nfs/kerberos problems

Chantal Rosmuller chantal at antenna.nl
Wed Aug 19 13:28:41 EDT 2009


On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller<chantal at antenna.nl> wrote:
> > Hi list,
> >
> >
> >
> > I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's
> > what I did:
> >
> > first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2,
> > nfs mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works
> >
> > changed the following on /etc/default/nfs-kernel-server:
> >
> > NEED_SVCGSSD=yes
> > RPCSVCGSSDOPTS="-vvv"
> >
> > then I installed ntp on both servers
> >
> > On the nfs/kerberos server ubuntuhardy1
> >
> >  aptitude install krb5-admin-server krb5-kdc
> >
> > edit /etc/hosts
> >
> >  127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> >  192.168.0.109 ubuntuhardy1.localhost.network
> >  192.168.0.110 ubuntuhardy2.localhost.network
> >
> > change hostname
> >
> >  hostname ubuntuhardy1.localhost.network
> >
> > edit /etc/krb5.conf
> >
> > [libdefaults]
> >        default_realm = LOCALHOST.NETWORK
> > [realms]
> >        LOCALHOST.NETWORK = {
> >                kdc = ubuntuhardy1.localhost.network
> >                admin_server = ubuntuhardy1.localhost.network
> >                default_domain = localhost.network
> >        }
> >  [domain_realm]
> >        localhost.network = LOCALHOST.NETWORK
> >        .localhost.network = LOCALHOST.NETWORK
> >  [logging]
> >        kdc = FILE:/var/log/krb5kdc.log
> >        admin_server = FILE:/var/log/kadmin.log
> >        default = FILE:/var/log/krb5lib.log
> >
> > change /etc/krb5kdc/kdc.conf:
> >
> > [kdcdefaults]
> >    kdc_ports = 750,88
> > [realms]
> >    LOCALHOST.NETWORK = {
> >        database_name = /var/lib/krb5kdc/principal
> >        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >        acl_file = /etc/krb5kdc/kadm5.acl
> >        key_stash_file = /etc/krb5kdc/stash
> >        kdc_ports = 750,88
> >        max_life = 10h 0m 0s
> >        max_renewable_life = 7d 0h 0m 0s
> >        master_key_type = des3-hmac-sha1
> >        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> > des:normal des:v4 des:norealm des:onlyrealm des:afs3
> >        default_principal_flags = +preauth
> >    }
> >
> > create realm:
> >
> > kdb5_util create -s
> >
> >  loading random data
> >  Initializing database '/var/lib/krb5kdc/principal' for realm
> > 'LOCALHOST.NETWORK',
> >  master key name 'K/M at LOCALHOST.NETWORK'
> >  You will be prompted for the database Master Password.
> >  It is important that you NOT FORGET this password.
> >  Enter KDC database master key:
> >
> > restarted kerberos
> >
> >  /etc/init.d/krb5-admin-server restart
> >  /etc/init.d/krb5-kdc restart
> >
> > Now you can access your <more> with the following command:
> >
> > started kadmin
> >
> >  kadmin.local
> >
> > added user:
> >
> >  addprinc admin/admin
> >
> > added Host key for the server:
> >
> >  addprinc -randkey host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> >
> > add principal to local key table <more>
> >
> >  ktadd host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> >  output:
> >
> >  Entry for principal
> > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > encryption type DES cbc mode with CRC-32 added to keytab
> > WRFILE:/etc/krb5.keytab.
> >
> > edit /etc/exports
> >
> >  /var/www gss/krb5i(rw,sync)
> >
> > restarted nfs server
> >
> > on the client ubuntuhardy2:
> >
> >
> > edit /etc/hosts
> >
> >  127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> >  192.168.0.110 ubuntuhardy2.localhost.network
> >  192.168.0.109 ubuntuhardy1.localhost.network
> >
> >
> > install software
> >
> >  aptitude install krb5-user krb5-clients libpam-krb5
> >
> > copied /etc/krb5.conf from server
> >
> > tested kerberos access:
> >
> >  kinit admin/admin
> >
> > and got this output:
> >
> >  Password for admin/admin at LOCALHOST.NETWORK:
> >
> > logged in again on the SERVER
> >
> > kadmin
> >
> > added principal for client ubuntuhardy2
> >
> >  addprinc -randkey host/ubuntuhardy2.localhost.network
> >  addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > client
> >
> > logged in on the client:
> >
> >  kinit admin/admin
> >  Password for admin/admin at LOCALHOST.NETWORK: r
> >
> > add principal for client
> >
> >  kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
> >
> >  WARNING: no policy specified for
> > nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK; defaulting to no
> > policy Principal "nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK" created.
> >
> > create key in keytab
> >
> >  kadmin: ktadd nfs/ubuntuhardy2.localhost.network
> >
> >  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc
> > mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. kadmin: quit
> >
> > then I try to mount the nfs share
> >
> >  mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www
> > /mnt/websites/
> >
> > I get
> >
> >  mount.nfs: access denied by server while mounting
> > ubuntuhardy1.localhost.network:/var/www
> >
> > and in /var/log/daemon.log on the server
> >
> >  ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110
> > for /var/www (/var/www)
> >
> > Does anyone know what I am doing wrong?
>
> Currently, you must limit the encryption type for the nfs principals
> to only des-cbc-crc.
>
> So, in both cases
>   ktadd nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
>   ktadd nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> should be
>   ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
>   ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
>
> (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
> K.C.

It does get rid of the double keys, but it's not working yet... Do I need to
do the same for host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK and
host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK?
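The two things a reader of this thread would want to verify on their own hosts are the ones the exchange turns on: whether the nfs/ keytab entries carry exactly the single enctype Kevin recommends (the ktadd output above shows two keys per principal before the `-e des-cbc-crc:normal` fix), and whether the security flavour the client asks for in its mount options is one the export actually offers (the server exports `gss/krb5i` while the client mounts with `sec=krb5`). The following checker is an added example written for this page; it is not code from the thread or from the Kerberos or nfs-utils projects. It works on constructed text that mimics `klist -ke` output and an `/etc/exports` file, so it runs offline; the sample listing, the `/srv/data` export line and the function names are assumptions made for the example. The exports parser handles both the old `gss/<flavor>` pseudo-client form used in the thread and the later `sec=flavor:flavor` option form from exports(5), which goes beyond the single case on the page.

```python
"""Offline consistency checks for a Kerberos-secured NFS setup (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the ktadd messages in the thread: both the
# host/ and the nfs/ principal received a 3DES key and a DES key (kvno 3).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""

# Constructed exports file: the first line is the one from the thread, the
# second uses the newer sec= option syntax (assumed path, for illustration).
SAMPLE_EXPORTS = """\
/var/www gss/krb5i(rw,sync)
/srv/data *(rw,sec=krb5:krb5p)   # assumed extra export
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
CLIENT_SPEC = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


def parse_keytab_listing(text):
    """Map principal -> list of (kvno, enctype description) from `klist -ke` text."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(entries)


def nfs_principal_problems(entries, allowed="DES cbc mode with CRC-32"):
    """Report nfs/ principals whose keytab entries deviate from a single key of
    the allowed enctype, which is the constraint Kevin's reply describes."""
    problems = []
    for princ, keys in entries.items():
        if not princ.startswith("nfs/"):
            continue  # the thread's advice is about nfs/ principals only
        types = [enc for _, enc in keys]
        extra = [t for t in types if t != allowed]
        if extra:
            problems.append(f"{princ}: extra enctype(s) {extra}; "
                            f"re-run ktadd -e des-cbc-crc:normal")
        if allowed not in types:
            problems.append(f"{princ}: missing key of type {allowed}")
    return problems


def export_flavors(exports_text):
    """Map export path -> set of RPCSEC_GSS flavours the server offers for it."""
    flavors = defaultdict(set)
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, _, clients = line.partition(" ")
        for m in CLIENT_SPEC.finditer(clients.strip()):
            host, opts = m.group(1), m.group(2) or ""
            if host.startswith("gss/"):           # old pseudo-client form
                flavors[path].add(host[len("gss/"):])
            for opt in opts.split(","):           # newer sec=a:b:c option form
                if opt.startswith("sec="):
                    flavors[path].update(opt[len("sec="):].split(":"))
    return dict(flavors)


def mount_flavor(mount_opts):
    """Extract the sec= flavour from a mount option string (default is sys)."""
    for opt in mount_opts.split(","):
        if opt.startswith("sec="):
            return opt[len("sec="):]
    return "sys"


def check_mount(exports_text, path, mount_opts):
    """Return None when the client's flavour is offered, else a description."""
    wanted = mount_flavor(mount_opts)
    offered = export_flavors(exports_text).get(path, set())
    if wanted in offered:
        return None
    return f"{path}: client asks for sec={wanted}, export offers {sorted(offered)}"


if __name__ == "__main__":
    for p in nfs_principal_problems(parse_keytab_listing(SAMPLE_KLIST)):
        print("keytab:", p)
    verdict = check_mount(SAMPLE_EXPORTS, "/var/www", "sec=krb5")
    print("mount:", verdict or "flavour matches export")
```

Run against a real host, feed `klist -ke` and `/etc/exports` into the two parsers; on the sample above it flags the extra 3DES key on the nfs/ principal and the krb5 versus krb5i mismatch, while `sec=krb5i` passes. Single-DES enctypes are long retired from current Kerberos releases, so on a modern system the `allowed` argument is the place to put whatever enctype your KDC and nfs-utils actually negotiate.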


