AW: Newbie nfsv4 debian, netapp

Thomas Krauss - ITServ GmbH thomas.krauss at itserv.de
Fri Oct 25 08:29:16 EDT 2013


Two possible solutions:
a.) Delete all but DES keys from Netapp's nfs principal in KDB.
b.) Configure default_tgs_enctypes to only use DES.

In fact it works with arcfour as well but Netapp does not support it officially.



 
 
-----Original Message-----
> From: Frédéric Goudal <frederic.goudal at ipb.fr>
> Sent: Fri 25 October 2013 09:17
> To: Thomas Krauss - ITServ GmbH <thomas.krauss at itserv.de>
> CC: Frédéric Goudal <frederic.goudal at ipb.fr>; kerberos at mit.edu
> Subject: Re: Newbie nfsv4 debian, netapp
> 
> Ok, you are right.
> 
> What I did was mount.nfs4 -o sec=krb5 
> But the correct command is 
> mount -t nfs -o "vers=4,sec=krb5"
> 
> The result is:
> 
> Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: NEEDED_PREAUTH: nfs/client.fqdnr at IPB.FR for krbtgt/DO.M at DO.M, Additional pre-authentication required
> Oct 25 08:47:02 kerberos krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for krbtgt/DO.M at DO.M
> Oct 25 08:47:03 kerberos krb5kdc[2631](info): TGS_REQ (2 etypes {16 17}) 147.210.18.37: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.fqdnr at DO.M for nfs/serv.fqdn at DO.M
> 
> So as far as I understand, it seems that the service ticket to access the nfs server is delivered.
> 
> But on the netapp filer I have 
> Kerberos: encryption type 18 not supported
> 
> From what I read in the netapp doc it seems that the netapp does only support des + crc encryption
> 
> I tried to remove all but (des-cbc-crc) encryption in the /etc/krb5.keytab on the client for the nfs/client principal
> but the kerberos server does not go further than needed_preauth...
> 
> I guess I have something to do in the configuration so that des encryption can be used?
> 
> f.g.
> 
> 
> On 25 Oct 2013 at 08:14, Tom_Krauss <thomas.krauss at itserv.de> wrote:
> 
> > You probably do not mount kerberized at all.
> > Use "mount -o sec=krb5 ..." or change the client's defaults.
> > 
> > Hth
> > 
> > 
> > 
> > --
> > View this message in context: http://kerberos.996246.n3.nabble.com/Newbie-nfsv4-debian-netapp-tp38752p38761.html
> > Sent from the Kerberos - General mailing list archive at Nabble.com.
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 



--
Information pursuant to §35a GmbH-Gesetz:
ITServ GmbH
Registered office: 55294 Bodenheim/Rhein
Registered under number HRB 41668 at the Amtsgericht Mainz
Authorized managing director: Peter Bauer, 55294 Bodenheim
VAT ID: DE182270475
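
Added example (not part of the original messages): a Python check that reads krb5kdc ISSUE lines like the ones quoted in the thread and reports service tickets whose ticket key (`tkt`) or session key (`ses`) uses an encryption type the NFS server cannot handle. The log lines, host names and realm are constructed after the thread's output, and the supported set `{1}` (des-cbc-crc) is an assumption taken from the poster's reading of the NetApp documentation.

```python
import re

# Kerberos encryption type numbers relevant to this thread.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Matches only lines where a ticket was actually issued (not NEEDED_PREAUTH).
ISSUE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[\d ]+)\}\) \S+ "
    r"ISSUE: authtime \d+, etypes \{rep=\d+ tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<client>.+?) for (?P<service>.+)$"
)

def unusable_tickets(log_lines, service_prefix, supported):
    """Return (kind, service, field, etype, name) for every issued ticket to a
    matching service whose tkt or ses etype is outside `supported`.

    tkt: etype of the service principal's key the KDC encrypted the ticket with.
    ses: etype of the session key shared by client and service.
    """
    findings = []
    for line in log_lines:
        m = ISSUE_RE.search(line)
        if not m or not m["service"].startswith(service_prefix):
            continue
        for field in ("tkt", "ses"):
            etype = int(m[field])
            if etype not in supported:
                name = ETYPE_NAMES.get(etype, "unknown")
                findings.append((m["kind"], m["service"], field, etype, name))
    return findings

# Constructed sample, modelled on the KDC log in the thread.
SAMPLE_LOG = [
    "Oct 25 08:47:02 kdc krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 192.0.2.10: NEEDED_PREAUTH: nfs/client.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required",
    "Oct 25 08:47:02 kdc krb5kdc[2631](info): AS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    "Oct 25 08:47:03 kdc krb5kdc[2631](info): TGS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1382683622, etypes {rep=16 tkt=18 ses=16}, nfs/client.example.org@EXAMPLE.ORG for nfs/serv.example.org@EXAMPLE.ORG",
]

FILER_ETYPES = {1}  # assumption: des-cbc-crc only, as stated in the thread

if __name__ == "__main__":
    for kind, service, field, etype, name in unusable_tickets(SAMPLE_LOG, "nfs/", FILER_ETYPES):
        print(f"{kind} for {service}: {field}={etype} ({name}) not supported by server")
```

Because the `tkt` etype comes from the keys stored for the service principal in the KDC database, editing the client's keytab does not change it.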


