Transferring NFSv4 nfs/ keys from KDC to client?

steve steve at steve-ss.com
Wed Mar 19 04:55:59 EDT 2014


On Wed, 2014-03-19 at 00:09 +0100, Wendy Lin wrote:
> On 18 March 2014 23:54, steve <steve at steve-ss.com> wrote:
> > On Tue, 2014-03-18 at 23:20 +0100, Wendy Lin wrote:
> >> Asking here to make sure I got the mechanism right:
> >>
> >> I created the principal nfs/china.mytest.org at TEST1.MYTEST.ORG on the
> >> KDC machine so that NFSv4 client china.mytest.org can mount a NFSv4
> >> filesystem.
> >>
> >> How does the client china.mytest.org now get the keys?
> >
> > Hi
> > It doesn't need to. rpc.gssd can use any of the following keys:
> > <HOSTNAME>$@<REALM>
> > root/<hostname>@<REALM>
> > nfs/<hostname>@<REALM>
> > host/<hostname>@<REALM>
> > root/<anyname>@<REALM>
> > nfs/<anyname>@<REALM>
> > host/<anyname>@<REALM>
> >
> > Just make sure that your keytab has one of them. Usually it will already
> > have the CHINA$ key, so you can mount using that. The nfs server keytab
> > should have both the nfs service and machine keys.
> >
> > There are many misunderstandings about kerberized nfs:
> > http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
> > HTH
> > Steve
> 
> What I did is:
> 1. Have kadmind running on the kdc
> 2. Run kadmin on the client as user root. A principal root@<REALM> exists
> 3. Use ktadd in kadmin to download the keys for
> nfs/<clienthostname>@<REALM> and host/<clienthostname>@<REALM>.
> 
> Still it does not work here and the mount fails:
> mount -t nfs4 test1.mytest.org:/ /mnt
> mount.nfs4: access denied by server while mounting nexentapuzzle.nrubsig.org:/
> 
> gssd is running:
> # ps -ef | fgrep gss
> root      1403     1  0 Mar18 ?        00:00:00 /usr/sbin/rpc.svcgssd
> root      1420     1  0 Mar18 ?        00:00:00 /usr/sbin/rpc.gssd
> 
> I have not a clue what I am doing wrong. Please help.

Tell it to use Kerberos:
mount -t nfs4 test1.mytest.org:/ /mnt -osec=krb5

If still nothing send the output of:
klist -ke 
on both the client and the server?

What does /etc/exports look like on the server?

Note that it is no longer recommended to export nfs4 as an fsid=0 pseudo
root. Simply export it as we have always done for nfs3.
Cheers,
Steve
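A way to check the point Steve makes above (that the client keytab only needs to hold one principal rpc.gssd accepts), as an added example that is not part of the thread: the script below reads `klist -ke` output and lists the principals matching his list. The function names and the keytab listing are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of what `klist -ke /etc/krb5.keytab` prints on the client
# (not a real keytab; one line per principal and enctype).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CHINA$@TEST1.MYTEST.ORG (aes256-cts-hmac-sha1-96)
   2 CHINA$@TEST1.MYTEST.ORG (aes128-cts-hmac-sha1-96)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG (aes128-cts-hmac-sha1-96)
   1 ldap/china.mytest.org@TEST1.MYTEST.ORG (aes256-cts-hmac-sha1-96)'

# gssd_usable_principals HOSTNAME REALM
# Reads a `klist -ke` listing on stdin and prints, once each, the principals
# rpc.gssd can use: <HOSTNAME>$@REALM, or root/, nfs/, host/ with any name @REALM.
gssd_usable_principals() {
    host=$1; realm=$2
    # Machine account name: short hostname, upper-cased, with a trailing $
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    awk -v realm="$realm" -v short="$short" '
        $1 ~ /^[0-9]+$/ {               # data lines start with the KVNO
            p = $2                      # principal is the second field
            suffix = "@" realm
            if (substr(p, length(p) - length(suffix) + 1) != suffix) next
            if (p == short "$" suffix) { print p; next }
            if (p ~ /^(root|nfs|host)\/[^@]+@/) print p
        }' | sort -u
}

# keytab_ok HOSTNAME REALM : succeeds when at least one usable principal is present
keytab_ok() {
    [ -n "$(gssd_usable_principals "$1" "$2")" ]
}

# Stand-alone run over the constructed sample (on a real client, pipe
# `klist -ke` into the function instead).
printf '%s\n' "$SAMPLE_KEYTAB" | gssd_usable_principals china.mytest.org TEST1.MYTEST.ORG
```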