Newbie nfsv4 debian, netapp

Tom_Krauss thomas.krauss at itserv.de
Tue Oct 29 04:14:25 EDT 2013


>>If I do a ktadd -e des-cbc-crc:normal, it adds only the  des key on the
keytab file (as shown by a klist command)

The resulting keytab must be moved from whereever you exported it to the
Config Volume of your netapp filer.
The path and name must be: configvolume/etc/UNIX_krb5.keytab if you use an
MIT based KDC.

>>... but than I can't do a kinit on the nfs/server at REAM using the resulting
keytab file.<quote 
Not sure what you mean since I am not aware of a kinit cmd within DataOntap.

You may check the filer`s service principal from i.e. a Linux client by
using the kvno cmd after successful authentication. 
If you want to check the keytab you may try: kinit -kt &lt;keytab>
<principal> from i.e. your filer`s management workstation.

If the mount still does not work be sure to use "nfs setup" to configure the
filer.
Check if you have "allow_weak_crypto = true" in your clients` configs if
they are MIT 1.8 or later.

After the mount a client must have tickets like these in it`s machine(or
root) cache:

10/29/13 01:57:21  10/29/13 11:57:21  krbtgt/my.dom at my.dom
        renew until 11/12/13 01:57:21, Etype(skey, tkt): AES-256 CTS mode
with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
10/29/13 01:57:21  10/29/13 11:57:21  nfs/netapp-filer at my.dom
        renew until 11/12/13 01:57:21, Etype(skey, tkt): DES cbc mode with
RSA-MD5, DES cbc mode with RSA-MD5

If not you have a problem on the client or on the KDC (nfs principal not
there or not correctly resolved)

If the tickets are there but you still do not have access but receive i.e.
IO-error:
check the keytab, redo the "nfs setup" on the filer

If you receive permission denied:
Check your filer`s exports file, check if the Unix permissions fit on the
share, try with an ID other than root.
It may be necessary to add "root" to a "passwd" file in the filer´s config
volume (below etc) in order to properly authorize root.



--
View this message in context: http://kerberos.996246.n3.nabble.com/AW-Newbie-nfsv4-debian-netapp-tp38763p38804.html
Sent from the Kerberos - General mailing list archive at Nabble.com.



More information about the Kerberos mailing list