Transferring NFSv4 nfs/ keys from KDC to client?
steve
steve at steve-ss.com
Tue Mar 18 18:54:24 EDT 2014
On Tue, 2014-03-18 at 23:20 +0100, Wendy Lin wrote:
> Asking here to make sure I got the mechanism right:
>
> I created the principal nfs/china.mytest.org at TEST1.MYTEST.ORG on the
> KDC machine so that NFSv4 client china.mytest.org can mount a NFSv4
> filesystem.
>
> How does the client china.mytest.org now get the keys?
Hi

It doesn't need to. rpc.gssd can use any of the following keys:

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

Just make sure that your keytab has one of them. Usually it will already
have the CHINA$ key, so you can mount using that. The nfs server keytab
should have both the nfs service and machine keys.

There are many misunderstandings about kerberized nfs:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html

HTH
Steve
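
A way to check the point made in the reply above, added here as an example and not part of the original message: the script reads plain `klist -k` output and reports the first principal form from the reply's list that the keytab holds, trying the forms in the order the reply lists them (the same order the rpc.gssd man page documents for its keytab search). The function names and the sample keytab listing are constructed for illustration.

```python
import re

def patterns(hostname, realm):
    """Principal forms from the reply, in the order it lists them."""
    h, r = re.escape(hostname), re.escape(realm)
    # Assumption: the machine key is the upper-cased short host name plus '$',
    # as in the reply's CHINA$ for china.mytest.org.
    machine = re.escape(hostname.split(".")[0].upper())
    anyname = r"[^/@\s]+"
    return [
        ("<HOSTNAME>$", rf"{machine}\$@{r}"),
        ("root/<hostname>", rf"root/{h}@{r}"),
        ("nfs/<hostname>", rf"nfs/{h}@{r}"),
        ("host/<hostname>", rf"host/{h}@{r}"),
        ("root/<anyname>", rf"root/{anyname}@{r}"),
        ("nfs/<anyname>", rf"nfs/{anyname}@{r}"),
        ("host/<anyname>", rf"host/{anyname}@{r}"),
    ]

def parse_klist(text):
    """Return principals from plain `klist -k` output ('KVNO Principal' rows)."""
    rows = (re.match(r"\s*\d+\s+(\S+@\S+)", line) for line in text.splitlines())
    return [m.group(1) for m in rows if m]

def first_usable(klist_text, hostname, realm):
    """Return (form, principal) for the first listed form present, else None."""
    principals = parse_klist(klist_text)
    for form, pat in patterns(hostname, realm):
        for p in principals:
            # Kerberos principal names are case-sensitive, so match exactly.
            if re.fullmatch(pat, p):
                return form, p
    return None

# Constructed sample output, not taken from a real host.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/china.mytest.org@TEST1.MYTEST.ORG
   3 CHINA$@TEST1.MYTEST.ORG
"""

if __name__ == "__main__":
    print(first_usable(SAMPLE, "china.mytest.org", "TEST1.MYTEST.ORG"))
```

A result of `None` means the keytab holds none of the listed forms for that realm, which is the case where a key does have to be added to the client.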