On 02/03/2012 06:22 PM, steve wrote:
> Yep. You're right. And not just host. They changed it to look for other keys too:
> http://linux.die.net/man/8/rpc.gssd
> So in my case that's why I see HOSTNAME$@REALM during the nfs mount.
> Thanks so much for your time.
> Steve
>
> On 02/02/2012 07:57 PM, Tigran Mkrtchyan wrote:
>> I think client simply falls back to 'host' if nfs entry is not available.
>>
>> Tigran.
>>
>> On Thu, Feb 2, 2012 at 3:56 PM, steve <steve@xxxxxxxxxxxx> wrote:
>>> Digging a bit further, here is the output of mount on the client:
>>> http://dl.dropbox.com/u/45150875/krb5testnfs.png
>>> And this appears immediately after the mount:
>>> http://dl.dropbox.com/u/45150875/krb5nfstmp.png
>>> Most of the documentation tells you to stick nfs into the client keytab as well as the server keytab, but here, I only have the principal on the server.
>>> What am I missing?
>>>
>>> On 02/02/12 14:29, steve wrote:
>>>> Yes. /etc/exports exports as gss/krb5. I made a screenshot:
>>>> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png
>>>> That's why I'm confused.
>>>> Steve
>>>>
>>>> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>>>>> The mount step happens on behalf of host as there are no user requests.
>>>>>
>>>>> On Thu, Feb 2, 2012 at 12:33 PM, steve <steve@xxxxxxxxxxxx> wrote:
>>>>>> Hi Tigran
>>>>>> That's what we have on our test lan at the moment. I can understand that the server would need the service principal: nfs/server.domain but not the client, as it's not offering any kerberized service.
>>>>>
>>>>> yet. Client host credentials are used at that time.
>>>>>
>>>>>> As an experiment, I removed the nfs/client.domain from a client keytab, rebooted and remounted the share. We could still access the kerberized nfs share. Maybe there were still some tickets left somewhere? That has me really confused.
>>>>>
>>>>> Huh! Did you enforce kerberos in /etc/exports?
>>>>>
>>>>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize it. My clients already have machine and host principals. What else do they need?
>>>>>>>> 1. nfs/client.domain.name
>>>>>>>> 2. nfs/server.domain.name
>>>>>>>> 3. neither
>>>>>>>> 4. both
>>>>>>>
>>>>>>> We run kerberized NFS. Our keytab contains:
>>>>>>> on server: nfs/server.domain
>>>>>>> on client: nfs/client.domain
>>>>>>> and, of course, you need a consistent idmap configuration.
>>>>>>>
>>>>>>> Tigran.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
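An added check (editor's example, not code from the thread) for the two points the thread settles on: which keytab principal rpc.gssd will use for the client's machine credential when no nfs/ key is present, and whether an /etc/exports entry really pins the export to a Kerberos flavour instead of also allowing sys. The candidate order is taken from rpc.gssd(8) as read here and is an assumption to confirm against your nfs-utils version; the `klist -k` listings and export lines are constructed, and the exports check covers the `sec=` option syntax (one client spec per line), not the older `gss/krb5` client-spec form Steve uses.

```shell
#!/bin/sh
# Constructed `klist -k` listings, not real keytabs. The first is an AD-joined
# client with a machine account and host/ keys but no nfs/ key, as in the thread.
AD_CLIENT_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 CLIENT1$@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM'
NFS_CLIENT_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 host/client2.example.com@EXAMPLE.COM
   3 nfs/client2.example.com@EXAMPLE.COM'

# Principal forms rpc.gssd tries for the machine credential, in the order given
# by rpc.gssd(8) as read here (assumption: verify against your nfs-utils version).
gssd_candidates() {
  host=$1; realm=$2
  upper=$(printf '%s' "${host%%.*}" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "${upper}\$@${realm}" "root/${host}@${realm}" \
    "nfs/${host}@${realm}" "host/${host}@${realm}"
}

# Print the first candidate present in a klist -k listing (what gssd would pick);
# exit 1 if none is present, i.e. the client has no usable machine credential.
first_usable_principal() {
  host=$1; realm=$2; listing=$3
  # Only rows whose first field is a KVNO are entries; column 2 is the principal.
  princs=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ { print $2 }')
  for cand in $(gssd_candidates "$host" "$realm"); do
    if printf '%s\n' "$princs" | grep -Fxq -- "$cand"; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# Succeed only if an /etc/exports line pins Kerberos: a sec= option that names
# krb5 flavours and does not also list sys (the default when sec= is absent).
exports_enforces_krb5() {
  opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
  sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
  [ -n "$sec" ] || return 1
  case ":$sec:" in *:sys:*) return 1 ;; esac
  case ":$sec:" in *:krb5*) return 0 ;; esac
  return 1
}

first_usable_principal client1.example.com EXAMPLE.COM "$AD_CLIENT_KEYTAB"
first_usable_principal client2.example.com EXAMPLE.COM "$NFS_CLIENT_KEYTAB"
exports_enforces_krb5 '/srv/home *(rw,sec=krb5:krb5i:krb5p)' && echo 'export pinned to krb5'
```

On a real client, feed it `klist -k /etc/krb5.keytab` output and the host's FQDN; a result of `HOSTNAME$@REALM` is exactly what Steve saw once nfs/client was removed.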