help getting kerberized nfs4 mounts working
Kevin Coffman
kwc at citi.umich.edu
Sun May 11 08:20:12 EDT 2008
On Sat, May 10, 2008 at 1:13 PM, Trond Myklebust
<trond.myklebust at fys.uio.no> wrote:
> On Sat, 2008-05-10 at 11:13 -0400, Rohit Kumar Mehta wrote:
>> Thanks
>>
>> I feel pretty confident that kerberos is used in the v3 case. I have
>> just removed all sec=sys export from the NFS server, and retested
>> and I am able to mount successfully. The one krb5/nfs3 export is
>> the only remote filesystem mount on the client. However trying
>> to mount the same filesystem sec=krb5, fstype=nfs4 still fails.
>>
>> I'll poke around in wireshark a little...
>>
>> Rohit
>
> It isn't using kerberos when _mounting_ the NFSv3 filesystem. That's why
> you can get away with broken machine creds. If you look at the tcpdump
> trace you'll see that all the operations that go on the wire when
> mounting are in auth_sys format.
>
> As for your cross-realm issue: the rpc.gssd daemon is telling you that
> it is looking for a cred in the AD.ENGR.UCONN.EDU realm, presumably
> because your krb5.conf file is telling it that is the domain to which
> filesm.ad.engr.uconn.edu belongs.
> Try adding the lines
>
> .ad.engr.uconn.edu = ENGR.UCONN.EDU
> ad.engr.uconn.edu = ENGR.UCONN.EDU
>
> to the [domain_realm] section (and wipe out any existing entries for
> ad.engr.uconn.edu there).
>
Actually, I think you need to have the following entries:

.engr.uconn.edu = ENGR.UCONN.EDU
.ad.engr.uconn.edu = AD.ENGR.UCONN.EDU

So that client, user.engr.uconn.edu, realizes it is in the
ENGR.UCONN.EDU realm and the server, filesm.ad.engr.uconn.edu, is in
the AD.ENGR.UCONN.EDU realm.
K.C.
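
Added example, not part of the original thread and not written by either poster: a simplified model of how a [domain_realm] table maps a hostname to a realm, run over the two sets of entries proposed above for the client and server names given in the message. The function names and the lookup order (exact host entry first, then ".domain" entries from most to least specific) are assumptions of this sketch.

```python
# Added example: simplified model of a krb5.conf [domain_realm] lookup.
# Assumption: an exact host-name entry is tried first, then ".domain"
# entries from most to least specific; no match returns None here.

def candidates(host):
    """Yield lookup keys for a host, most specific first."""
    host = host.lower().rstrip(".")
    yield host                                  # exact host entry
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])        # enclosing domains


def host_realm(host, domain_realm):
    """Return the realm the table assigns to host, or None."""
    for key in candidates(host):
        if key in domain_realm:
            return domain_realm[key]
    return None


# Host names as given in the thread.
CLIENT = "user.engr.uconn.edu"
SERVER = "filesm.ad.engr.uconn.edu"

# The two sets of [domain_realm] entries proposed in the thread.
FIRST_SUGGESTION = {
    ".ad.engr.uconn.edu": "ENGR.UCONN.EDU",
    "ad.engr.uconn.edu": "ENGR.UCONN.EDU",
}
SECOND_SUGGESTION = {
    ".engr.uconn.edu": "ENGR.UCONN.EDU",
    ".ad.engr.uconn.edu": "AD.ENGR.UCONN.EDU",
}


def resolve(domain_realm):
    """Map both hosts through one table."""
    return {h: host_realm(h, domain_realm) for h in (CLIENT, SERVER)}


if __name__ == "__main__":
    for name, table in (("first", FIRST_SUGGESTION),
                        ("second", SECOND_SUGGESTION)):
        print(name)
        for host, realm in resolve(table).items():
            print(f"  {host:28} -> {realm}")
```

A result of None means only that no entry in the table applies; a real Kerberos library then falls back to other ways of choosing a realm, which this sketch does not model.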