kerberos/nfs problems: unmatched host

Chantal Rosmuller chantal at antenna.nl
Mon Nov 23 02:04:49 EST 2009



Hi list,

I can't get Kerberos and NFS working on my CentOS 5.4 test servers.

This is the error I get: Nov 22 11:14:54 nfsserver mountd[3155]: refused mount 
request from 172.16.153.128 for /export/data (/export/data): unmatched host

Does it have something to do with DNS?

here's what I did:

SETUP

nfsserver.domein.nl 172.16.153.129 (vmware guest)
nfsclient.domein.nl 172.16.153.128 (vmware guest)
realm : DOMEIN.NL

SERVER


* get time right with ntpd

* disable firewall

* install packages  

yum install krb5-libs krb5-server  krb5-workstation

* edit /etc/hosts

172.16.153.129 nfsserver.domein.nl
127.0.0.1		nfsserver localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
172.16.153.128 nfsclient.domein.nl

* edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMEIN.NL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMEIN.NL = {
  kdc = nfsserver.domein.nl:88
  admin_server = nfsserver.domein.nl:749
  default_domain = domein.nl
 }

[domain_realm]
 .domein.nl = DOMEIN.NL
 domein.nl = DOMEIN.NL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

* edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 DOMEIN.NL = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

* edit /var/kerberos/krb5kdc/kadm5.acl

*/admin@DOMEIN.NL	*

* start services

/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

* create database:

/usr/kerberos/sbin/kdb5_util create -s

* add root principal

addprinc root/admin

* add host principal

addprinc host/nfsserver.domein.nl

* add nfs principal

addprinc nfs/nfsserver.domein.nl

* add client host and nfs principal

addprinc host/nfsclient.domein.nl
addprinc nfs/nfsclient.domein.nl

* add keys

ktadd host/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl

* edit /etc/sysconfig/nfs

SECURE_NFS="yes"

* edit /etc/idmap.conf

Domain = domein.nl

* edit /etc/exports

/export      gss/krb5(sync,rw,fsid=0)

* restart nfs

/sbin/service nfs restart

CLIENT

* get time right with ntpd

* disable firewall

* install packages  

yum install krb5-libs pam_krb5  krb5-workstation

* edit /etc/hosts

172.16.153.128 nfsclient.domein.nl
127.0.0.1		nfsclient nfsclient localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
172.16.153.129 nfsserver.domein.nl

* copy /etc/krb5.conf from nfsserver

* login with kadmin

* add keys

ktadd host/nfsclient.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsclient.domein.nl

* mount

[root@nfsclient ~]# mount -t nfs -o sec=krb5 nfsserver.domein.nl:/ /mnt
mount: nfsserver.domein.nl:/ failed, reason given by server: Permission denied

SERVER

* tail /var/log/messages

Nov 22 11:40:42 nfsserver mountd[3155]: refused mount request from 
172.16.153.128 for / (/): unmatched host

* More logging:

[root@nfsserver ~]# rpc.gssd -fvvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'nfs/nfsserver.domein.nl@DOMEIN.NL'
We will use this entry (nfs/nfsserver.domein.nl@DOMEIN.NL)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_DOMEIN.NL'

I have no idea what I am doing wrong here, I reinstalled kerberos/nfs a lot of 
times and checked a lot of howtos..........
Does anyone have any idea? Can it have anything to do with the fact that they 
are vmware guests and I use NAT networking or did I do something wrong in the 
configuration?







