On Wednesday 19 August 2009 19:28:41 Chantal Rosmuller wrote:
> On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> > On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller<[email protected]>
> > wrote:
> > > Hi list,
> > >
> > > I cannot get nfs with kerberos working on my Ubuntu 8.04 servers,
> > > here's what I did:
> > >
> > > first I installed nfs server on ubuntuhardy1 and client on
> > > ubuntuhardy2, nfs mounting from ubuntuhardy2 to ubuntuhardy1 without
> > > kerberos works
> > >
> > > changed the following on /etc/default/nfs-kernel-server:
> > >
> > > NEED_SVCGSSD=yes
> > > RPCSVCGSSDOPTS="-vvv"
> > >
> > > then I installed ntp on both servers
> > >
> > > On the nfs/kerberos server ubuntuhardy1
> > >
> > > aptitude install krb5-admin-server krb5-kdc
> > >
> > > edit /etc/hosts
> > >
> > > 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> > > 192.168.0.109 ubuntuhardy1.localhost.network
> > > 192.168.0.110 ubuntuhardy2.localhost.network
> > >
> > > change hostname
> > >
> > > hostname ubuntuhardy1.localhost.network
> > >
> > > edit /etc/krb5.conf
> > >
> > > [libdefaults]
> > > default_realm = LOCALHOST.NETWORK
> > > [realms]
> > > LOCALHOST.NETWORK = {
> > > kdc = ubuntuhardy1.localhost.network
> > > admin_server = ubuntuhardy1.localhost.network
> > > default_domain = localhost.network
> > > }
> > > [domain_realm]
> > > localhost.network = LOCALHOST.NETWORK
> > > .localhost.network = LOCALHOST.NETWORK
> > > [logging]
> > > kdc = FILE:/var/log/krb5kdc.log
> > > admin_server = FILE:/var/log/kadmin.log
> > > default = FILE:/var/log/krb5lib.log
> > >
> > > change /etc/krb5kdc/kdc.conf:
> > >
> > > [kdcdefaults]
> > > kdc_ports = 750,88
> > > [realms]
> > > LOCALHOST.NETWORK = {
> > > database_name = /var/lib/krb5kdc/principal
> > > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > > acl_file = /etc/krb5kdc/kadm5.acl
> > > key_stash_file = /etc/krb5kdc/stash
> > > kdc_ports = 750,88
> > > max_life = 10h 0m 0s
> > > max_renewable_life = 7d 0h 0m 0s
> > > master_key_type = des3-hmac-sha1
> > > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> > > des:normal des:v4 des:norealm des:onlyrealm des:afs3
> > > default_principal_flags = +preauth
> > > }
> > >
> > > create realm:
> > >
> > > kdb5_util create -s
> > >
> > > loading random data
> > > Initializing database '/var/lib/krb5kdc/principal' for realm
> > > 'LOCALHOST.NETWORK',
> > > master key name 'K/[email protected]'
> > > You will be prompted for the database Master Password.
> > > It is important that you NOT FORGET this password.
> > > Enter KDC database master key:
> > >
> > > restarted kerberos
> > >
> > > /etc/init.d/krb5-admin-server restart
> > > /etc/init.d/krb5-kdc restart
> > > Now you can access your <more> with the following command:
> > >
> > > started kadmin
> > >
> > > kadmin.local
> > >
> > > added user:
> > >
> > > addprinc admin/admin
> > >
> > > added Host key for the server:
> > >
> > > addprinc -randkey
> > > host/[email protected]
> > >
> > > add principal to local key table <more>
> > >
> > > ktadd host/[email protected]
> > > output:
> > >
> > > Entry for principal
> > > host/[email protected] with kvno 3,
> > > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > > WRFILE:/etc/krb5.keytab. Entry for principal
> > > host/[email protected] with kvno 3,
> > > encryption type DES cbc mode with CRC-32 added to keytab
> > > WRFILE:/etc/krb5.keytab.
> > >
> > > edit /etc/exports
> > >
> > > /var/www gss/krb5i(rw,sync)
> > >
> > > restarted nfs server
> > >
> > > on the client ubuntuhardy2:
> > >
> > > edit /etc/hosts
> > >
> > > 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> > > 192.168.0.110 ubuntuhardy2.localhost.network
> > > 192.168.0.109 ubuntuhardy1.localhost.network
> > >
> > > install software
> > >
> > > aptitude install krb5-user krb5-clients libpam-krb5
> > >
> > > copied /etc/krb5.conf from server
> > >
> > > tested kerberos access:
> > >
> > > kinit admin/admin
> > >
> > > and got this output:
> > >
> > > Password for admin/[email protected]:
> > >
> > > logged in again on the SERVER
> > >
> > > kadmin
> > >
> > > added principal for client ubuntuhardy2
> > >
> > > addprinc -randkey host/ubuntuhardy2.localhost.network
> > > addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > > client
> > >
> > > logged in on the client:
> > >
> > > kinit admin/admin
> > > Password for admin/[email protected]: r
> > >
> > > add principal for client
> > >
> > > kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > >
> > > WARNING: no policy specified for
> > > nfs/[email protected]; defaulting to no
> > > policy Principal “nfs/[email protected]”
> > > created.
> > >
> > > create key in keytab
> > >
> > > kadmin: ktadd nfs/ubuntuhardy2.localhost.network
> > >
> > > Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3,
> > > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > > WRFILE:/etc/krb5.keytab. Entry for principal
> > > nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc
> > > mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> > > kadmin: quit
> > >
> > > then I try to mount the nfs share
> > >
> > > mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www
> > > /mnt/websites/
> > >
> > > I get
> > >
> > > mount.nfs: access denied by server while mounting
> > > ubuntuhardy1.localhost.network:/var/www
> > >
> > > and in /var/log/daemon.log on the server
> > >
> > > ubuntuhardy1 mountd[1913]: mount request from unknown host
> > > 192.168.0.110 for /var/www (/var/www)
> > >
> > > Does anyone know what I am doing wrong?
> >
> > Currently, you must limit the encryption type for the nfs principals
> > to only des-cbc-crc.
> >
> > So, in both cases
> > ktadd nfs/[email protected]
> > ktadd nfs/[email protected]
> > should be
> > ktadd -e des-cbc-crc:normal
> > nfs/[email protected]
> > ktadd -e des-cbc-crc:normal
> > nfs/[email protected]
> >
> > (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
> >
> > K.C.
>
> It does get rid of the double keys but it's not working yet....... do I need
> to do the same for host/[email protected]
> and host/[email protected]?
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
still no success :( keytabs look like this now

r...@ubuntuhardy2:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 nfs/[email protected] (DES cbc mode with CRC-32)
   6 host/[email protected] (DES cbc mode with CRC-32)

klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/[email protected] (DES cbc mode with CRC-32)
   4 host/[email protected] (DES cbc mode with CRC-32)
   4 nfs/[email protected] (DES cbc mode with CRC-32)
   5 nfs/[email protected] (DES cbc mode with CRC-32)
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
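Two offline checks for the setup in this thread, added here as an example and not code from the thread or any of its posters: an audit of a `klist -e -k` listing against the rule Kevin states (every nfs/ principal keyed as des-cbc-crc only, one entry each), and a lookup of the sec= flavour an /etc/exports line requires, since the server above exports /var/www as gss/krb5i while the client mounts it with sec=krb5. The hostnames, realm and sample listings are constructed from the names used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Two offline checks for the setup
# discussed above; hostnames, realm and the sample listings are constructed.

# 1. Audit a `klist -e -k /etc/krb5.keytab` listing (on stdin) for Kevin's
#    rule: every nfs/ principal has exactly one key, of type des-cbc-crc.
#    Prints one finding per line; exit 0 when clean, 1 otherwise.
check_nfs_keytab() {
    awk '
        BEGIN { bad = 0 }
        # entry lines look like:  <kvno> <principal> (<enctype name>)
        $1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// {
            enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\)[ \t]*$/, "", enc)
            count[$2]++
            if (enc != "DES cbc mode with CRC-32") { print "BAD-ENCTYPE " $2 " " enc; bad = 1 }
        }
        END {
            for (p in count) if (count[p] > 1) { print "MULTIPLE-KEYS " p " " count[p]; bad = 1 }
            exit bad
        }'
}

# 2. Read /etc/exports text (on stdin) and print the sec= flavour a client must
#    pass to mount for the given path, e.g. gss/krb5i -> krb5i. No output = no gss entry.
exports_flavor_for() {
    awk -v path="$1" '$1 == path && $2 ~ /^gss\/krb5/ { f = $2; sub(/^gss\//, "", f); sub(/\(.*/, "", f); print f }'
}

# Constructed samples in the format of the listings quoted in the thread.
KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
   6 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   6 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'
KEYTAB_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
   3 nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'
EXPORTS='/var/www gss/krb5i(rw,sync)'

for k in "$KEYTAB_OK" "$KEYTAB_BAD"; do
    if printf '%s\n' "$k" | check_nfs_keytab; then echo "keytab ok"
    else echo "re-run ktadd -e des-cbc-crc:normal for the nfs principals listed above"; fi
done
want=$(printf '%s\n' "$EXPORTS" | exports_flavor_for /var/www)
echo "client must mount /var/www with -o sec=$want (the thread used sec=krb5)"
```

On a real host, replace the samples with `klist -e -k /etc/krb5.keytab | check_nfs_keytab` and `exports_flavor_for /var/www < /etc/exports`.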
