On 02/07/2012 06:33 AM, Ondrej Valousek wrote:
Enable debugging on rpc.gssd and prc.svcgssd daemons and paste the output
note from my previous troubleshooting
1. the configuration file for nfs mount is: /etc/sysconfig/nfs
2. make the following changes to /etc/sysconfig/nfs file
  (1) uncomment  the line: SECURE_NFS="yes"
  (2) add debug flag for rpc gss : RPCGSSDARGS="vvv"

in short: you file /etc/sysconfig/nfs should have the following block:

# Set to turn on Secure NFS mounts.
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)

3. at end, if you are using rhel5.7 you should specify the nfs version when you do mount, mounting command should something like:
mount -t nfs4 -o sec=krb5 ipaserver:/ /mylocalmount point

--- 2 things you might want to pay attention here --
(1) for -o sec=xxx : "xxx" here is depends on your nfs server configuration, specifically your /etc/export file, if you have krb5p, then you should use -o sec=krb5p (2) when krb5 protocol is used, regardless what directory you have in /etc/export file, you always (and only) use "/" , not your actual directory name

Good luck!

Yi Zhang


On 02/07/2012 01:11 PM, Westerlund Johnny wrote:
Hey all.

I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS 
running on RHEL5.7.
The documentation states that if you are using an older kernel (like the one in 
RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure 
you specify -e des-cbc-crc
when exporting your keytab from the IPA server. However things are not working 

I do manage to export a des-cbc-crc key but when trying to mount the NFS share 
from an IPA client on rhel 6.2 it doesnt work.
I have put the allow_weak_crypto = yes in the libdefaults section of my 
krb5.conf on all machines in the domain. And i've tried changing my password 
after that. But it still doesnt work.
I'm unsure what to expect but if i do a klist -e i dont see any des-cbc-crc key 
in my keytab as the user i logged in as.

If i move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works 
just fine but then i'm unable to mount the share from the RHEL5.7 client.
If i do a kinitu...@myrealm.bla  and check the klist -e i dont have any des-cbc 
keys. I only get the AES ones.

I did find this thread about running rhel5/rhel6 clients but with an AD 
kerberos domain so it's not the same problem. but they do get some of the same 

There they specify default_tgs_enctypes and default_tkt_enctypes to get it 

Anyone here know's whats wrong or what i'm doing wrong?


Freeipa-users mailing list

Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish Exporters Association (IEA). Please, refer to our web site for more details regarding the award.
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

Freeipa-users mailing list


| Yi Zhang                          |
| QA @ Mountain View, Calinfornia   |
| Cell: 408-509-6375                |

Freeipa-users mailing list

Reply via email to