Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-07-01 Thread Joanna Delaporte
Which services actually need to be running for Kerberized NFS? On the
server and client sides? What needs to be enabled?

When I go through the list in the RHEL 7 Domain Auth guide (p 271), I
cannot get rpcsvcgssd.service to start. It doesn't give any errors when I
send it a start command, but status always shows it as condition failed,
and inactive (dead). I also cannot enable it, with the error "No such file
or directory." Is this deprecated/replaced with some other service for rpc
gss server-side service?


On Thu, Jun 30, 2016 at 3:05 PM, Youenn PIOLET wrote:

> Hi,
> First questions (sorry if it's obvious):
> - Do you have a valid token on the client? (obtained with kinit)
> - Did you import the keytab for NFS service on the server?
> - Did you put "domain = yourdomain.tld" in your NFS server config file? On
> your client?
> - Depending on your (ipa? nfs?) version you may have to enable weak crypto
> (I saw this everywhere but never had to do it for a reason I still ignore)
>
> I'm far from being the most informed person on this list, but I think
> these may be the first things to check.
>
> Hope this helps,
> Regards
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2016-06-30 21:47 GMT+02:00 Joanna Delaporte:
>
>> I need some pointers for getting NFSv4 to use krb5 authorization in my
>> IPA realm.
>>
>> My realm is new. I have just migrated some users from an NIS domain to
>> the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
>> server and client, and automaps using the recommended methods in the RHEL 7
>> Storage and Domain Auth/Policy guides.
>>
>> In the exports file on the nfsserver, as long as I
>> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
>> However, when I remove sys, I no longer am able to mount. I have
>> root_squash set.
>>
>> Automount hangs when I restart it, while trying to mount the first NFS
>> directory.
>>
>> If I try to mount on the command line, I get this:
>> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
>> mount.nfs4: access denied by server while mounting arcturus:/
>>
>> If I take out sec=krb5, it works. It just rolls back to sec=sys
>> (confirmed with mountstats).
>> I am not seeing anything related to the mount attempts on the nfsserver
>> logs, but I'm not sure I am looking in the right logs.
>>
>> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
>> error or access logs.
>>
>> What am I missing?
>>
>> Thanks!
>> Joanna
>>
>>
>>
>> --
>>
>>
>> Joanna Delaporte
>> Linux Systems Administrator | Parkland College
>> joannadelapo...@gmail.com
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>


-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Youenn PIOLET
Hi,
First questions (sorry if it's obvious):
- Do you have a valid token on the client? (obtained with kinit)
- Did you import the keytab for NFS service on the server?
- Did you put "domain = yourdomain.tld" in your NFS server config file? On
your client?
- Depending on your (ipa? nfs?) version you may have to enable weak crypto
(I saw this everywhere but never had to do it for a reason I still ignore)

I'm far from being the most informed person on this list, but I think
these may be the first things to check.

Hope this helps,
Regards
--
Youenn Piolet
piole...@gmail.com


2016-06-30 21:47 GMT+02:00 Joanna Delaporte:

> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA
> realm.
>
> My realm is new. I have just migrated some users from an NIS domain to the
> IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
> server and client, and automaps using the recommended methods in the RHEL 7
> Storage and Domain Auth/Policy guides.
>
> In the exports file on the nfsserver, as long as I
> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
> However, when I remove sys, I no longer am able to mount. I have
> root_squash set.
>
> Automount hangs when I restart it, while trying to mount the first NFS
> directory.
>
> If I try to mount on the command line, I get this:
> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
> mount.nfs4: access denied by server while mounting arcturus:/
>
> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed
> with mountstats).
> I am not seeing anything related to the mount attempts on the nfsserver
> logs, but I'm not sure I am looking in the right logs.
>
> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
> error or access logs.
>
> What am I missing?
>
> Thanks!
> Joanna
>
>
>
> --
>
>
> Joanna Delaporte
> Linux Systems Administrator | Parkland College
> joannadelapo...@gmail.com
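Two of the points raised in this thread can be checked mechanically: which exports still accept sec=sys (the silent fallback described in the original question) and whether the idmapd Domain matches on server and client. The script below is an added example, not part of either message; it assumes the "NFS server config file" is an idmapd.conf-style file with a Domain key under [General], and all file contents and host names in it are constructed.

```sh
# Added example; file contents and host names below are constructed.

# Print "path client flavors" for each client entry of an exports(5) file.
export_flavors() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            sec = "sys"   # nfsd offers only sys when no sec= is given
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            print $1, (client == "" ? "*" : client), sec
        }
    }' "$1"
}

# Entries a client can still mount with AUTH_SYS, i.e. where dropping
# sec=krb5 on the client silently falls back instead of failing.
exports_allowing_sys() {
    export_flavors "$1" | awk '(":" $3 ":") ~ /:sys:/ { print $1, $2 }'
}

# Domain value from the [General] section of an idmapd.conf-style file.
idmapd_domain() {
    awk -F= '
    /^[ \t]*\[/ { general = (tolower($0) ~ /\[general\]/); next }
    general && tolower($1) ~ /^[ \t]*domain[ \t]*$/ {
        gsub(/[ \t]/, "", $2); print tolower($2); exit
    }' "$1"
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/exports" <<'EOF'
# constructed sample using the sec= list quoted in the thread
/export       *(rw,sec=krb5p:krb5i:krb5:sys,root_squash)
/export/home  *(rw,sec=krb5p:krb5i:krb5,root_squash)
/export/tmp   client.example.test(rw,root_squash)
EOF
printf '[General]\n#Domain = local.domain.edu\nDomain = Example.Test\n' > "$demo/idmapd.server"
printf '[General]\nDomain = example.test\n' > "$demo/idmapd.client"
echo "exports still reachable with sec=sys:"; exports_allowing_sys "$demo/exports"
[ "$(idmapd_domain "$demo/idmapd.server")" = "$(idmapd_domain "$demo/idmapd.client")" ] \
    || echo "idmapd Domain mismatch between server and client"
```

On a real host the functions would be pointed at /etc/exports and at a copy of each machine's /etc/idmapd.conf.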