nfs not working with kerberos

Edward Murrell edward at murrell.co.nz
Mon May 7 17:20:55 EDT 2007


It sounds like reverse DNS is not configured properly, or you don't have 
all the appropriate keytabs set up properly.
The fact that daemon.log mentions localhost instead of the actual name 
of the hosts is worrying.
If you run;

	host 130.251.17.158

What does it return? The output of 'hostname -s' and 'hostname -f' 
would be interesting as well.


Both the client In your /etc/krb5.keytab you should have the appropriate 
keytab for nfs/hostname@REALM
eg;
nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
with encryption type of; des-cbc-crc:normal

Also, I'm pretty sure that you have to create /export directory and bind 
filesystems to that, using a line like the following in /etc/fstab;
/home /export/home none bind 0 0

See this entry for more details; http://gentoo-wiki.com/HOWTO_NFSv4#Exports


Depending on how much work is done for you, you may also need to do one 
or more of the following tasks;

* On the server, edit /etc/default/nfs-kernel-server, and set: NEED_SVCGSSD=yes
* On the client and the server, in /etc/default/nfs-common set: NEED_IDMAPD=yes
* On the client and the server, in /etc/default/nfs-common set: NEED_GSSD=yes
* Create the /var/lib/nfs/rpc_pipefs directory
* Add to /etc/modules: rpcsec_gss_krb5
* Add to /etc/fstab: rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0
* Add to /etc/fstab: nfsd /proc/fs/nfsd nfsd defaults 0 0

This is collated from my notes on NFSv4 for Ubuntu Dapper, so it may or 
may not be completely the same.

This is a working command to test the setup, and the following fstab entry;

	mount -t nfs4 sequoia:/home /mnt -o sec=krb5,port=2049
	sequoia:/home  /home nfs4    sec=krb5,port=2049,auto 0 0

I found that rsize=16384,wsize=16384 tend to give the best performance. I recommend some experimenting.


Hope this helps!

Cheers,
Edward Murrell

Luca Lauretta wrote:
> hi i'm struggling in configuring nfsv4 working with mit kerberos v5
>
>
> /etc/exports on server (sequoia)
>
> #/home/condivisa sughero.reti.dist.unige.it(rw,sync)
> /home/condivisa gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
> #/home/prova sughero.reti.dist.unige.it(rw,sync)
> /home/prova gss/krb5(rw,sync)
>
> (commented lines are to do more testing, same for different options in 
> gss/krb5 lines; without kerberos i get to mount the filesystems)
>
> /etc/fstab on client (sughero)
>
> sequoia:/home/condivisa /home/importata nfs defaults,noauto,sec=krb5
> sequoia:/home/prova /home/verifica nfs defaults,noauto,sec=krb5
>
>
>
> from server (sequoia) /var/log/daemon.log i get:
>
> localhost mountd[30504]: mount request from unknown host 130.251.17.158 for 
> /home/condivisa (/home/condivisa)
>
> (130.251.17.158 is sughero, even if it says unknown host and i get to 
> connect to sughero thru other services, like ssh)
>
> from client (sughero) /var/log/daemon.log i get:
>
> localhost rpc.gssd[7950]: WARNING: Failed to obtain machine credentials for 
> connection to server sequoia.reti.dist.unige.it
>
> when i try to mount the filesystem (for example mount /home/importata) i 
> get:
> mount: sequoia:/home/condivisa failed, reason given by server: Permission 
> denied (i use gnomed debian 2.14.3, no ldap netapp and similars)
>
> i hope you can find the solution, i'm going out crazy
>
> thank you
>
>   
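
The checks listed in the reply above, collected into one script. This is an added example, not part of the original message: it assumes the Debian/Ubuntu file locations the reply names and MIT `klist`, and `ROOT`, the function names and the optional IP argument are invented for this illustration.

```shell
#!/bin/sh
# Added example, not from the original message. ROOT is a hypothetical prefix so
# the checks can run against a copy of the files; empty means the live system.
ROOT="${ROOT:-}"

# has_setting FILE KEY VALUE: FILE contains an uncommented KEY=VALUE line.
has_setting() {
    grep -Eq "^[[:space:]]*$2=\"?$3\"?[[:space:]]*\$" "$1" 2>/dev/null
}

# fstab_has FILE DEVICE MOUNTPOINT FSTYPE: FILE has that uncommented entry.
fstab_has() {
    awk -v d="$2" -v m="$3" -v t="$4" \
        '$1 == d && $2 == m && $3 == t { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# has_nfs_principal FQDN: `klist -k` output on stdin lists nfs/FQDN@<realm>.
has_nfs_principal() {
    awk -v p="nfs/$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}
keytab_ok() { klist -k "$1" 2>/dev/null | has_nfs_principal "$2"; }
# ptr_name: `host <ip>` output on stdin -> PTR name without the trailing dot.
ptr_name() { awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'; }
rdns_ok() { [ "$(host "$1" 2>/dev/null | ptr_name)" = "$2" ]; }

# check LABEL COMMAND...: run COMMAND, print the result, remember any failure.
check() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fail=1; fi
}

# check_all ROLE FQDN [IP]: ROLE is server or client, FQDN is `hostname -f`.
check_all() {
    fail=0
    check "NEED_IDMAPD=yes" has_setting "$ROOT/etc/default/nfs-common" NEED_IDMAPD yes
    check "NEED_GSSD=yes" has_setting "$ROOT/etc/default/nfs-common" NEED_GSSD yes
    if [ "$1" = server ]; then
        check "NEED_SVCGSSD=yes" has_setting "$ROOT/etc/default/nfs-kernel-server" NEED_SVCGSSD yes
        check "nfsd in fstab" fstab_has "$ROOT/etc/fstab" nfsd /proc/fs/nfsd nfsd
    fi
    check "rpc_pipefs directory" test -d "$ROOT/var/lib/nfs/rpc_pipefs"
    check "rpc_pipefs in fstab" fstab_has "$ROOT/etc/fstab" rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs
    check "rpcsec_gss_krb5 in /etc/modules" grep -qsx rpcsec_gss_krb5 "$ROOT/etc/modules"
    check "nfs/$2 in keytab" keytab_ok "$ROOT/etc/krb5.keytab" "$2"
    if [ -n "${3:-}" ]; then check "PTR for $3 is $2" rdns_ok "$3" "$2"; fi
    return "$fail"
}
# Usage: sh thisfile server|client "$(hostname -f)" [ip-address]
if [ $# -ge 2 ]; then check_all "$@"; fi
```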



