On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller <chan...@antenna.nl> wrote:

> Hi list,
>
> I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what I did:
>
> first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works
>
> changed the following on /etc/default/nfs-kernel-server:
>
> NEED_SVCGSSD=yes
> RPCSVCGSSDOPTS="-vvv"
>
> then I installed ntp on both servers
>
> On the nfs/kerberos server ubuntuhardy1
>
> aptitude install krb5-admin-server krb5-kdc
>
> edit /etc/hosts
>
> 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> 192.168.0.109 ubuntuhardy1.localhost.network
> 192.168.0.110 ubuntuhardy2.localhost.network
>
> change hostname
>
> hostname ubuntuhardy1.localhost.network
>
> edit /etc/krb5.conf
>
> [libdefaults]
> default_realm = LOCALHOST.NETWORK
> [realms]
> LOCALHOST.NETWORK = {
> kdc = ubuntuhardy1.localhost.network
> admin_server = ubuntuhardy1.localhost.network
> default_domain = localhost.network
> }
> [domain_realm]
> localhost.network = LOCALHOST.NETWORK
> .localhost.network = LOCALHOST.NETWORK
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> change /etc/krb5kdc/kdc.conf:
>
> [kdcdefaults]
> kdc_ports = 750,88
> [realms]
> LOCALHOST.NETWORK = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> default_principal_flags = +preauth
> }
>
> create realm:
>
> kdb5_util create -s
>
> loading random data
> Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCALHOST.NETWORK',
> master key name 'K/m...@localhost.network'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
>
> restarted kerberos
>
> /etc/init.d/krb5-admin-server restart
> /etc/init.d/krb5-kdc restart
> Now you can access your <meer> with the following command:
>
> started kadmin
>
> kadmin.local
>
> added user:
>
> addprinc admin/admin
>
> added Host key for the server:
>
> addprinc -randkey host/ubuntuhardy1.localhost.netw...@localhost.network
>
> add principal to local key table <meer>
>
> ktadd host/ubuntuhardy1.localhost.netw...@localhost.network
> output:
>
> Entry for principal host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
> Entry for principal host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
>
> edit /etc/exports
>
> /var/www gss/krb5i(rw,sync)
>
> restarted nfs server
>
> on the client ubuntuhardy2:
>
> edit /etc/hosts
>
> 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> 192.168.0.110 ubuntuhardy2.localhost.network
> 192.168.0.109 ubuntuhardy1.localhost.network
>
> install software
>
> aptitude install krb5-user krb5-clients libpam-krb5
>
> copied /etc/krb5.conf from server
>
> tested kerberos access:
>
> kinit admin/admin
>
> and got this output:
>
> Password for admin/ad...@localhost.network:
>
> logged in again on the SERVER
>
> kadmin
>
> added principal for client ubuntuhardy2
>
> addprinc -randkey host/ubuntuhardy2.localhost.network
> addprinc -randkey nfs/ubuntuhardy2.localhost.network
>
> client
>
> logged in on the client:
>
> kinit admin/admin
> Password for admin/ad...@localhost.network:
>
> add principal for client
>
> kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
>
> WARNING: no policy specified for nfs/ubuntuhardy2.localhost.netw...@localhost.network; defaulting to no policy
> Principal “nfs/ubuntuhardy2.localhost.netw...@localhost.network” created.
>
> create key in keytab
>
> kadmin: ktadd nfs/ubuntuhardy2.localhost.network
>
> Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
> Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> kadmin: quit
>
> then I try to mount the nfs share
>
> mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/
>
> I get
>
> mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www
>
> and in /var/log/daemon.log on the server
>
> ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)
>
> Does anyone know what I am doing wrong?
Currently, you must limit the encryption type for the nfs principals to only des-cbc-crc. So, in both cases

ktadd nfs/ubuntuhardy1.localhost.netw...@localhost.network
ktadd nfs/ubuntuhardy2.localhost.netw...@localhost.network

should be

ktadd -e des-cbc-crc:normal nfs/ubuntuhardy1.localhost.netw...@localhost.network
ktadd -e des-cbc-crc:normal nfs/ubuntuhardy2.localhost.netw...@localhost.network

(See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)

K.C.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
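An added check for the fix K.C. describes (example code, not from the thread): it parses `klist -ke` output and reports any nfs/ keytab entry whose encryption type is not DES-CBC-CRC, so an admin can confirm the keytab really was written with `ktadd -e des-cbc-crc:normal` before retrying the mount. The `klist -ke` text below is constructed to match the ktadd messages quoted above; MIT Kerberos `klist` and the keytab path /etc/krb5.keytab are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: verify which encryption types a
# keytab holds for the nfs/ service principals, from `klist -ke` output.
# Assumed: MIT Kerberos klist and the keytab at /etc/krb5.keytab.

# Constructed `klist -ke` text matching the ktadd messages in the thread:
# the nfs/ principal got both a Triple DES and a DES-CBC-CRC key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# Constructed text for a keytab written with `ktadd -e des-cbc-crc:normal`.
FIXED_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# Read klist -ke text on stdin; print "kvno<TAB>principal<TAB>enctype" for nfs/ entries.
nfs_entries() {
    awk '$2 ~ /^nfs\// {
        enc = $0
        sub(/^[^(]*\(/, "", enc)           # drop everything up to the "("
        sub(/\)[[:space:]]*$/, "", enc)    # drop the trailing ")"
        print $1 "\t" $2 "\t" enc
    }'
}

# Print how many nfs/ entries use an enctype other than DES-CBC-CRC.
count_non_des_nfs_entries() {
    nfs_entries | awk -F '\t' '$3 != "DES cbc mode with CRC-32" { n++ } END { print n + 0 }'
}

# Exit 0 when every nfs/ entry is DES-CBC-CRC (the state K.C. recommends),
# 1 otherwise (the state the thread's plain ktadd produced).
nfs_entries_only_des_cbc_crc() {
    [ "$(count_non_des_nfs_entries)" -eq 0 ]
}

# Against a live keytab: klist -ke /etc/krb5.keytab | nfs_entries_only_des_cbc_crc
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | nfs_entries
    printf '%s\n' "$SAMPLE_KLIST" | nfs_entries_only_des_cbc_crc && echo "ok" || echo "non-DES nfs/ key present"
fi
```

Run with `--demo` to see the constructed sample flagged; pipe a real `klist -ke` into `nfs_entries_only_des_cbc_crc` to check a live keytab.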