Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
    # zfs set sharenfs='sec=krb5' rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

I am starting to think this is a bug in illumos,

Thanks anyway!

--
Groeten,
natxo

On Fri, Apr 12, 2013 at 11:57 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:

> zfs set sharenfs='sec=krb5' pool/dataset
>
> Natxo Asenjo natxo.ase...@gmail.com wrote:
>
>> hi,
>>
>> thanks, still not working though:
>>
>> # share -F nfs -o sec=krb5 -d homedirs /export/home
>> Could not share: /export/home: invalid security type
>>
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>>
>> --
>> Groeten,
>> natxo
>>
>> On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
>>
>>> Your syntax seems correct but you need to quote the value.
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
On 04/12/2013 03:35 PM, Natxo Asenjo wrote:

> hi,
>
> apparently what I am trying to do is not very usual because I do not get any answer on the omnios (opensolaris derivative) mailing list.
>
> I have successfully joined a host to the ipa domain, I can log in the omnios host as an ipa user, getent works, kerberos works (thanks to Johan Petersson in this thread: https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
> But when configuring nfs with krb5(i/p) security I get an error:

I am completely unaware how zfs works but...

> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

That looks like a syntax error. It seems like krb5 is an invalid option. Maybe something needs to be restarted after you changed the config file?

> # share -F nfs -o sec=krb5 -d homedirs /export/home/
> Could not share: /export/home: invalid security type
>
> The omnios host has a keytab with both host and nfs principals:
>
> # klist -k -e
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> --
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>
> I can kinit with both principals:
>
> root@testomnios:~# kinit -k
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:07
>
> root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:28
>
> so the keytab is correct
>
> I have edited /etc/nfssec.conf and removed the comments for the krb5 lines.
>
> According to all my google-fu it should work, but it does not. Any tips greatly appreciated.
>
> --
> Groeten,
> natxo

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
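
An added example, not part of the thread or of any poster's configuration: a shell check for the step described above (uncommenting the krb5 lines in /etc/nfssec.conf) that reports which of krb5, krb5i and krb5p still have no active entry. The sample file is constructed, and the five-column layout (name, number, mechanism, QOP, service) and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Sample data is constructed, not taken from the thread.

# Print "name mechanism" for every active (uncommented) entry.
# Assumed layout: name number mechanism qop service [# comment]
active_entries() {
    awk '{ sub(/#.*/, "") } NF >= 5 { print $1, $3 }' "$1"
}

# Print one line for each Kerberos mode that has no active entry
# or whose entry names no GSS mechanism ("-").
krb5_problems() {
    entries=$(active_entries "$1")
    for mode in krb5 krb5i krb5p; do
        mech=$(printf '%s\n' "$entries" |
               awk -v m="$mode" '$1 == m { print $2; exit }')
        if [ -z "$mech" ]; then
            echo "$mode: no active entry"
        elif [ "$mech" = "-" ]; then
            echo "$mode: no GSS mechanism named"
        fi
    done
}

# Constructed sample: only krb5 was uncommented; krb5i and krb5p were
# left commented out (one with a space after the '#').
write_sample() {
    cat > "$1" <<'EOF'
none    0       -            -        -          # AUTH_NONE
sys     1       -            -        -          # AUTH_SYS
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
#krb5i  390004  kerberos_v5  default  integrity  # RPCSEC_GSS
# krb5p 390005  kerberos_v5  default  privacy    # RPCSEC_GSS
default 1       -            -        -          # default is AUTH_SYS
EOF
}

sample=$(mktemp)
write_sample "$sample"
krb5_problems "$sample"
rm -f "$sample"
```

On a real host, call `krb5_problems /etc/nfssec.conf`; empty output means all three modes have an active entry with a mechanism named.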
Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
Your syntax seems correct but you need to quote the value.

Natxo Asenjo natxo.ase...@gmail.com wrote:

> hi,
>
> apparently what I am trying to do is not very usual because I do not get any answer on the omnios (opensolaris derivative) mailing list.
>
> I have successfully joined a host to the ipa domain, I can log in the omnios host as an ipa user, getent works, kerberos works (thanks to Johan Petersson in this thread: https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
> But when configuring nfs with krb5(i/p) security I get an error:
>
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>
> # share -F nfs -o sec=krb5 -d homedirs /export/home/
> Could not share: /export/home: invalid security type
>
> The omnios host has a keytab with both host and nfs principals:
>
> # klist -k -e
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> --
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>
> I can kinit with both principals:
>
> root@testomnios:~# kinit -k
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:07
>
> root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:28
>
> so the keytab is correct
>
> I have edited /etc/nfssec.conf and removed the comments for the krb5 lines.
>
> According to all my google-fu it should work, but it does not. Any tips greatly appreciated.
>
> --
> Groeten,
> natxo

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
hi,

thanks, still not working though:

    # share -F nfs -o sec=krb5 -d homedirs /export/home
    Could not share: /export/home: invalid security type

    # zfs set sharenfs=sec=krb5 rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
    # zfs set sharenfs=sec=krb5 rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
    # zfs set sharenfs=sec=krb5 rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
    # zfs set sharenfs=sec=krb5 rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
    # zfs set sharenfs=sec=krb5 rpool/export/home
    cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

--
Groeten,
natxo

On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:

> Your syntax seems correct but you need to quote the value.
Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
    zfs set sharenfs='sec=krb5' pool/dataset

Natxo Asenjo natxo.ase...@gmail.com wrote:

> hi,
>
> thanks, still not working though:
>
> # share -F nfs -o sec=krb5 -d homedirs /export/home
> Could not share: /export/home: invalid security type
>
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>
> --
> Groeten,
> natxo
>
> On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
>
>> Your syntax seems correct but you need to quote the value.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.