nfs not working with kerberos
Edward Murrell
edward at murrell.co.nz
Thu May 10 17:09:46 EDT 2007
Your DNS looks like it's working correctly then.
I would guess that client is trying to connect using NFSv3, and the
server is correctly complaining that the client is not listed for NFSv3
in /etc/exports.
Although it will generate huge amounts of text, try running the
following as root to help you debug. Sometimes you can quite decent
debug messages;
/usr/sbin/rpc.gssd -fvvv
/usr/sbin/rpc.idmapd -fvvv
Cheers,
Edward
On Thu, 2007-05-10 at 10:27 +0200, Luca Lauretta wrote:
> >If you run;
> >host 130.251.17.158
> >What does it return? The output of ' hostname -s ' and ' hostname -f '
> >would be interesting as well.
>
> output of host 130.251.17.158 :
>
> 158.17.251.130.in-addr.arpa domain name pointer sughero.reti.dist.unige.it.
> (yes there is also a final full point..maybe is this the problem? in this
> case, what should i correct?)
>
> output of hostname -s :
>
> sughero
>
> output of hostname -f
>
> sughero.reti.dist.unige.it
>
>
> >Both the client In your /etc/krb5.keytab you should have the appropriate
> >keytab for nfs/hostname at REALM
> >eg;
> >nfs/sequoia.reti.dist.unige.it at RETI.DIST.UNIGE.IT
> >with encryption type of; des-cbc-crc:normal
>
> yep they have
>
>
> >* On the server, edit /etc/default/nfs-kernel-server, and set;
> >NEED_SVCGSSD=yes
>
> i tried it but it works if i want only kerberized nfsv4 mounts, in fact it
> substitutes the mountd daemon with this one
>
> >* On the client and the server add to /etc/default/nfs-common set;
> >NEED_IDMAPD=yes
> >* On the client and the server add to /etc/default/nfs-common set;
> >NEED_GSSD=yes
> >* Create the /var/lib/nfs/rpc_pipefs directory
> >* Add to /etc/modules : rpcsec_gss_krb5
> >* Add to /etc/fstab: rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults
> >0 0
> >* Add to /etc/fstab: nfsd /proc/fs/nfsd nfsd defaults 0 0
>
> set yet
>
> >* Add to /etc/modules : rpcsec_gss_krb5
>
> i'll let you know about his possibility
>
>
> >Hope this helps!
>
> thx for answering
>
>
> Luca Lauretta wrote:
> >hi i'm struggling in configuring nfsv4 working with mit kerberos v5
> >
> >
> >/etc/exports on server (sequoia)
> >
> >#/home/condivisa sughero.reti.dist.unige.it(rw,sync)
> >/home/condivisa
> >gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
> >#/home/prova sughero.reti.dist.unige.it(rw,sync)
> >/home/prova gss/krb5(rw,sync)
> >
> >(commented lines are to do more testing, same for different options in
> >gss/krb5 lines; without kerberos i get to mount the filesystems)
> >
> >/etc/fstab on client (sughero)
> >
> >sequoia:/home/condivisa /home/importata nfs defaults,noauto,sec=krb5
> >sequoia:/home/prova /home/verifica nfs defaults,noauto,sec=krb5
> >
> >
> >
> >from server (sequoia) /var/log/daemon.log i get:
> >
> >localhost mountd[30504]: mount request from unknown host 130.251.17.158 for
> >/home/condivisa (/home/condivisa)
> >
> >(130.251.17.158 is sughero, even if it says unknown host and i get to
> >connect to sughero thru other services, like ssh)
> >
> >from client (sughero) /var/log/daemon.log i get:
> >
> >localhost rpc.gssd[7950]: WARNING: Failed to obtain machine credentials for
> >connection to server sequoia.reti.dist.unige.it
> >
> >when i try to mount the filesystem (for example mount /home/importata) i
> >get:
> >mount: sequoia:/home/condivisa failed, reason given by server: Permission
> >denied (i use gnomed debian 2.14.3, no ldap netapp and similars)
> >
> >i hope you can find the solution, i'm going out crazy
> >
> >thank you
> >
>
> _________________________________________________________________
> Windows Live Hotmail: 2GB, protezione da virus e spam. GRATIS!
> http://imagine-windowslive.com/hotmail/default.aspx?locale=it#0
>
More information about the Kerberos
mailing list