On 07/21/2012 09:01 AM, Marcel Ritter wrote:
Hi, while trying to use Samba4 as KDC for secure NFS (once again) I found something I suspect to be an error: In order for NFS (with krb5) to work it requires a nfs/... principal, so I created one using samba-tool: samba-tool user add nfs-user samba-tool spn add nfs/atom.mydomain.org nfs-user samba-tool domain exportkeytab /etc/krb5.keytab -principal=nfs/atom.mydomain.org After setting up NFS, a secure mount fails (permission denied).
Hi MarcelThe client doesn't need a nfs principal. e.g. we just use the machine$ principal.
From man rpc.gssd(8) <quote>Previous versions of rpc.gssd used only "nfs/*" keys found within the keytab. To be more consistent with other implementations, we now look for specific keytab entries. The search order for keytabs to be used for "machine credentials" is now:
<HOSTNAME>$@<REALM> root/<hostname>@<REALM> nfs/<hostname>@<REALM> host/<hostname>@<REALM> root/<anyname>@<REALM> nfs/<anyname>@<REALM> host/<anyname>@<REALM> </quote>There are lots of misunderstandings about nfs and Kerberos. We tried to collect them:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html HTH, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Linux] [Info Cyrus] [LARTC] [Bugtraq] [Netfilter] [Internet Dating Forums] [RAID] [Yosemite News] [Photography]
|
|