NFSv4

steve steve at steve-ss.com
Mon Sep 30 20:58:49 EDT 2013


On Mon, 2013-09-30 at 17:16 +0000, Jaap wrote:
> On Mon, 30 Sep 2013 09:19:07 -0500, Matt Garman wrote:
> 
> > For the most part, I do use the default setup.  That is, all my servers
> > with secure NFSv4 mounts have in their /etc/krb5.keytab both
> > "host/hostname at REALM" and "nfs/hostname at REALM" entries.
> 
> All I want for now is to know how to have NFSv4 access its encryption key 
> if it is stored in a keytab file other than /etc/krb5.keytab.
> 
> Perhaps I'm making a mountain out of a molehill, but I'm under the 
> impression that programs that read keytab files tend to stop after 
> processing the first entry (with perhaps multiple encryption types). NFSv4 
> may be different in this respect, but what would happen if later on the 
> nfs key ended up as the first in your /etc/krb5.keytab with the host keys 
> after? Then your automatic TGT refreshing mechanism (e.g. k5start) may 
> select "nfs/hostname at REALM" instead of "host/hostname at REALM", which could 
> be problematic.
> 
> A workaround would be to move the host keys to a different keytab file, 
> but I'd rather move the nfs key instead.
> 
> Cheers,
> 
> Jaap


Hi
There is a lot of confusion about kerberised nfs4. The only machine that
needs the nfs/REALM principal in the default keytab is the nfs server:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html

For nfs4 clients, the host/REALM or client machine key is all that is
required.
HTH
Steve
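As an added example that is not part of the thread, here is a small Python reader for the MIT keytab file format (version 0x0502, the layout of /etc/krb5.keytab) that lists entries in file order and applies the points made above: a client keytab needs host/ only, the server's needs nfs/, and an nfs/ key sitting first is what a first-entry reader would pick up. The sample keytab, the principal names and the all-zero keys are constructed for the example.

```python
import struct

_cstr = lambda b: struct.pack(">H", len(b)) + b     # counted_octet_string: uint16 len + data
def _octets(buf, off):                              # read one counted_octet_string at off
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):                     # format 0x0502 -> [(principal, kvno, enctype)]
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        end = off + abs(size)               # negative size marks a deleted entry
        if size > 0:
            ncomp = struct.unpack_from(">H", data, off)[0]
            realm, p = _octets(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _octets(data, p)
                comps.append(c.decode())
            vno, p = data[p + 8], p + 9     # skip name_type + timestamp; 8-bit kvno
            enctype = struct.unpack_from(">H", data, p)[0]
            _key, p = _octets(data, p + 2)  # key material; never printed
            if end - p >= 4:                # 32-bit kvno, when present, wins
                vno = struct.unpack_from(">I", data, p)[0]
            entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
        off = end
    return entries

def make_entry(principal, kvno, enctype, key):  # serialise one constructed entry
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cstr(key)
    return struct.pack(">i", len(body)) + body

def keytab_check(data, role):               # role: "client" or "server"
    svcs = [p.split("/")[0] for p, _, _ in parse_keytab(data)]
    checks = [("host" not in svcs, "no host/ key: client machine credential missing"),
              (role == "server" and "nfs" not in svcs, "NFS server keytab lacks an nfs/ key"),
              (role == "client" and "nfs" in svcs, "nfs/ key on a client; only the server needs it"),
              (svcs[:1] == ["nfs"], "nfs/ is the first entry; first-entry readers pick it")]
    findings = [msg for hit, msg in checks if hit]
    return not findings, findings
# Constructed sample (placeholder names, all-zero AES256 keys) with the nfs/ entry first.
KEYTAB = b"\x05\x02" + b"".join(make_entry(p, 2, 18, bytes(32)) for p in
    ("nfs/srv.example.com@EXAMPLE.COM", "host/srv.example.com@EXAMPLE.COM"))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` or `keytab_check`; only principal names, kvno and enctype are returned, never key bytes.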
 


