Transferring NFSv4 nfs/ keys from KDC to client?

Wendy Lin wendlin1974 at gmail.com
Wed Mar 19 08:32:39 EDT 2014


On 19 March 2014 09:55, steve <steve at steve-ss.com> wrote:
> On Wed, 2014-03-19 at 00:09 +0100, Wendy Lin wrote:
>> On 18 March 2014 23:54, steve <steve at steve-ss.com> wrote:
>> > On Tue, 2014-03-18 at 23:20 +0100, Wendy Lin wrote:
>> >> Asking here to make sure I got the mechanism right:
>> >>
>> >> I created the principal nfs/china.mytest.org@TEST1.MYTEST.ORG on the
>> >> KDC machine so that NFSv4 client china.mytest.org can mount a NFSv4
>> >> filesystem.
>> >>
>> >> How does the client china.mytest.org now get the keys?
>> >
>> > Hi
>> > It doesn't need to. rpc.gssd can use any of the following keys:
>> > <HOSTNAME>$@<REALM>
>> > root/<hostname>@<REALM>
>> > nfs/<hostname>@<REALM>
>> > host/<hostname>@<REALM>
>> > root/<anyname>@<REALM>
>> > nfs/<anyname>@<REALM>
>> > host/<anyname>@<REALM>
>> >
>> > Just make sure that your keytab has one of them. Usually it will already
>> > have the CHINA$ key, so you can mount using that. The nfs server keytab
>> > should have both the nfs service and machine keys.
>> >
>> > There are many misunderstandings about kerberized nfs:
>> > http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html
>> > HTH
>> > Steve
>>
>> What I did is:
>> 1. Have kadmind running on the kdc
>> 2. Run kadmin on the client as user root. A principal root@<REALM> exists
>> 3. Use ktadd in kadmin to download the keys for
>> nfs/<clienthostname>@<REALM> and host/<clienthostname>@<REALM> .
>>
>> Still it does not work here and the mount fails:
>> mount -t nfs4 test1.mytest.org:/ /mnt
>> mount.nfs4: access denied by server while mounting nexentapuzzle.nrubsig.org:/
>
> Tell it to use Kerberos:
> mount -t nfs4 test1.mytest.org:/ /mnt -osec=krb5
>>
>> gssd is running:
>> # ps -ef | fgrep gss
>> root      1403     1  0 Mar18 ?        00:00:00 /usr/sbin/rpc.svcgssd
>> root      1420     1  0 Mar18 ?        00:00:00 /usr/sbin/rpc.gssd
>>
>> I have not a clue what I am doing wrong. Please help.
>
> Tell it to use Kerberos:
> mount -t nfs4 test1.mytest.org:/ /mnt -osec=krb5
>
> If still nothing send the output of:
> klist -ke
> on both the client and the server?

@(nfs|krb) server (hostname "test1.mytest.org"):
# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/test1@TEST1.MYTEST.ORG (DES cbc mode with CRC-32)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (DES cbc mode with CRC-32)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   3 host/china.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/china.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/china.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   3 host/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/test1.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG (Triple DES cbc mode with HMAC/sha1)
   2 nfs/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)

Why do I have duplicate entries in this output? Are they harmful?


@(nfs|krb) client (hostname "china.mytest.org"):
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan

The client is my problem. How can I get the keys to it? ssh them over?

>
> What does /etc/exports look like on the server?

# cat /etc/exports
/nfsv4krbtest   *(sec=krb5,rw,fsid=0)
# uname -a
Linux test1.mytest.org 2.6.34.10-0.6-desktop #1 SMP PREEMPT 2011-12-13 18:27:38 +0100 x86_64 x86_64 x86_64 GNU/Linux

> Note that it is no longer recommended to export nfs4 as a fsid=0 pseudo
> root. Simply export it as we always have done nfs3.

Is this recommendation valid for the quite old 2.6.34.10-0.6-desktop
kernel in SUSE 11.3?

Wendy
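A small checker, added here as an illustration and not code from anyone in the thread, that parses `klist -ke` output of the kind pasted above: it re-joins mail-folded lines, reports exact duplicate entries, flags single-DES and RC4 enctypes, and sorts the principals into the host-specific names Steve lists for rpc.gssd versus the root/nfs/host "anyname" fallbacks. The sample listing is constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of `klist -ke` output (not the thread's listing);
# the two AES lines are folded the way the mail client folded them.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (DES cbc mode with CRC-32)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   2 nfs/test1.mytest.org@TEST1.MYTEST.ORG (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   3 host/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
   2 host/china.mytest.org@TEST1.MYTEST.ORG (ArcFour with HMAC/md5)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
WEAK = ("DES cbc", "ArcFour")  # single DES and RC4 enctypes

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; folded continuation lines are re-joined."""
    lines = []
    for line in text.splitlines():
        unbalanced = lines and lines[-1].count("(") > lines[-1].count(")")
        if unbalanced and not re.match(r"^\s*\d+\s", line):
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY.match, lines) if m]

def duplicates(entries):
    """Exact repeats of (kvno, principal, enctype); a clean keytab shows each once."""
    return sorted(e for e, n in Counter(entries).items() if n > 1)

def weak_entries(entries):
    return [e for e in entries if e[2].startswith(WEAK)]

def gssd_candidates(entries, hostname, realm):
    """Split keytab principals into the host-specific names rpc.gssd accepts for
    hostname (MACHINE$, root/, nfs/, host/) and the root/nfs/host anyname fallbacks."""
    short = hostname.split(".")[0].upper()
    exact = {f"{short}$@{realm}", f"root/{hostname}@{realm}",
             f"nfs/{hostname}@{realm}", f"host/{hostname}@{realm}"}
    names = {p for _, p, _ in entries}
    fallback = {p for p in names if p.endswith("@" + realm) and "/" in p
                and p.split("/", 1)[0] in ("root", "nfs", "host")}
    return sorted(names & exact), sorted(fallback - exact)
```

Run it against the real listing with `parse_klist(open("klist.txt").read())`; an entry repeated with the same KVNO and enctype is the same key stored twice, while a new KVNO for the same principal means the key was regenerated.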

