A little encouragement with Kerberos for NFS

Andrew B. Young andrew at an3e.org
Fri Jul 7 20:02:41 EDT 2006


I have been struggling for about two days now and could use a little 
encouragement.  I wish to have NFS use Kerberos but am as of yet unable 
to get it working.  But I think I am close.  Here is what I have--

ns3.an3e.org:  KDC and NFS server, Linux ns3.an3e.org 2.6.17-1.2139_FC5
# exportfs -v -> /var/lib/music  gss/krb5p(ro,wdelay,root_squash)

ns2.an3e.org: NFS Client, Linux ns2.an3e.org 2.6.16-1.2122_FC5


kadmin:  listprincs
K/M@AN3E.ORG
admin/admin@AN3E.ORG
ayoung@AN3E.ORG
host/ns2.an3e.org@AN3E.ORG
kadmin/admin@AN3E.ORG
kadmin/changepw@AN3E.ORG
kadmin/history@AN3E.ORG
kadmin/ns3.an3e.org@AN3E.ORG
krbtgt/AN3E.ORG@AN3E.ORG
nfs/ns1.an3e.org@AN3E.ORG
nfs/ns2.an3e.org@AN3E.ORG
nfs/ns3.an3e.org@AN3E.ORG
root/ns2.an3e.org@AN3E.ORG

[root@ns2 ~]# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 nfs/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
   5 root/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
   5 host/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)


[root@ns3 ~]#  klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 nfs/ns3.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)

[root@ns3 ~]# more /etc/sysconfig/nfs
SECURE_NFS=yes

[root@ns3 ~]# authconfig --enablekrb5 --update


The above is from all sorts of pages offered by Google.
So here is what I get---

[root@ns2 ~]# mount -t nfs4 -o ro,sec=krb5p ns3.an3e.org:/var/lib/music /mnt/ns3/music
mount: cannot mount block device ns3.an3e.org:/var/lib/music read-only
|--ns2:/var/log/messages---------------
|Jul  7 16:50:26 ns2 rpc.gssd[2911]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server ns3.an3e.org

|--ns3:/var/log/krb5kdc.log-----------
|Jul 07 15:06:18 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 64.165.113.66: VALIDATE VALID TICKET: authtime 1152309967,  host/ns2.an3e.org@AN3E.ORG for krbtgt/AN3E.ORG@AN3E.ORG, KDC can't fulfill requested option



I could sure use a kind word heading into the weekend.
Thanks!
Andrew
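
An added example, not part of the original post: a small Python helper for reading the two kinds of output quoted above side by side, the `klist -e -k` keytab listing and the etype list in the KDC's TGS_REQ log line. It reports which service keys are single-DES and which non-DES enctypes the client offered. The function names and the sample input are constructed for illustration, and the long enctype descriptions are assumed to match what older MIT klist prints.

```python
import re

# Kerberos enctype numbers (IANA registry); single DES (1, 2, 3) is deprecated by RFC 6649.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3}
# Assumption: long descriptions as printed by older MIT klist, mapped to enctype numbers.
KLIST_DESC = {"des cbc mode with crc-32": 1, "des cbc mode with rsa-md4": 2,
              "des cbc mode with rsa-md5": 3, "triple des cbc mode with hmac/sha1": 16,
              "aes-128 cts mode with 96-bit sha-1 hmac": 17,
              "aes-256 cts mode with 96-bit sha-1 hmac": 18, "arcfour with hmac/md5": 23}
KLIST_DESC.update({name: num for num, name in ETYPES.items()})  # newer short names

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")
TGS_ETYPES = re.compile(r"TGS_REQ \(\d+ etypes \{([\d ]+)\}\)")

def parse_keytab(text):
    """Return (kvno, principal, etype number or None) for each `klist -e -k` row."""
    hits = filter(None, map(KLIST_ROW.match, text.splitlines()))
    return [(int(m[1]), m[2], KLIST_DESC.get(m[3].lower())) for m in hits]

def requested_etypes(log_line):
    """Return the client's etype list, in preference order, from a KDC TGS_REQ log line."""
    m = TGS_ETYPES.search(log_line)
    return [int(n) for n in m.group(1).split()] if m else []

def audit(keytab_text, log_line, service="nfs"):
    """Per service principal: key etype, weak flag, and non-DES etypes the client offered."""
    offered = [e for e in requested_etypes(log_line) if e not in WEAK]
    report = {}
    for kvno, princ, etype in parse_keytab(keytab_text):
        if princ.startswith(service + "/"):
            report[princ] = {"kvno": kvno, "etype": ETYPES.get(etype, "unknown"),
                             "weak": etype in WEAK,
                             "non_des_offered": [ETYPES.get(e, str(e)) for e in offered]}
    return report

# Constructed sample input, modelled on the output quoted in the post.
SAMPLE_KEYTAB = """KVNO Principal
---- ----------------------------------------
   8 nfs/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
   5 host/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
"""
SAMPLE_LOG = "krb5kdc[1802](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ..."

if __name__ == "__main__":
    print(audit(SAMPLE_KEYTAB, SAMPLE_LOG))
```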


