On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller<chan...@antenna.nl> wrote:
> > Hi list,
> >
> > I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's
> > what I did:
> >
> > first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2,
> > nfs mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works
> >
> > changed the following on /etc/default/nfs-kernel-server:
> >
> > NEED_SVCGSSD=yes
> > RPCSVCGSSDOPTS="-vvv"
> >
> > then I installed ntp on both servers
> >
> > On the nfs/kerberos server ubuntuhardy1
> >
> > aptitude install krb5-admin-server krb5-kdc
> >
> > edit /etc/hosts
> >
> > 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> > 192.168.0.109 ubuntuhardy1.localhost.network
> > 192.168.0.110 ubuntuhardy2.localhost.network
> >
> > change hostname
> >
> > hostname ubuntuhardy1.localhost.network
> >
> > edit /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = LOCALHOST.NETWORK
> > [realms]
> > LOCALHOST.NETWORK = {
> > kdc = ubuntuhardy1.localhost.network
> > admin_server = ubuntuhardy1.localhost.network
> > default_domain = localhost.network
> > }
> > [domain_realm]
> > localhost.network = LOCALHOST.NETWORK
> > .localhost.network = LOCALHOST.NETWORK
> > [logging]
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> >
> > change /etc/krb5kdc/kdc.conf:
> >
> > [kdcdefaults]
> > kdc_ports = 750,88
> > [realms]
> > LOCALHOST.NETWORK = {
> > database_name = /var/lib/krb5kdc/principal
> > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > acl_file = /etc/krb5kdc/kadm5.acl
> > key_stash_file = /etc/krb5kdc/stash
> > kdc_ports = 750,88
> > max_life = 10h 0m 0s
> > max_renewable_life = 7d 0h 0m 0s
> > master_key_type = des3-hmac-sha1
> > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> > des:normal des:v4 des:norealm des:onlyrealm des:afs3
> > default_principal_flags = +preauth
> > }
> >
> > create realm:
> >
> > kdb5_util create -s
> >
> > loading random data
> > Initializing database '/var/lib/krb5kdc/principal' for realm
> > 'LOCALHOST.NETWORK',
> > master key name 'K/m...@localhost.network'
> > You will be prompted for the database Master Password.
> > It is important that you NOT FORGET this password.
> > Enter KDC database master key:
> >
> > restarted kerberos
> >
> > /etc/init.d/krb5-admin-server restart
> > /etc/init.d/krb5-kdc restart
> > Now you can access your <more> with the following command:
> >
> > started kadmin
> >
> > kadmin.local
> >
> > added user:
> >
> > addprinc admin/admin
> >
> > added host key for the server:
> >
> > addprinc -randkey host/ubuntuhardy1.localhost.netw...@localhost.network
> >
> > add principal to local key table <more>
> >
> > ktadd host/ubuntuhardy1.localhost.netw...@localhost.network
> > output:
> >
> > Entry for principal
> > host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > host/ubuntuhardy1.localhost.netw...@localhost.network with kvno 3,
> > encryption type DES cbc mode with CRC-32 added to keytab
> > WRFILE:/etc/krb5.keytab.
> >
> > edit /etc/exports
> >
> > /var/www gss/krb5i(rw,sync)
> >
> > restarted nfs server
> >
> > on the client ubuntuhardy2:
> >
> > edit /etc/hosts
> >
> > 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> > 192.168.0.110 ubuntuhardy2.localhost.network
> > 192.168.0.109 ubuntuhardy1.localhost.network
> >
> > install software
> >
> > aptitude install krb5-user krb5-clients libpam-krb5
> >
> > copied /etc/krb5.conf from server
> >
> > tested kerberos access:
> >
> > kinit admin/admin
> >
> > and got this output:
> >
> > Password for admin/ad...@localhost.network:
> >
> > logged in again on the SERVER
> >
> > kadmin
> >
> > added principal for client ubuntuhardy2
> >
> > addprinc -randkey host/ubuntuhardy2.localhost.network
> > addprinc -randkey nfs/ubuntuhardy2.localhost.network
> >
> > client
> >
> > logged in on the client:
> >
> > kinit admin/admin
> > Password for admin/ad...@localhost.network:
> >
> > add principal for client
> >
> > kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
> >
> > WARNING: no policy specified for
> > nfs/ubuntuhardy2.localhost.netw...@localhost.network; defaulting to no
> > policy
> > Principal "nfs/ubuntuhardy2.localhost.netw...@localhost.network"
> > created.
> >
> > create key in keytab
> >
> > kadmin: ktadd nfs/ubuntuhardy2.localhost.network
> >
> > Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc
> > mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> > kadmin: quit
> >
> > then I try to mount the nfs share
> >
> > mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www
> > /mnt/websites/
> >
> > I get
> >
> > mount.nfs: access denied by server while mounting
> > ubuntuhardy1.localhost.network:/var/www
> >
> > and in /var/log/daemon.log on the server
> >
> > ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110
> > for /var/www (/var/www)
> >
> > Does anyone know what I am doing wrong?
>
> Currently, you must limit the encryption type for the nfs principals
> to only des-cbc-crc.
>
> So, in both cases
> ktadd nfs/ubuntuhardy1.localhost.netw...@localhost.network
> ktadd nfs/ubuntuhardy2.localhost.netw...@localhost.network
> should be
> ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy1.localhost.netw...@localhost.network
> ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy2.localhost.netw...@localhost.network
>
> (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
>
> K.C.

It does get rid of the double keys, but it's not working yet....... Do I need to do the same for host/ubuntuhardy2.localhost.netw...@localhost.network and host/ubuntuhardy1.localhost.netw...@localhost.network?

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
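A check for the point Kevin Coffman makes above (the nfs/ principals must carry only des-cbc-crc keys, so a keytab that still holds the 3DES entries from the first `ktadd` will not do). The script below is an added example and is not code from the thread or from the CITI page; it parses the entry lines of MIT `klist -ke` output, which have the shape `KVNO principal (enctype description)`, and reports any nfs/ entry whose enctype is not the one given. The two listings embedded in it are constructed, not captured from the poster's hosts: MIXED mirrors the double keys the poster's `ktadd` output shows, FIXED is the shape a keytab has after `ktadd -e des-cbc-crc:normal` (ktadd bumps the kvno). One caveat worth carrying away from this 2009 thread: single-DES is a weak enctype, MIT krb5 1.8 and later refuse it unless `allow_weak_crypto = true` is set in `[libdefaults]`, and later Linux kernels accept stronger enctypes for rpcsec_gss, so the des-cbc-crc restriction is specific to the kernels of that era and is not a setting to carry into a current deployment.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every nfs/ principal in a
# keytab listing carries only the enctype the kernel's rpcsec_gss accepts.
# Reads `klist -ke` output (MIT krb5 format) from stdin; entry lines look like
#    3 nfs/host.example@REALM (DES cbc mode with CRC-32)
# Returns 0 when all nfs/ entries match the wanted enctype, 1 otherwise.
check_nfs_enctypes() {
    allowed="$1"
    bad=0
    while IFS= read -r line; do
        # Keep only entry lines for nfs/ service principals; headers and
        # other principals (host/, users) are skipped.
        case "$line" in
            *" nfs/"*) ;;
            *) continue ;;
        esac
        set -- $line                 # $1 = kvno, $2 = principal
        princ=$2
        enc=${line#*'('}             # text after the first "("
        enc=${enc%')'}               # drop the closing ")"
        if [ "$enc" != "$allowed" ]; then
            printf 'unsupported enctype for %s (kvno %s): %s\n' "$princ" "$1" "$enc"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample listings, not real output from the poster's hosts.
# MIXED mirrors the ktadd result in the thread: 3DES and DES keys per principal.
MIXED_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# FIXED is the shape of the keytab after
#   kadmin: ktadd -e des-cbc-crc:normal nfs/ubuntuhardy2.localhost.network
# (ktadd generates a new key, so the kvno moves on).
FIXED_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)'

# The enctype name klist prints for des-cbc-crc.
WANT='DES cbc mode with CRC-32'

check_mixed() { printf '%s\n' "$MIXED_LISTING" | check_nfs_enctypes "$WANT"; }
check_fixed() { printf '%s\n' "$FIXED_LISTING" | check_nfs_enctypes "$WANT"; }

# Demonstration when run directly: the mixed keytab fails, the fixed one passes.
check_mixed || echo 'mixed keytab: re-run ktadd with -e des-cbc-crc:normal'
check_fixed && echo 'fixed keytab: nfs/ principal carries only des-cbc-crc'
```

On a real host the same function is fed with `klist -ke /etc/krb5.keytab | check_nfs_enctypes "$WANT"`, once on the server and once on the client. It deliberately inspects only nfs/ entries, because that is the only statement the reply above makes; it does not decide the host/ question the follow-up asks.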