On Mon, 2011-07-25 at 12:58 -0400, Rob Kampen wrote:
Rob Kampen wrote:
On 07/19/2011 04:43 PM, Olaf Mueller wrote:
Rob Kampen wrote:
Hello,
nfs4 with kerberos works fine here on CentOS 5.6.
change exports to
[...]gss/krb([...]
[...]gss/krb([...]
My /etc/exports says '... gss/krb5(...'.
Got this already
And 'SECURE_NFS=yes' is set in /etc/sysconfig/nfs.
This too is set
All needed services are running?
- rpcsvcgssd (server)
- rpcidmapd (server)
- rpcgssd (client)
Yes all running
A very good instruction, in my opinion, to get it running is
http://sadiquepp.blogspot.com/2009/02/how-to-configure-nfsv4-with-kerberos-in.html.
This was one of the ones I used - will start from the beginning again.
Thanks for comments
regards
Olaf
I have put the nfs4 with Kerberos on hold as it seems there may be a
problem with the basic kerberos install.
Probably an issue with your keytab. the link above cotains some hints:
1) you need to add an nfs (not host!) principal and
2) use ktadd -e des-cbc-crc:normal
Add only the des-cbc-crc:normal key, not one of the others as (at least
in the past, I have not checked later kernels like the one in centos 6)
to see if this is still applies. In order to allow the des key to work
you need the following in /etc/krb5.conf (in the libdefaults section):
allow_weak_crypto = true
With these settings nfs mounting works for me, but see my comments below
first, before you try to mount a nfs file system
/usr/kerberos/sbin/kprop: Decrypt integrity check failed while getting
initial ticket
With the keytab you showed, first try a kinit for a user. does that
succeed? What does a klist show after this?
This way you can check the ticket generation. Only when that succeeds
try the nfs mount
Louis
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
