEL5/RHEL6 clients, but with an AD
Kerberos domain, so it's not the same problem. But they do get some of the same
symptoms.
http://www.spinics.net/lists/linux-nfs/msg22188.html
There they specify default_tgs_enctypes and default_tkt_enctypes to get it
working.
Does anyone here know what's wrong or what I'm doing wrong?
Regards
Johnny
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Yi Zhang |
| QA @ Mountain View, California |
| Cell: 408-509-6375 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
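
The settings discussed in this thread can be checked before restarting the daemons or retrying the mount. The script below is an added example, not part of any of the posts; the function names and the sample file contents are constructed. It reports whether a sysconfig file enables secure NFS with a verbosity flag for both GSS daemons, and what allow_weak_crypto is set to inside [libdefaults] only.

```shell
#!/bin/sh
# Added example; function names and sample file contents are constructed.

# Print the unquoted value of KEY from a sysconfig-style file.
# Commented-out lines are ignored; the last assignment wins.
sysconfig_get() {    # usage: sysconfig_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed only if secure NFS is on and both GSS daemons get a -v flag.
nfs_gss_debug_ready() {    # usage: nfs_gss_debug_ready FILE
    [ "$(sysconfig_get "$1" SECURE_NFS)" = "yes" ] || return 1
    for key in RPCGSSDARGS RPCSVCGSSDARGS; do
        case "$(sysconfig_get "$1" "$key")" in
            -v*|*" -v"*) ;;          # the value is passed as command-line arguments
            *) return 1 ;;
        esac
    done
}

# Print allow_weak_crypto as set inside [libdefaults], or "unset".
weak_crypto_setting() {    # usage: weak_crypto_setting KRB5_CONF
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Constructed sample inputs (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nfs" <<'EOF'
# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
EOF
cat > "$demo_dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 allow_weak_crypto = yes
[realms]
 allow_weak_crypto = no
EOF

nfs_gss_debug_ready "$demo_dir/nfs" && echo "nfs: secure NFS on, gssd debug on"
echo "krb5.conf allow_weak_crypto: $(weak_crypto_setting "$demo_dir/krb5.conf")"
```

On a real host, point the functions at /etc/sysconfig/nfs and /etc/krb5.conf instead of the sample files.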