nfs/kerberos problems
Chantal Rosmuller
chantal at antenna.nl
Wed Aug 19 13:34:27 EDT 2009
On Wednesday 19 August 2009 19:28:41 Chantal Rosmuller wrote:
> On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> > On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller<chantal at antenna.nl> wrote:
> > > Hi list,
> > >
> > >
> > >
> > > I cannot get nfs with kerberos working on my Ubuntu 8.04 servers,
> > > here's what I did:
> > >
> > > first I installed nfs server on ubuntuhardy1 and client on
> > > ubuntuhardy2, nfs mounting from ubuntuhardy2 to ubuntuhardy1 without
> > > kerberos works
> > >
> > > changed the following on /etc/default/nfs-kernel-server:
> > >
> > > NEED_SVCGSSD=yes
> > > RPCSVCGSSDOPTS="-vvv"
> > >
> > > then I installed ntp on both servers
> > >
> > > On the nfs/kerberos server ubuntuhardy1
> > >
> > > aptitude install krb5-admin-server krb5-kdc
> > >
> > > edit /etc/hosts
> > >
> > > 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> > > 192.168.0.109 ubuntuhardy1.localhost.network
> > > 192.168.0.110 ubuntuhardy2.localhost.network
> > >
> > > change hostname
> > >
> > > hostname ubuntuhardy1.localhost.network
> > >
> > > edit /etc/krb5.conf
> > >
> > > [libdefaults]
> > > default_realm = LOCALHOST.NETWORK
> > > [realms]
> > > LOCALHOST.NETWORK = {
> > > kdc = ubuntuhardy1.localhost.network
> > > admin_server = ubuntuhardy1.localhost.network
> > > default_domain = localhost.network
> > > }
> > > [domain_realm]
> > > localhost.network = LOCALHOST.NETWORK
> > > .localhost.network = LOCALHOST.NETWORK
> > > [logging]
> > > kdc = FILE:/var/log/krb5kdc.log
> > > admin_server = FILE:/var/log/kadmin.log
> > > default = FILE:/var/log/krb5lib.log
> > >
> > > change /etc/krb5kdc/kdc.conf:
> > >
> > > [kdcdefaults]
> > > kdc_ports = 750,88
> > > [realms]
> > > LOCALHOST.NETWORK = {
> > > database_name = /var/lib/krb5kdc/principal
> > > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > > acl_file = /etc/krb5kdc/kadm5.acl
> > > key_stash_file = /etc/krb5kdc/stash
> > > kdc_ports = 750,88
> > > max_life = 10h 0m 0s
> > > max_renewable_life = 7d 0h 0m 0s
> > > master_key_type = des3-hmac-sha1
> > > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> > > des:normal des:v4 des:norealm des:onlyrealm des:afs3
> > > default_principal_flags = +preauth
> > > }
> > >
> > > create realm:
> > >
> > > kdb5_util create -s
> > >
> > > loading random data
> > > Initializing database '/var/lib/krb5kdc/principal' for realm
> > > 'LOCALHOST.NETWORK',
> > > master key name 'K/M at LOCALHOST.NETWORK'
> > > You will be prompted for the database Master Password.
> > > It is important that you NOT FORGET this password.
> > > Enter KDC database master key:
> > >
> > > restarted kerberos
> > >
> > > /etc/init.d/krb5-admin-server restart
> > > /etc/init.d/krb5-kdc restart Now you can access your <more> with the
> > > following command:
> > >
> > > started kadmin
> > >
> > > kadmin.local
> > >
> > > added user:
> > >
> > > addprinc admin/admin
> > >
> > > added Host key for the server:
> > >
> > > addprinc -randkey
> > > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > >
> > > add principal to local key table <more>
> > >
> > > ktadd host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > > output:
> > >
> > > Entry for principal
> > > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > > WRFILE:/etc/krb5.keytab. Entry for principal
> > > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > > encryption type DES cbc mode with CRC-32 added to keytab
> > > WRFILE:/etc/krb5.keytab.
> > >
> > > edit /etc/exports
> > >
> > > /var/www gss/krb5i(rw,sync)
> > >
> > > restarted nfs server
> > >
> > > on the client ubuntuhardy2:
> > >
> > >
> > > edit /etc/hosts
> > >
> > > 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> > > 192.168.0.110 ubuntuhardy2.localhost.network
> > > 192.168.0.109 ubuntuhardy1.localhost.network
> > >
> > >
> > > install software
> > >
> > > aptitude install krb5-user krb5-clients libpam-krb5
> > >
> > > copied /etc/krb5.conf from server
> > >
> > > tested kerberos access:
> > >
> > > kinit admin/admin
> > >
> > > and got this output:
> > >
> > > Password for admin/admin at LOCALHOST.NETWORK:
> > >
> > > logged in again on the SERVER
> > >
> > > kadmin
> > >
> > > added principal for client ubuntuhardy2
> > >
> > > addprinc -randkey host/ubuntuhardy2.localhost.network
> > > addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > > client
> > >
> > > logged in on the client:
> > >
> > > kinit admin/admin
> > > Password for admin/admin at LOCALHOST.NETWORK: r
> > >
> > > add principal for client
> > >
> > > kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > >
> > > WARNING: no policy specified for
> > > nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK; defaulting to no
> > > policy Principal “nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK”
> > > created.
> > >
> > > create key in keytab
> > >
> > > kadmin: ktadd nfs/ubuntuhardy2.localhost.network
> > >
> > > Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3,
> > > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > > WRFILE:/etc/krb5.keytab. Entry for principal
> > > nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc
> > > mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. kadmin: quit
> > >
> > > then I try to mount the nfs share
> > >
> > > mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www
> > > /mnt/websites/
> > >
> > > I get
> > >
> > > mount.nfs: access denied by server while mounting
> > > ubuntuhardy1.localhost.network:/var/www
> > >
> > > and in /var/log/daemon.log on the server
> > >
> > > ubuntuhardy1 mountd[1913]: mount request from unknown host
> > > 192.168.0.110 for /var/www (/var/www)
> > >
> > > Does anyone know what I am doing wrong?
> >
> > Currently, you must limit the encryption type for the nfs principals
> > to only des-cbc-crc.
> >
> > So, in both cases
> > ktadd nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > ktadd nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> > should be
> > ktadd -e des-cbc-crc:normal
> > nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > ktadd -e des-cbc-crc:normal
> > nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> >
> > (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
> > K.C.
>
> It does get rid of the double keys but it's not working yet... do I need
> to do the same for host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> and host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK?
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
still no success :(
keytabs look like this now
root at ubuntuhardy2:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
6 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
4 host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
4 nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
5 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)