Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




On 02/03/2012 06:22 PM, steve wrote:
On 02/02/2012 07:57 PM, Tigran Mkrtchyan wrote:
On Thu, Feb 2, 2012 at 3:56 PM, steve<steve@xxxxxxxxxxxx>  wrote:
On 02/02/12 14:29, steve wrote:
On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@xxxxxxxxxxxx>    wrote:
On 02/02/12 11:58, Tigran Mkrtchyan wrote:
Hi Steve,

I already use nfs4 to serve my Linux clients. I'm going to kerberize
it.
My
clients already have machine and host principals. What else do they
need?

1. nfs/client.domain.name
2. nfs/server.domain/name
3. neither
4. both

We run kerberized NFS.

our keytab contains:

on server;
   nfs/server.domain

on client:
   nfs/client.domain

and, of course, you need a consistent  idmap configuration.

Tigran.

Hi Tigran

That's what we have on our test lan at the moment. I can understand that
the
server would need the service principal:
   nfs/server.domain
but not the client, as it's not offering any kerberized service.
The mount step happens on behalf of host as there are no user requests
yet.
Client host credentials are used at that time.

As an experiment, I removed the nfs/client.domain from a client keytab, rebooted and remounted the share. We could still access the kerberized
nfs
share. Maybe there were still some tickets left somewhere? That has me
really confused.
Huh! did you enforce kerberos in /etc/exports?

Yes. /etc/exports exports as gss/krb5
I made a screenshot:


http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png

That's why I'm confused.
Steve

Digging a bit further, here is the output of mount on the client:
http://dl.dropbox.com/u/45150875/krb5testnfs.png

And this appears immediately after the mount:
http://dl.dropbox.com/u/45150875/krb5nfstmp.png

Most of the documentation tells you to stick nfs into the client keytab as
well as the server keytab, but here, I only have the principal on the
server.

What am I missing?
I think client simply falls back to 'host' if nfs entry is not available.

Tigran.

Yep. You're right. And not just host. They changed it to look for other keys too:
http://linux.die.net/man/8/rpc.gssd
So in my case that's why I see HOSTNAME$@REALM during the nfs mount.

Thanks so much for your time.
Steve



--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Photo]     [Yosemite Info]    [Yosemite Photos]    [POF Sucks]     [Linux Kernel]     [Linux SCSI]     [XFree86]

Add to Google Powered by Linux