nfs/kerberos problems

Chantal Rosmuller chantal at antenna.nl
Tue Aug 18 06:00:14 EDT 2009



Hi list, 



I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what 
I did:

First I installed the NFS server on ubuntuhardy1 and the client on ubuntuhardy2; NFS mounting from ubuntuhardy2 to ubuntuhardy1 without Kerberos works.

changed the following in /etc/default/nfs-kernel-server:

NEED_SVCGSSD=yes
RPCSVCGSSDOPTS="-vvv"

then I installed ntp on both servers

On the NFS/Kerberos server ubuntuhardy1:

 aptitude install krb5-admin-server krb5-kdc

edit /etc/hosts

 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
 192.168.0.109 ubuntuhardy1.localhost.network
 192.168.0.110 ubuntuhardy2.localhost.network

change hostname
 
 hostname ubuntuhardy1.localhost.network

edit /etc/krb5.conf 

[libdefaults]
        default_realm = LOCALHOST.NETWORK
[realms]
        LOCALHOST.NETWORK = {
                kdc = ubuntuhardy1.localhost.network
                admin_server = ubuntuhardy1.localhost.network
                default_domain = localhost.network
        }
[domain_realm]
        localhost.network = LOCALHOST.NETWORK
        .localhost.network = LOCALHOST.NETWORK
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
        
change /etc/krb5kdc/kdc.conf:

[kdcdefaults]
    kdc_ports = 750,88
[realms]
    LOCALHOST.NETWORK = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

create realm:

kdb5_util create -s

 Loading random data
 Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCALHOST.NETWORK',
 master key name 'K/M@LOCALHOST.NETWORK'
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 Enter KDC database master key:

restarted Kerberos

 /etc/init.d/krb5-admin-server restart
 /etc/init.d/krb5-kdc restart

started kadmin

 kadmin.local

added user:

 addprinc admin/admin

added host key for the server:

 addprinc -randkey host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK

add principal to the local key table:

 ktadd host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK

 output:

 Entry for principal host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
 Entry for principal host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

edit /etc/exports

 /var/www gss/krb5i(rw,sync)
 
restarted the NFS server

on the client ubuntuhardy2:


edit /etc/hosts

 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
 192.168.0.110 ubuntuhardy2.localhost.network
 192.168.0.109 ubuntuhardy1.localhost.network


install software

 aptitude install krb5-user krb5-clients libpam-krb5

copied /etc/krb5.conf from server

tested kerberos access:

 kinit admin/admin

and got this output:

 Password for admin/admin@LOCALHOST.NETWORK:

logged in again on the SERVER

kadmin

added principals for client ubuntuhardy2:

 addprinc -randkey host/ubuntuhardy2.localhost.network
 addprinc -randkey nfs/ubuntuhardy2.localhost.network

logged in on the client:

 kinit admin/admin
 Password for admin/admin@LOCALHOST.NETWORK: r

add principal for the client:

 kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network

 WARNING: no policy specified for nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK; defaulting to no policy
 Principal "nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK" created.
 
create key in the keytab:

 kadmin: ktadd nfs/ubuntuhardy2.localhost.network

 Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
 Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
 kadmin: quit

then I try to mount the NFS share:

 mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/
 
I get:

 mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www

and in /var/log/daemon.log on the server:

 ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)
 
Does anyone know what I am doing wrong?
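As an added example (not from the post, and not part of nfs-utils or MIT Kerberos), a pre-flight check in POSIX sh for the kind of setup described above. It parses constructed copies of the post's /etc/exports and server /etc/hosts, lists which security flavors an export grants, tests whether a given sec= mount flavor is among them, and resolves the client IP that mountd names in its "unknown host" message; it goes slightly beyond the post in also understanding the sec= export option alongside the gss/<flavor> pseudo-host form.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberos NFS mount. All inputs are constructed
# files so the script runs offline; nothing here touches a real server.

# List the security flavors an /etc/exports entry grants for PATH, one per
# line joined by spaces. Handles the gss/<flavor> pseudo-host form used in
# the post and the sec=<flavor>[:<flavor>] option; plain hosts mean "sys".
exports_flavors() {  # $1 = exports file, $2 = exported path
    awk -v path="$2" '$1 == path {
        for (i = 2; i <= NF; i++) {
            host = $i; sub(/\(.*/, "", host)            # host part before "("
            if (host ~ /^gss\//) { sub(/^gss\//, "", host); print host; continue }
            if (match($i, /sec=[a-z0-9:]+/)) {
                n = split(substr($i, RSTART + 4, RLENGTH - 4), f, ":")
                for (j = 1; j <= n; j++) print f[j]
            } else print "sys"
        }
    }' "$1" | sort -u | xargs
}

# Succeed only if the export grants the flavor the client will pass as sec=.
exports_allows() {  # $1 = exports file, $2 = path, $3 = sec= flavor
    case " $(exports_flavors "$1" "$2") " in *" $3 "*) return 0 ;; esac
    return 1
}

# Name the server's hosts file maps a client IP to (empty if none). mountd
# logs "mount request from unknown host <ip>" when it cannot match the
# client against any entry for the export, so this is the first thing to check.
hosts_name_for_ip() {  # $1 = hosts file, $2 = client ip
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed copies of the post's /etc/exports and server /etc/hosts.
    printf '/var/www gss/krb5i(rw,sync)\n' > "$tmp/exports"
    printf '192.168.0.110 ubuntuhardy2.localhost.network\n' > "$tmp/hosts"
    if exports_allows "$tmp/exports" /var/www krb5; then
        echo "sec=krb5 is granted by the export"
    else
        echo "sec=krb5 not granted; export offers: $(exports_flavors "$tmp/exports" /var/www)"
    fi
    echo "192.168.0.110 resolves to: $(hosts_name_for_ip "$tmp/hosts" 192.168.0.110)"
    rm -rf "$tmp"
}

demo
```

Run the functions against the real /etc/exports and /etc/hosts on the server, with the flavor from the client's mount command, to see whether the export and the mount request actually agree before looking at the keytabs.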



