nfs/kerberos problems

Kevin Coffman kwcoffman at gmail.com
Tue Aug 18 12:50:20 EDT 2009


On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller<chantal at antenna.nl> wrote:
>
> Hi list,
>
> I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what
> I did:
>
> first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs
> mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works
>
> changed the following on /etc/default/nfs-kernel-server:
>
> NEED_SVCGSSD=yes
> RPCSVCGSSDOPTS="-vvv"
>
> then I installed ntp on both servers
>
> On the nfs/kerberos server ubuntuhardy1
>
>  aptitude install krb5-admin-server krb5-kdc
>
> edit /etc/hosts
>
>  127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
>  192.168.0.109 ubuntuhardy1.localhost.network
>  192.168.0.110 ubuntuhardy2.localhost.network
>
> change hostname
>
>  hostname ubuntuhardy1.localhost.network
>
> edit /etc/krb5.conf
>
> [libdefaults]
>        default_realm = LOCALHOST.NETWORK
> [realms]
>        LOCALHOST.NETWORK = {
>                kdc = ubuntuhardy1.localhost.network
>                admin_server = ubuntuhardy1.localhost.network
>                default_domain = localhost.network
>        }
>  [domain_realm]
>        localhost.network = LOCALHOST.NETWORK
>        .localhost.network = LOCALHOST.NETWORK
>  [logging]
>        kdc = FILE:/var/log/krb5kdc.log
>        admin_server = FILE:/var/log/kadmin.log
>        default = FILE:/var/log/krb5lib.log
>
> change /etc/krb5kdc/kdc.conf:
>
> [kdcdefaults]
>    kdc_ports = 750,88
> [realms]
>    LOCALHOST.NETWORK = {
>        database_name = /var/lib/krb5kdc/principal
>        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>        acl_file = /etc/krb5kdc/kadm5.acl
>        key_stash_file = /etc/krb5kdc/stash
>        kdc_ports = 750,88
>        max_life = 10h 0m 0s
>        max_renewable_life = 7d 0h 0m 0s
>        master_key_type = des3-hmac-sha1
>        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des:normal des:v4 des:norealm des:onlyrealm des:afs3
>        default_principal_flags = +preauth
>    }
>
> create realm:
>
> kdb5_util create -s
>
>  loading random data
>  Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCALHOST.NETWORK',
>  master key name 'K/M@LOCALHOST.NETWORK'
>  You will be prompted for the database Master Password.
>  It is important that you NOT FORGET this password.
>  Enter KDC database master key:
>
> restarted kerberos
>
>  /etc/init.d/krb5-admin-server restart
>  /etc/init.d/krb5-kdc restart
>
> Now you can access your <meer> with the following command:
>
> started kadmin
>
>  kadmin.local
>
> added user:
>
>  addprinc admin/admin
>
> added Host key for the server:
>
>  addprinc -randkey host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK
>
> add principal to local key table <meer>
>
>  ktadd host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK
>  output:
>
>  Entry for principal host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
>  Entry for principal host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
>
> edit /etc/exports
>
>  /var/www gss/krb5i(rw,sync)
>
> restarted nfs server
>
> on the client ubuntuhardy2:
>
>
> edit /etc/hosts
>
>  127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
>  192.168.0.110 ubuntuhardy2.localhost.network
>  192.168.0.109 ubuntuhardy1.localhost.network
>
>
> install software
>
>  aptitude install krb5-user krb5-clients libpam-krb5
>
> copied /etc/krb5.conf from server
>
> tested kerberos access:
>
>  kinit admin/admin
>
> and got this output:
>
>  Password for admin/admin@LOCALHOST.NETWORK:
>
> logged in again on the SERVER
>
> kadmin
>
> added principal for client ubuntuhardy2
>
>  addprinc -randkey host/ubuntuhardy2.localhost.network
>  addprinc -randkey nfs/ubuntuhardy2.localhost.network
> client
>
> logged in on the client:
>
>  kinit admin/admin
>  Password for admin/admin@LOCALHOST.NETWORK: r
>
> add principal for client
>
>  kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
>
>  WARNING: no policy specified for nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK; defaulting to no policy
>  Principal "nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK" created.
>
> create key in keytab
>
>  kadmin: ktadd nfs/ubuntuhardy2.localhost.network
>
>  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
>  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
>  kadmin: quit
>
> then I try to mount the nfs share
>
>  mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/
>
> I get
>
>  mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www
>
> and in /var/log/daemon.log on the server
>
>  ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)
>
> Does anyone know what I am doing wrong?

Currently, you must limit the encryption type for the nfs principals
to only des-cbc-crc.

So, in both cases
  ktadd nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK
  ktadd nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK
should be
  ktadd -e des-cbc-crc:normal nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK
  ktadd -e des-cbc-crc:normal nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK

(See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)

K.C.
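A check that goes with the advice above, added here and not part of the original thread: it parses `klist -ke` output (the MIT Kerberos "KVNO principal (enctype)" line format) and reports whether every nfs/ entry in the keytab carries only the des-cbc-crc key the thread says the NFS kernel code of that era accepts. The sample keytab listings are constructed to mirror the ktadd output quoted in the question.

```shell
# Added example, not from the original thread. Reads `klist -ke` output on
# stdin and prints "principal<TAB>enctype" for each nfs/ entry.
nfs_keytab_enctypes() {
  awk '$1 ~ /^[0-9]+$/ && index($2, "nfs/") == 1 {
         p = $2
         e = $0
         sub(/^[^(]*\(/, "", e)    # drop everything up to the first "("
         sub(/\)[ \t]*$/, "", e)   # drop the closing ")"
         printf "%s\t%s\n", p, e
       }'
}

# Returns 0 only if every nfs/ entry is the DES cbc mode with CRC-32
# (des-cbc-crc) key; returns 1 as soon as any other enctype is present,
# which is the state that produced the "access denied" mount in the thread.
nfs_keytab_ok() {
  nfs_keytab_enctypes |
    awk -F'\t' '$2 != "DES cbc mode with CRC-32" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: keytab after a plain `ktadd nfs/...` (both enctypes).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# Constructed sample: keytab after `ktadd -e des-cbc-crc:normal nfs/...`.
FIXED_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# On a real client run:  klist -ke /etc/krb5.keytab | nfs_keytab_ok
if printf '%s\n' "$SAMPLE_KLIST" | nfs_keytab_ok; then
  echo "nfs/ keys are des-cbc-crc only"
else
  echo "nfs/ principal has extra enctypes; re-run ktadd -e des-cbc-crc:normal"
fi
```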
