Kerberos and NFS V4 Configuration
Keagle, Chuck
chuck.keagle at boeing.com
Thu Oct 12 17:41:27 EDT 2006
Here is one we would like to figure out how to resolve or work around.
It has already been posted to the Kerberos Mailing List and a
recommendation was made that this might be a better place for
resolution.
The KDC is running on AIX Major Release 3.
Kerberos is used to protect access to data on NFS V3 and NFS V4 file
systems.
Exported filesystems are also on AIX 3.
The AIX-specific Process Authentication Group maps NFS V4 encryption
keys and Kerberos keys together. It is used on the KDC for NFS V4 file
system encrypted mounts.
Other AIX systems have Kerberos access to NFS V3, NFS V4
unencrypted, and NFS V4 encrypted data.
In setting up RedHat RHEL WS 4.3 to access Kerberos-controlled data
from the AIX KDC, NFS V3 and NFS V4 unencrypted mounts become
accessible.
When trying to mount over NFS V4 with encryption, the mount options are:

    rw,hard,intr,proto=tcp,port=xxxx,sec=krb5,noauto 0 0

Note that the xxxx represents the correct port number.
When trying to mount a file system in this manner from the KDC on an
RHEL WS 3.4, the following error appears:

    mount: block device hostname:/filesystem is write-protected, mounting read-only
    mount: cannot mount block device hostname:/filesystem read-only

Note that hostname and filesystem represent other correct but
sensitive information.
I'm wondering if this is stumbling over that AIX-specific Process
Authentication Group issue between Kerberos encryption and NFS V4
encryption. Is there a way to overcome this? Hopefully just on the
client. If changes also have to be made on the KDC, it will be a tough
road.
Thanks.
----
Not all who wander are lost.
| ---- ___o | chuck.keagle at boeing.com
Chuck Keagle | ------- \ <, | Work: (425) 865-1488
Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434
http://card.web.boeing.com/Webcard.cfm?id=73990