Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?





On Thu, Feb 2, 2012 at 3:56 PM, steve <steve@xxxxxxxxxxxx> wrote:
> On 02/02/12 14:29, steve wrote:
>>
>> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>>>
>>> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@xxxxxxxxxxxx>  wrote:
>>>>
>>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>>>
>>>>> Hi Steve,
>>>>>
>>>>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize it.
>>>>>> My clients already have machine and host principals. What else do they
>>>>>> need?
>>>>>>
>>>>>> 1. nfs/client.domain.name
>>>>>> 2. nfs/server.domain/name
>>>>>> 3. neither
>>>>>> 4. both
>>>>>>
>>>>> We run kerberized NFS.
>>>>>
>>>>> our keytab contains:
>>>>>
>>>>> on server;
>>>>>   nfs/server.domain
>>>>>
>>>>> on client:
>>>>>   nfs/client.domain
>>>>>
>>>>> and, of course, you need a consistent idmap configuration.
>>>>>
>>>>> Tigran.
>>>>>
>>>> Hi Tigran
>>>>
>>>> That's what we have on our test lan at the moment. I can understand that
>>>> the server would need the service principal:
>>>>   nfs/server.domain
>>>> but not the client, as it's not offering any kerberized service.
>>>
>>> The mount step happens on behalf of the host, as there are no user
>>> requests yet. Client host credentials are used at that time.
>>>
>>>> As an experiment, I removed the nfs/client.domain from a client keytab,
>>>> rebooted and remounted the share. We could still access the kerberized
>>>> nfs share. Maybe there were still some tickets left somewhere? That has
>>>> me really confused.
>>>
>>> Huh! Did you enforce kerberos in /etc/exports?
>>>
>> Yes. /etc/exports exports as gss/krb5
>> I made a screenshot:
>>
>>
>> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png
>>
>> That's why I'm confused.
>> Steve
>
>
> Digging a bit further, here is the output of mount on the client:
> http://dl.dropbox.com/u/45150875/krb5testnfs.png
>
> And this appears immediately after the mount:
> http://dl.dropbox.com/u/45150875/krb5nfstmp.png
>
> Most of the documentation tells you to stick nfs into the client keytab as
> well as the server keytab, but here, I only have the principal on the
> server.
>
> What am I missing?

I think the client simply falls back to 'host' if the nfs entry is not available.

Tigran.
> Thanks,
> Steve
>
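The fallback discussed in this thread can be checked against a keytab listing. The following is an added example, not part of the original messages: it reads `klist -k` output and reports which entry rpc.gssd would pick for the machine credential, using the search order documented in rpc.gssd(8) of current nfs-utils. The function name, host names, realm and keytab listings are constructed for illustration, and older nfs-utils releases may search in a different order.

```shell
#!/bin/sh
# Added example. Search order follows rpc.gssd(8); all names below are constructed.

# Constructed `klist -k` listings for a client whose nfs/ entry was removed.
KEYTAB_AFTER_REMOVAL='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/client.example.test@EXAMPLE.TEST
   2 CLIENT$@EXAMPLE.TEST'
KEYTAB_HOST_ONLY='KVNO Principal
   2 host/client.example.test@EXAMPLE.TEST'
KEYTAB_WITH_NFS='KVNO Principal
   2 host/client.example.test@EXAMPLE.TEST
   3 nfs/client.example.test@EXAMPLE.TEST'

# Usage: klist -k /etc/krb5.keytab | pick_machine_principal <fqdn> <REALM>
# Prints the first keytab entry in rpc.gssd's search order; returns 1 if none.
pick_machine_principal() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    # Keep "KVNO principal" rows only; drop headers and repeated enctypes.
    princs=$(awk '$1 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }')

    # Pass 1: names bound to this host (machine account, root, nfs, host).
    for cand in "${short}\$@${realm}" "root/${fqdn}@${realm}" \
                "nfs/${fqdn}@${realm}" "host/${fqdn}@${realm}"; do
        if printf '%s\n' "$princs" | grep -Fqx -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    # Pass 2: the same services with any instance name in the realm.
    for svc in root nfs host; do
        hit=$(printf '%s\n' "$princs" | awk -v s="$svc/" -v r="@$realm" '
            index($0, s) == 1 &&
            substr($0, length($0) - length(r) + 1) == r { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1   # nothing usable for a machine credential
}

printf '%s\n' "$KEYTAB_AFTER_REMOVAL" |
    pick_machine_principal client.example.test EXAMPLE.TEST
```

On a real client, `rpc.gssd -f -vvv` logs the principal it actually selects, which confirms or refutes the prediction.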