kerberos/nfs problems: unmatched host
Chantal Rosmuller
chantal at antenna.nl
Mon Nov 23 02:04:49 EST 2009
Hi list,
I can't get kerberos and NFS working on my CentOS 5.4 test servers.
This is the error I get: Nov 22 11:14:54 nfsserver mountd[3155]: refused mount
request from 172.16.153.128 for /export/data (/export/data): unmatched host
Does it have something to do with DNS?
Here's what I did:
SETUP
nfsserver.domein.nl 172.16.153.129 (vmware guest)
nfsclient.domein.nl 172.16.153.128 (vmware guest)
realm : DOMEIN.NL
SERVER
* get time right with ntpd
* disable firewall
* install packages
yum install krb5-libs krb5-server krb5-workstation
* edit /etc/hosts
172.16.153.129 nfsserver.domein.nl
127.0.0.1 nfsserver localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.16.153.128 nfsclient.domein.nl
* edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMEIN.NL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMEIN.NL = {
kdc = nfsserver.domein.nl:88
admin_server = nfsserver.domein.nl:749
default_domain = domein.nl
}
[domain_realm]
.domein.nl = DOMEIN.NL
domein.nl = DOMEIN.NL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
* edit /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
DOMEIN.NL = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
* edit /var/kerberos/krb5kdc/kadm5.acl
*/admin@DOMEIN.NL *
* start services
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
* create database:
/usr/kerberos/sbin/kdb5_util create -s
* add root principal
addprinc root/admin
* add host principal
addprinc host/nfsserver.domein.nl
* add nfs principal
addprinc nfs/nfsserver.domein.nl
* add client host and nfs principal
addprinc host/nfsclient.domein.nl
addprinc nfs/nfsclient.domein.nl
* add keys
ktadd host/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl
* edit /etc/sysconfig/nfs
SECURE_NFS="yes"
* edit /etc/idmap.conf
Domain = domein.nl
* edit /etc/exports
/export gss/krb5(sync,rw,fsid=0)
* restart nfs
/sbin/service nfs restart
CLIENT
* get time right with ntpd
* disable firewall
* install packages
yum install krb5-libs pam_krb5 krb5-workstation
* edit /etc/hosts
172.16.153.128 nfsclient.domein.nl
127.0.0.1 nfsclient nfsclient localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.16.153.129 nfsserver.domein.nl
* copy /etc/krb5.conf from nfsserver
* login with kadmin
* add keys
ktadd host/nfsclient.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsclient.domein.nl
* mount
[root@nfsclient ~]# mount -t nfs -o sec=krb5 nfsserver.domein.nl:/ /mnt
mount: nfsserver.domein.nl:/ failed, reason given by server: Permission denied
SERVER
* tail /var/log/messages
Nov 22 11:40:42 nfsserver mountd[3155]: refused mount request from
172.16.153.128 for / (/): unmatched host
* More logging:
[root@nfsserver ~]# rpc.gssd -fvvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'nfs/nfsserver.domein.nl@DOMEIN.NL'
We will use this entry (nfs/nfsserver.domein.nl@DOMEIN.NL)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_DOMEIN.NL'
I have no idea what I am doing wrong here, I reinstalled kerberos/nfs a lot of
times and checked a lot of howtos..........
Does anyone have any idea? Can it have anything to do with the fact that they
are vmware guests and I use NAT networking or did I do something wrong in the
configuration?
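
An added example, not part of the original post: a Python check that lines up the mountd refusals quoted above with the /etc/exports line from the post. For each refused request it reports whether the requested path is itself listed and which client specs the nearest exported parent carries. The sample inputs are constructed from the values in the post, the function names are hypothetical, and the code does not reproduce mountd's own host matching.

```python
import re

# Constructed sample input: the export line and the two mountd messages quoted
# in the post (the wrapped log lines are rejoined).
EXPORTS = "/export gss/krb5(sync,rw,fsid=0)\n"
LOG = (
    "Nov 22 11:14:54 nfsserver mountd[3155]: refused mount request from "
    "172.16.153.128 for /export/data (/export/data): unmatched host\n"
    "Nov 22 11:40:42 nfsserver mountd[3155]: refused mount request from "
    "172.16.153.128 for / (/): unmatched host\n"
)
REFUSED = re.compile(r"mountd\[\d+\]: refused mount request from (?P<client>\S+) "
                     r"for (?P<path>\S+) \([^)]*\): (?P<reason>.+)$")

def parse_exports(text):
    """Map each export path to its client specs (simplified: no quoted paths)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        # "client(opt,opt)" -> "client"; a bare "(opts)" means any host.
        table[fields[0]] = [spec.split("(", 1)[0] or "*" for spec in fields[1:]]
    return table

def explain_refusals(exports_text, log_text):
    """For each refused request, report how its path relates to the export table."""
    table = parse_exports(exports_text)
    findings = []
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if not m:
            continue
        path = m["path"]
        # Exported directories that are the requested path or one of its parents.
        parents = [p for p in table
                   if path == p or path.startswith(p.rstrip("/") + "/")]
        nearest = max(parents, key=len, default=None)
        findings.append({
            "client": m["client"], "path": path, "reason": m["reason"],
            "listed": path in table,             # exact path in /etc/exports?
            "nearest_export": nearest,           # closest exported parent, if any
            "client_specs": table.get(nearest, []),
        })
    return findings

if __name__ == "__main__":
    for f in explain_refusals(EXPORTS, LOG):
        print(f)
```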