On Wed, 26 May 2010 20:09:16 +0200 Thomas Sailer <sai...@sailer.dynip.lugs.ch> wrote:
> Hi,
>
> After upgrading one IPA client from Fedora12 to Fedora13 (the server
> runs Fedora12), I'm experiencing NFS4 problems.
>
> I can still mount the server from the client like this:
> mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p
> server.xxx.com:/home /tmp/z
> root can then successfully list
> subdirectories with ls /tmp/z. However, when a normal user tries to
> do this, he gets -EACCES.
>
> Permissions of /tmp/z should be ok:
>
> # ls -ldZ /tmp/z
> drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /tmp/z
>
> # getfacl /tmp/z
> getfacl: Removing leading '/' from absolute path names
> # file: tmp/z
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> # nfs4_getfacl /tmp/z
> A::OWNER@:rwaDxtTcCy
> A::GROUP@:rxtcy
> A::EVERYONE@:rxtcy
>
> It worked under Fedora 12. Does anybody have an idea what went wrong?

Tom,
if you have only a DES key in your keytab for NFS (and you do if you used it in F12, as NFS supported only DES) then you probably see the effect of the new Kerberos libraries disallowing DES.

Try adding allow_weak_crypto = true to your krb5.conf or alternatively rekey your NFS credentials to add RC4/AES keys (rekeying works only if both client and server kernels support anything but DES; I think F13's kernels should have those patches now, but old kernels support only DES).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
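A way to check for the condition described in the reply, as an added example that is not part of the original thread: it parses `klist -ke` keytab listings and reports principals whose newest key version holds only DES keys. The sample listing, host names and realm are constructed, and the parser assumes the short enctype names shown in the sample.

```python
import re

# DES-family enctype names (short form, as assumed for the listing below)
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample of `klist -ke /etc/krb5.keytab` output (placeholder names)
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   2 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
   3 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def enctypes_by_principal(klist_output):
    """Map each principal to the enctypes stored for its highest kvno."""
    newest = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3).lower()
        cur_kvno, types = newest.get(principal, (-1, set()))
        if kvno > cur_kvno:
            newest[principal] = (kvno, {enctype})  # newer key version replaces older
        elif kvno == cur_kvno:
            types.add(enctype)
    return {p: types for p, (_, types) in newest.items()}


def des_only_principals(klist_output):
    """Principals that stop working once the Kerberos library rejects DES."""
    by_principal = enctypes_by_principal(klist_output)
    return sorted(p for p, types in by_principal.items() if types <= WEAK_DES)


if __name__ == "__main__":
    for principal in des_only_principals(SAMPLE):
        print("DES-only keys, rekey needed:", principal)
```
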