AW: Newbie nfsv4 debian, netapp
Thomas Krauss - ITServ GmbH
thomas.krauss at itserv.de
Fri Oct 25 08:29:16 EDT 2013
Two possible solutions:
a.) Delete all but DES keys from Netapps nfs principal in KDB.
b.) configure default_tgs_enctypes to only use DES
In fact it works with arcfour as well but Netapp does not support it officially.
-----Ursprüngliche Nachricht-----
> Von:Frédéric Goudal <frederic.goudal at ipb.fr <mailto:frederic.goudal at ipb.fr> >
> Gesendet: Fre 25 Oktober 2013 09:17
> An: Thomas Krauss - ITServ GmbH <thomas.krauss at itserv.de <mailto:thomas.krauss at itserv.de> >
> CC: Frédéric Goudal <frederic.goudal at ipb.fr <mailto:frederic.goudal at ipb.fr> >; kerberos at mit.edu <mailto:kerberos at mit.edu>
> Betreff: Re: Newbie nfsv4 debian, netapp
>
> Ok, you are right.
>
> What I did was mount.nfs4 -o sec=krb5
> But the correct command is
> mount -t nfs -o "vers=4,sec=krb5"
>
> THe result is :
>
> Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: NEEDED_PREAUTH: nfs/client.fqdnr at IPB.FR <mailto:client.fqdnr at IPB.FR> for krbtgt/DO.M at DO.M, Additional pre-authentication required
> Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for krbtgt/DO.M at DO.M
> Oct 25 08:47:03 kerberos krb5kdc[2631](info): TGS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for nfs/serv.fqdn at DO.M
>
> So as far as I understand it seemst that the service ticket to access the nfs server is delivered.
>
> But on the netapp filer I have
> Kerberos: encryption type 18 not supported
>
> From what I read in the netapp doc it seems that the netapp does only support des + crc encryption
>
> I tried to remove all but (des-cbc-crc) encryption in the /etc/krb5.keytab on the client for the nfs/client principal
> but the kerberos server does not go further thant needed_preauth...
>
> I guess I have something to do in the configuration so that dec encryption can be used ?
>
> f.g.
>
>
> Le 25 oct. 2013 à 08:14, Tom_Krauss <thomas.krauss at itserv.de <mailto:thomas.krauss at itserv.de> > a écrit :
>
> > You probably do not mount kerberized at all.
> > Use "mount -o sec=krb5 ..." or change the clients defaults.
> >
> > Hth
> >
> >
> >
> > --
> > View this message in context: http://kerberos.996246.n3.nabble.com/Newbie-nfsv4-debian-netapp-tp38752p38761.html <http://kerberos.996246.n3.nabble.com/Newbie-nfsv4-debian-netapp-tp38752p38761.html>
> > Sent from the Kerberos - General mailing list archive at Nabble.com.
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu <mailto:Kerberos at mit.edu>
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Angaben gemäß §35a GmbH-Gesetz:
ITServ GmbH
Sitz der Gesellschaft: 55294 Bodenheim/Rhein
Eingetragen unter Registernummer HRB 41668 beim Amtsgericht Mainz
Vertretungsberechtiger Geschäftsführer: Peter Bauer, 55294 Bodenheim
Umsatzsteuer-ID: DE182270475
More information about the Kerberos
mailing list