NFSv4
steve
steve at steve-ss.com
Wed Oct 2 03:55:12 EDT 2013
On Wed, 2013-10-02 at 00:30 -0700, Tom_Krauss wrote:
> In my experience when mounting a kerberized nfs the key which is picked from
> the keytab always depends on the implementation.
> It may require a key of a certain principal or the system runs through a
> list of possible names for which it looks up keys.
>
> I.e. RHEL clients prior to release 6 use nfs/* to authenticate.
>
> If k5start is used for access to the filesystem afaik it is possible to
> specify the principal to look up keys for (-u option).
Hi
Maybe Red Hat does it differently, but for deciding on a key from the
keytab, other distros follow the guidelines in rpc.gssd(8). Any of the
following keys are fine for kerberized nfs on a client:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
We use the MACHINE$ key simply because it already happens to be there.
Only the server must have the nfs/ service key.
HTH,
Steve
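
Added example, not part of the original message and not nfs-utils code: a small checker that reads `klist -k` output and reports which keytab entry a client would use, assuming rpc.gssd tries the names in the order listed above, as rpc.gssd(8) describes. The hostname, realm, sample keytab listing and function names are constructed for illustration.

```python
import re

# Constructed `klist -k /etc/krb5.keytab` output for a hypothetical client.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/client1.example.com@EXAMPLE.COM
   3 nfs/client1.example.com@EXAMPLE.COM
   5 CLIENT1$@EXAMPLE.COM
"""

SERVICES = ("root", "nfs", "host")  # service prefixes, in the order of the list above


def keytab_principals(klist_output):
    """Return the principals from `klist -k` (or `klist -ke`) output, in order."""
    found = []
    for line in klist_output.splitlines():
        # Data lines start with a numeric KVNO; header lines do not match.
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def pick_machine_principal(klist_output, fqdn, realm):
    """First keytab entry matching the list above, or None if nothing matches."""
    principals = keytab_principals(klist_output)
    # Assumption: <HOSTNAME>$ is the upper-cased short hostname plus "$".
    short = fqdn.split(".")[0].upper()
    exact = [f"{short}$@{realm}"] + [f"{s}/{fqdn}@{realm}" for s in SERVICES]
    for name in exact:
        if name in principals:
            return name
    # <anyname> entries: same service prefixes, any instance, same realm.
    for s in SERVICES:
        for name in principals:
            if name.startswith(s + "/") and name.endswith("@" + realm):
                return name
    return None


if __name__ == "__main__":
    print(pick_machine_principal(SAMPLE_KLIST, "client1.example.com", "EXAMPLE.COM"))
```

A result of None means the keytab holds none of the listed names, so the client has no key to build its machine credential from.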