On 04/12/2013 03:35 PM, Natxo Asenjo wrote:
> hi,
>
> apparently what I am trying to do is not very usual because I do not
> get any answer on the omnios (opensolaris derivative) mailing list.
>
> I have successfully joined a host to the ipa domain, I can log in the
> omnios host as an ipa user, getent works, kerberos works (thanks to
> Johan Petersson in this thread:
> https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
> But when configuring nfs with krb5(i/p) security I get an error:

I am completely unaware how zfs works but...

>
> # zfs set sharenfs=sec=krb5 rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
> to invalid options

That looks like a syntax error. It seems like krb5 is an invalid option.
Maybe something needs to be restarted after you changed the config file?

>
> # share -F nfs -o sec=krb5 -d "homedirs" /export/home/
> Could not share: /export/home: invalid security type
>
> The omnios host has a keytab with both host and nfs principals:
>
> # klist -k -e
>
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode with
> 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode with
> 96-bit SHA-1 HMAC)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode
> with HMAC/sha1)
>    1 nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-256 CTS mode
> with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (AES-128 CTS mode
> with 96-bit SHA-1 HMAC)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (Triple DES cbc mode
> with HMAC/sha1)
>    2 host/testomnios.ipa.asenjo...@ipa.asenjo.nx (ArcFour with HMAC/md5)
>
> I can kinit with both principals:
>
> root@testomnios:~# kinit -k
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting                Expires                Service principal
> 04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:07
> root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
> root@testomnios:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/testomnios.ipa.asenjo...@ipa.asenjo.nx
>
> Valid starting                Expires                Service principal
> 04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/ipa.asenjo...@ipa.asenjo.nx
>         renew until 04/19/13 11:56:28
>
> so the keytab is correct
>
> I have edited /etc/nfssec.conf and removed the comments for the krb5
> lines.
>
> According to all my google-fu it should work, but it does not. Any
> tips greatly appreciated.
> .
> --
> Groeten,
> natxo
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/