NFSv4
steve
steve at steve-ss.com
Mon Sep 30 20:58:49 EDT 2013
On Mon, 2013-09-30 at 17:16 +0000, Jaap wrote:
> On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote:
>
> > For the most part, I do use the default setup. That is, all my servers
> > with secure NFSv4 mounts have in their /etc/krb5.keytab both
> > "host/hostname at REALM" and "nfs/hostname at REALM" entries.
>
> All I want for now is to know how to have NFSv4 access its encryption key
> if it is stored in a keytab file other than /etc/krb5.keytab.
>
> Perhaps I'm making a mountain out of a molehill, but I'm under the
> impression that programs that read keytab files tend to stop after
> processing the first entry (with perhaps multiple encryption types). NFSv4
> may be different in this respect, but what would happen if later on the
> nfs key ended up as the first in your /etc/krb5.keytab with the host keys
> after? Then your automatic TGT refreshing mechanism (e.g. k5start) may
> select "nfs/hostname at REALM" instead of "host/hostname at REALM", which could
> be problematic.
>
> A workaround would be to move the host keys to a different keytab file,
> but I'd rather move the nfs key instead.
>
> Cheers,
>
> Jaap
Hi
There is a lot of confusion about kerberised nfs4. The only machine that
needs the nfs/REALM principal in the default keytab is the nfs server:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
For NFS4 clients, the host/REALM or client machine key is all that is
required.
HTH
Steve
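The keytab entry-order question raised in this thread (which entry a program that stops at the first entry would pick up, and how to move the nfs/ key out of /etc/krb5.keytab) is easier to reason about with the on-disk format in view. The following is an added example and not code from the thread, from MIT Kerberos or from nfs-utils: a minimal reader/writer for the MIT keytab format (version 0x0502, as documented by MIT krb5) plus a helper that splits one service's keys off into a separate keytab. The realm, hostnames, kvnos and key bytes are constructed for the example and carry no real secrets; the split_by_service helper and the service property are this example's own naming.

```python
"""
Minimal reader/writer for MIT Kerberos keytab files (format version 0x0502).

Lists entries in file order (the order a keytab-reading program sees them)
and splits a keytab so one service's keys can go to a separate file.
Added example for the mailing-list thread; not MIT krb5 or nfs-utils code.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = 0x0502
NT_PRINCIPAL = 1      # name_type used for host/... and nfs/... principals
ENCTYPE_AES256 = 18   # aes256-cts-hmac-sha1-96
ENCTYPE_AES128 = 17   # aes128-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str    # e.g. "nfs/fs1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0

    @property
    def service(self) -> str:
        """Service component of a two-part principal (host, nfs, ...)."""
        return self.principal.split("@", 1)[0].split("/", 1)[0]


def _cstr(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cstr(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def _encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _cstr(e.key)   # keyblock
    body += struct.pack(">I", e.kvno)                     # 32-bit kvno trailer
    # The size field counts every byte that follows it in this entry.
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(map(_encode_entry, entries))


def read_keytab(blob: bytes) -> List[KeytabEntry]:
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_cstr(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(blob, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_cstr(blob, pos)
        kvno = vno8
        if end - pos >= 4:         # optional 32-bit kvno overrides vno8 if nonzero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp))
    return entries


def split_by_service(entries: List[KeytabEntry], service: str):
    """Return (kept, moved): entries whose service matches go to `moved`."""
    moved = [e for e in entries if e.service == service]
    kept = [e for e in entries if e.service != service]
    return kept, moved


# Constructed sample: the nfs/ key has ended up first, ahead of host/.
SAMPLE = [
    KeytabEntry("nfs/fs1.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256, bytes(range(32))),
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256, bytes(32)),
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", 2, ENCTYPE_AES128, bytes(16)),
]


def demo():
    """First principal in file order, then the host/ and nfs/ halves."""
    parsed = read_keytab(write_keytab(SAMPLE))
    kept, moved = split_by_service(parsed, "nfs")
    return (parsed[0].principal,
            [e.principal for e in kept], [e.principal for e in moved])


if __name__ == "__main__":
    print(demo())
```

With the sample, the first entry in file order is nfs/fs1.example.com@EXAMPLE.COM, which is exactly the situation Jaap describes; writing the kept and moved halves out with write_keytab gives a host-only keytab and a separate nfs-only keytab. On a real system the same move is done with ktutil (rkt, list, delent, wkt) rather than hand-rolled code; the parser is useful for seeing the order entries actually sit in on disk.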