Re: [CentOS] nfsv4 and kerberos - fails to mount
On Mon, 2011-07-25 at 12:58 -0400, Rob Kampen wrote:
> Rob Kampen wrote:
>> On 07/19/2011 04:43 PM, Olaf Mueller wrote:
>>> Rob Kampen wrote:
>>>
>>> Hello,
>>>
>>> nfs4 with kerberos works fine here on CentOS 5.6.
>>>
>>>> change exports to
>>>> [...]gss/krb([...]
>>>> [...]gss/krb([...]
>>> My /etc/exports says '... gss/krb5(...'.
>> Got this already
>>> And 'SECURE_NFS=yes' is set in /etc/sysconfig/nfs.
>> This too is set
>>> All needed services are running?
>>> - rpcsvcgssd (server)
>>> - rpcidmapd (server)
>>> - rpcgssd (client)
>> Yes all running
>>> A very good instruction, in my opinion, to get it running is
>>> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.
>> This was one of the ones I used - will start from the beginning again.
>> Thanks for comments
>>> regards
>>> Olaf
> I have put the nfs4 with Kerberos on hold as it seems there may be a problem with the basic kerberos install.

Probably an issue with your keytab. The link above contains some hints:

1) you need to add an nfs (not host!) principal and
2) use ktadd -e des-cbc-crc:normal

Add only the des-cbc-crc:normal key, not one of the others as (at least in the past, I have not checked later kernels like the one in CentOS 6) to see if this still applies.

In order to allow the des key to work you need the following in /etc/krb5.conf (in the libdefaults section):

    allow_weak_crypto = true

With these settings nfs mounting works for me, but see my comments below first, before you try to mount a nfs file system

> /usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting initial ticket

With the keytab you showed, first try a kinit for a user. Does that succeed? What does a klist show after this? This way you can check the ticket generation. Only when that succeeds try the nfs mount

Louis

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
[CentOS] nfsv4 and kerberos - fails to mount
I have been trying all sorts of things to get this working.
nfsv4 works fine if I just use the nfs-v3 form of export, i.e.

    /nfs4exports 192.168.230.237/24(ro,fsid=0,sync,insecure,no_root_squash,no_subtree_check,squash_uids=0-99)
    /nfs4exports/NDG 192.168.230.237/24(rw,insecure,no_subtree_check,nohide,sync,no_root_squash,squash_uids=0-99)

but this is inherently open to all on this machine.

So then, using this recipe http://www.techrepublic.com/blog/opensource/kerberos-authentication-with-nfsv4/1965 and many others that hours of google foo shows, change exports to

    /nfs4exports gss/krb5(ro,fsid=0,sync,insecure,no_root_squash,no_subtree_check,squash_uids=0-99)
    /nfs4exports/NDG gss/krb5(rw,insecure,no_subtree_check,nohide,sync,no_root_squash,squash_uids=0-99)

now from the client I can see

    [rkampen@timsws ~]$ showmount -e example.com
    Export list for example.com:
    /nfs4exports gss/krb5
    /nfs4exports/NDG gss/krb5

but

    [rkampen@timsws /]$ sudo mount -t nfs4 -o sec=krb5 ndgonline.net:/ /NDG/
    mount.nfs4: access denied by server while mounting ndgonline.net:/

and

    [rkampen@timsws /]$ sudo mount -t nfs4 -o sec=krb5 ndgonline.net:/NDG /NDG/
    mount.nfs4: access denied by server while mounting ndgonline.net:/NDG

And I cannot find any log entries relating to the kerberos KDC or on the nfs server - two different machines.

I have set up all the principals in the KDC and used kadmin/ktadd to load into the client and the server /etc/krb5.keytab as per the above url.

How and where do I get logging to occur so I can find out the missing piece in my kerberos setup?

Any help or directions appreciated.
TIA
Re: [CentOS] nfsv4 and kerberos - fails to mount
Rob Kampen wrote:

Hello,

nfs4 with kerberos works fine here on CentOS 5.6.

> change exports to
> [...]gss/krb([...]
> [...]gss/krb([...]

My /etc/exports says '... gss/krb5(...'.
And 'SECURE_NFS=yes' is set in /etc/sysconfig/nfs.

All needed services are running?
- rpcsvcgssd (server)
- rpcidmapd (server)
- rpcgssd (client)

A very good instruction, in my opinion, to get it running is
http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.

regards
Olaf
Re: [CentOS] nfsv4 and kerberos - fails to mount
On 07/19/2011 04:43 PM, Olaf Mueller wrote:
> Rob Kampen wrote:
>
> Hello,
>
> nfs4 with kerberos works fine here on CentOS 5.6.
>
>> change exports to
>> [...]gss/krb([...]
>> [...]gss/krb([...]
> My /etc/exports says '... gss/krb5(...'.

Got this already

> And 'SECURE_NFS=yes' is set in /etc/sysconfig/nfs.

This too is set

> All needed services are running?
> - rpcsvcgssd (server)
> - rpcidmapd (server)
> - rpcgssd (client)

Yes all running

> A very good instruction, in my opinion, to get it running is
> http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.

This was one of the ones I used - will start from the beginning again.
Thanks for comments

> regards
> Olaf
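
The settings discussed in this thread (gss/krb5 in /etc/exports, SECURE_NFS=yes, an nfs/ rather than host/ principal in the keytab, allow_weak_crypto in [libdefaults]) can be checked mechanically before retrying the mount. The script below is an added example, not code from any poster in the thread; its function names and sample files are constructed, and on a live host the functions would be pointed at /etc/exports, /etc/sysconfig/nfs, /etc/krb5.conf and the output of klist -k.

```shell
#!/bin/sh
# Added example: offline checks for the settings this thread names.
# Function names and the sample files below are constructed for illustration.

# Every non-comment export line must use a gss/krb5* client spec.
exports_use_krb5() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { n++; if ($0 !~ /[ \t]gss\/krb5[ip]?\(/) bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# SECURE_NFS=yes must be set in the sysconfig file.
secure_nfs_enabled() {
    grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$' "$1"
}

# allow_weak_crypto = true (the value used in the thread) counts only in [libdefaults].
weak_crypto_allowed() {
    awk '/^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/) }
         in_ld && /^[ \t]*allow_weak_crypto[ \t]*=[ \t]*true[ \t]*$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Reads "klist -k" style output on stdin, prints nfs/ principals (not host/).
nfs_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// { print $2 }'
}

# Writes constructed sample files into directory $1.
make_samples() {
    printf '%s\n' '# constructed sample' \
        '/nfs4exports gss/krb5(ro,fsid=0,sync)' \
        '/nfs4exports/NDG gss/krb5(rw,nohide,sync)' > "$1/exports"
    printf '%s\n' 'SECURE_NFS=yes' > "$1/nfs"
    printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' \
        ' allow_weak_crypto = true' '[realms]' > "$1/krb5.conf"
    printf '%s\n' 'KVNO Principal' '---- ---------' \
        '   3 host/client.example.com@EXAMPLE.COM' \
        '   3 nfs/server.example.com@EXAMPLE.COM' > "$1/klist.out"
}

d=$(mktemp -d) && make_samples "$d"
exports_use_krb5 "$d/exports" && echo "exports: gss/krb5 on every line"
secure_nfs_enabled "$d/nfs" && echo "sysconfig: SECURE_NFS=yes"
weak_crypto_allowed "$d/krb5.conf" && echo "krb5.conf: allow_weak_crypto = true"
echo "nfs principals: $(nfs_principals < "$d/klist.out")"
rm -rf "$d"
```

allow_weak_crypto re-enables single-DES enctypes, which RFC 6649 deprecates, so a passing weak_crypto_allowed marks a setting to retire once the NFS client and server support stronger keys.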