Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-13 Thread Sigbjorn Lie

No that syntax is correct.

# zfs create p00/test
# zfs set sharenfs='sec=krb5' p00/test

No errors on my system. But have you remembered to enable krb5 in 
/etc/nfssec.conf? It is not enabled by default.


You may read this thread I wrote a while back for how to make 
NexentaStor work with FreeIPA. It will be the same setup for openindiana:


https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html



Rgds,
Siggi


On 04/13/2013 01:16 PM, Natxo Asenjo wrote:

> # zfs set sharenfs='sec=krb5' rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
> to invalid options
>
> I am starting to think this is a bug in illumos,
>
> Thanks anyway!
>
> --
> Groeten,
> natxo
>
> On Fri, Apr 12, 2013 at 11:57 PM, Sigbjorn Lie wrote:
>
>> zfs set sharenfs='sec=krb5' pool/dataset
>>
>> Natxo Asenjo wrote:
>>>
>>> hi,
>>>
>>> thanks, still not working though:
>>>
>>> # share -F nfs -o "sec=krb5" -d "homedirs" /export/home
>>> Could not share: /export/home: invalid security type
>>>
>>> # zfs set sharenfs="sec"="krb5" rpool/export/home
>>> cannot set property for 'rpool/export/home': 'sharenfs' cannot
>>> be set to invalid options
>>>
>>> # zfs set "sharenfs"="sec"="krb5" rpool/export/home
>>> cannot set property for 'rpool/export/home': 'sharenfs' cannot
>>> be set to invalid options
>>>
>>> # zfs set sharenfs=sec="krb5" rpool/export/home
>>> cannot set property for 'rpool/export/home': 'sharenfs' cannot
>>> be set to invalid options
>>>
>>> # zfs set sharenfs=sec=krb5 rpool/export/home
>>> cannot set property for 'rpool/export/home': 'sharenfs' cannot
>>> be set to invalid options
>>>
>>> # zfs set "sharenfs=sec=krb5" rpool/export/home
>>> cannot set property for 'rpool/export/home': 'sharenfs' cannot
>>> be set to invalid options
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>> On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie wrote:
>>>
>>>> Your syntax seems correct but you need to quote the value.
>>
>> --
>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
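
The /etc/nfssec.conf check suggested in the message above can be scripted. This is an added example, not code from the thread or from illumos: the function names are hypothetical, the sample file is constructed on the stock layout of that file, and it assumes a `sec=` mode is accepted only when it has an active (uncommented) entry there.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample file is constructed, modeled on the stock /etc/nfssec.conf layout.

# Write a sample config; $2 is the prefix for the krb5 lines ("#" = commented).
write_sample_conf() {
    cat > "$1" <<EOF
sys     1       -            -        -          # AUTH_SYS
dh      3       -            -        -          # AUTH_DH
${2}krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
${2}krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
${2}krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
default 1       -            -        -          # default is AUTH_SYS
EOF
}

# Print the mode name (first field) of every active, non-comment entry.
enabled_modes() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

# Check a "sec=mode[:mode]..." option against file $2.
# Prints each mode that has no active entry; returns 1 if any is missing.
check_sec_option() {
    modes=${1#sec=}
    conf=$2
    rc=0
    old_ifs=$IFS
    IFS=:
    for m in $modes; do
        if ! enabled_modes "$conf" | grep -qxF -- "$m"; then
            echo "not enabled: $m"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Demo: the same option against a stock file and an edited one.
tmp=$(mktemp -d)
write_sample_conf "$tmp/stock" "#"
write_sample_conf "$tmp/edited" ""
check_sec_option "sec=krb5" "$tmp/stock" || echo "stock file: sec=krb5 rejected"
check_sec_option "sec=krb5:krb5i" "$tmp/edited" && echo "edited file: ok"
rm -rf "$tmp"
```

On a real host, point `check_sec_option` at /etc/nfssec.conf itself; a leading space or tab before `#` still counts as a comment here.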

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-13 Thread Natxo Asenjo
# zfs set sharenfs='sec=krb5' rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options

I am starting to think this is a bug in illumos,


Thanks anyway!

--
Groeten,
natxo


On Fri, Apr 12, 2013 at 11:57 PM, Sigbjorn Lie  wrote:

> zfs set sharenfs='sec=krb5' pool/dataset
>
>
> Natxo Asenjo  wrote:
>>
>> hi,
>>
>> thanks, still not working though:
>>
>> # share -F nfs -o "sec=krb5" -d "homedirs" /export/home
>> Could not share: /export/home: invalid security type
>>
>>  # zfs set sharenfs="sec"="krb5" rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>> # zfs set "sharenfs"="sec"="krb5" rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>> # zfs set sharenfs=sec="krb5" rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>> # zfs set sharenfs=sec=krb5 rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>> # zfs set "sharenfs=sec=krb5" rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>>
>> --
>> Groeten,
>> natxo
>>
>>
>> On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie wrote:
>>
>>> Your syntax seems correct but you need to quote the value.
>>>
>>
>>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Sigbjorn Lie
zfs set sharenfs='sec=krb5' pool/dataset

Natxo Asenjo  wrote:

>hi,
>
>thanks, still not working though:
>
># share -F nfs -o "sec=krb5" -d "homedirs" /export/home
>Could not share: /export/home: invalid security type
>
> # zfs set sharenfs="sec"="krb5" rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># zfs set "sharenfs"="sec"="krb5" rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># zfs set sharenfs=sec="krb5" rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># zfs set sharenfs=sec=krb5 rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># zfs set "sharenfs=sec=krb5" rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
>
>--
>Groeten,
>natxo
>
>
>On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie 
>wrote:
>
>> Your syntax seems correct but you need to quote the value.
>>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Natxo Asenjo
hi,

thanks, still not working though:

# share -F nfs -o "sec=krb5" -d "homedirs" /export/home
Could not share: /export/home: invalid security type

 # zfs set sharenfs="sec"="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options

# zfs set "sharenfs"="sec"="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options

# zfs set sharenfs=sec="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options

# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options

# zfs set "sharenfs=sec=krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options


--
Groeten,
natxo


On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie  wrote:

> Your syntax seems correct but you need to quote the value.
>

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Sigbjorn Lie
Your syntax seems correct but you need to quote the value.

Natxo Asenjo  wrote:

>hi,
>
>apparently what I am trying to do is not very usual because I do not
>get
>any answer on the omnios (opensolaris derivative) mailing list.
>
>I have successfully joined a host to the ipa domain, I can log in the
>omnios host as an ipa user, getent works, kerberos works (thanks to
>Johan
>Petersson in this thread:
>https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
>But when configuring nfs with krb5(i/p) security I get an error:
>
># zfs set sharenfs=sec=krb5 rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># share -F nfs -o sec=krb5 -d "homedirs" /export/home/
>Could not share: /export/home: invalid security type
>
>The omnios host has a keytab with both host and nfs principals:
>
># klist -k -e
>
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>--
>   1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>   1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>   2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>   2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>
>I can kinit with both principals:
>
>root@testomnios:~# kinit -k
>root@testomnios:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: host/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
>Valid starting     Expires            Service principal
>04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>renew until 04/19/13 11:56:07
>root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
>root@testomnios:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
>Valid starting     Expires            Service principal
>04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>renew until 04/19/13 11:56:28
>
>so the keytab is correct
>
>I have edited /etc/nfssec.conf and removed the comments for the krb5
>lines.
>
>According to all my google-fu it should work, but it does not. Any tips
>greatly appreciated.
>.
>--
>Groeten,
>natxo
>
>
>
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Dmitri Pal
On 04/12/2013 03:35 PM, Natxo Asenjo wrote:
> hi,
>
> apparently what I am trying to do is not very usual because I do not
> get any answer on the omnios (opensolaris derivative) mailing list.
>
> I have successfully joined a host to the ipa domain, I can log in the
> omnios host as an ipa user, getent works, kerberos works (thanks to
> Johan Petersson in this thread:
> https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
> But when configuring nfs with krb5(i/p) security I get an error:

I am completely unaware how zfs works but...
>
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
> to invalid options

That looks like a syntax error.
It seems like krb5 is an invalid option. Maybe something needs to be
restarted after you changed the config file?


>
> # share -F nfs -o sec=krb5 -d "homedirs" /export/home/
> Could not share: /export/home: invalid security type
>
> The omnios host has a keytab with both host and nfs principals:
>
> # klist -k -e
>
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> --
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode with HMAC/sha1)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>
> I can kinit with both principals:
>
> root@testomnios:~# kinit -k
> root@testomnios:~# klist  
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/ipa.asenjo...@ipa.asenjo.nx
> renew until 04/19/13 11:56:07
> root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting     Expires            Service principal
> 04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/ipa.asenjo...@ipa.asenjo.nx
> renew until 04/19/13 11:56:28
>
> so the keytab is correct
>
> I have edited /etc/nfssec.conf and removed the comments for the krb5
> lines.
>
> According to all my google-fu it should work, but it does not. Any
> tips greatly appreciated.
> .
> --
> Groeten,
> natxo
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

