Transferring NFSv4 nfs/ keys from KDC to client?
Wendy Lin
wendlin1974 at gmail.com
Tue Mar 18 19:09:54 EDT 2014
On 18 March 2014 23:54, steve <steve at steve-ss.com> wrote:
> On Tue, 2014-03-18 at 23:20 +0100, Wendy Lin wrote:
>> Asking here to make sure I got the mechanism right:
>>
>> I created the principal nfs/china.mytest.org@TEST1.MYTEST.ORG on the
>> KDC machine so that NFSv4 client china.mytest.org can mount a NFSv4
>> filesystem.
>>
>> How does the client china.mytest.org now get the keys?
>
> Hi
> It doesn't need to. rpc.gssd can use any of the following keys:
> <HOSTNAME>$@<REALM>
> root/<hostname>@<REALM>
> nfs/<hostname>@<REALM>
> host/<hostname>@<REALM>
> root/<anyname>@<REALM>
> nfs/<anyname>@<REALM>
> host/<anyname>@<REALM>
>
> Just make sure that your keytab has one of them. Usually it will already
> have the CHINA$ key, so you can mount using that. The nfs server keytab
> should have both the nfs service and machine keys.
>
> There are many misunderstandings about kerberized nfs:
> http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
> HTH
> Steve

What I did is:
1. Have kadmind running on the kdc
2. Run kadmin on the client as user root. A principal root@<REALM> exists
3. Use ktadd in kadmin to download the keys for
   nfs/<clienthostname>@<REALM> and host/<clienthostname>@<REALM>.

Still it does not work here and the mount fails:

    mount -t nfs4 test1.mytest.org:/ /mnt
    mount.nfs4: access denied by server while mounting nexentapuzzle.nrubsig.org:/

gssd is running:

    # ps -ef | fgrep gss
    root 1403 1 0 Mar18 ? 00:00:00 /usr/sbin/rpc.svcgssd
    root 1420 1 0 Mar18 ? 00:00:00 /usr/sbin/rpc.gssd

I have not a clue what I am doing wrong. Please help.

Wendy
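
Added example, not part of either message: a shell helper that reads `klist -k` output and reports which keytab entry comes first in the rpc.gssd search order quoted above. It assumes plain `klist -k` output (KVNO, then principal) and that `<HOSTNAME>$` is the upper-cased short hostname, as in the CHINA$ example; the function names and the sample keytab listing are constructed.

```sh
#!/bin/sh
# Added example: report which keytab entry comes first in the rpc.gssd
# search order quoted above. Reads plain `klist -k` output on stdin.

# Constructed sample: the two keys fetched with ktadd in the message above.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG
   2 host/china.mytest.org@TEST1.MYTEST.ORG
EOF
}

# usage: pick_gssd_principal <client-fqdn> <REALM> < klist-k-output
pick_gssd_principal() {
    fqdn=$1
    realm=$2
    # Assumption: <HOSTNAME>$ is the upper-cased short name (CHINA$ above).
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    # Data rows start with a numeric KVNO; the principal is column 2.
    princs=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)

    # Entries tied to this host, in the listed order.
    for cand in "${short}\$@${realm}" "root/${fqdn}@${realm}" \
                "nfs/${fqdn}@${realm}" "host/${fqdn}@${realm}"; do
        if printf '%s\n' "$princs" | grep -Fxq -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    # Then root/, nfs/, host/ for any hostname in the same realm.
    for svc in root nfs host; do
        hit=$(printf '%s\n' "$princs" | awk -v p="$svc/" -v s="@$realm" '
            index($0, p) == 1 &&
            substr($0, length($0) - length(s) + 1) == s { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    echo "no usable principal for $fqdn in $realm" >&2
    return 1
}

sample_klist | pick_gssd_principal china.mytest.org TEST1.MYTEST.ORG
```

On a real client, feed it `klist -k /etc/krb5.keytab` instead of the sample; a non-zero exit means the keytab holds none of the listed principals for that realm.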