help getting kerberized nfs4 mounts working
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Mon May 12 13:24:05 EDT 2008
Thanks! I was missing the requires_preauth attribute on my
host/user.. and nfs/user.. principals. Easily fixed!
Now if I change the default_domain, I can (as root) do
a "mount -t nfs4 -o sec=krb5 files:/ /foo" and it works!
This seems to give us a great many more security features with
our NFS shares! I will continue to play with this. Are many people
using Linux-NFS4 in production?
Rohit
Kevin Coffman wrote:
> On Mon, May 12, 2008 at 11:19 AM, Rohit Kumar Mehta
> <rohitm at engr.uconn.edu> wrote:
>
>>
>>> Actually, I think you need to have the following entries:
>>>
>>> .engr.uconn.edu = ENGR.UCONN.EDU
>>> .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
>>>
>>> So that client, user.engr.uconn.edu, realizes it is in the
>>> ENGR.UCONN.EDU realm and the server, filesm.ad.engr.uconn.edu, is in
>>> the AD.ENGR.UCONN.EDU realm.
>>>
>>> K.C.
>>>
>>>
>>>
>> That is what I have: (snippet of krb5.conf follows)
>>
>> [domain_realm]
>>
>> .engr.uconn.edu = ENGR.UCONN.EDU
>> engr.uconn.edu = ENGR.UCONN.EDU
>> # ad.engr.uconn.edu = ENGR.UCONN.EDU
>> # .ad.engr.uconn.edu = ENGR.UCONN.EDU
>> .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
>>
>> ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
>>
>
>
> This looks fine from your description of the realms.
>
>
>
>> Also I have set the default_realm in [libdefaults] to AD.ENGR.UCONN.EDU
>> to force users to authenticate off the Active Directory.
>>
>
> You said the client is in the ENGR.UCONN.EDU realm. If so, its
> default_realm should be ENGR.UCONN.EDU.
>
>
>
>> This error persists:
>> May 12 10:49:46 user rpc.gssd[3534]: Key table entry not found while
>> getting keytab entry for 'host/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
>> In wireshark I see quite a few error messages from the MIT KDC to the NFS
>> client with the type
>> (KRB5KRB_ERR_GENERIC). The message looks like this:
>> MSG Type: KRB-ERROR (30)
>> error_code: KRB5KRB_ERR_GENERIC (60)
>> Client Name (Principal): nfs/user.engr.uconn.edu
>> Realm: ENGR.UCONN.EDU
>> Server Name (Unknown): krbtgt/AD.ENGR.UCONN.EDU
>> e-text: NO PREAUTH
>>
>
> Is this error followed by another successful request, or no? If no,
> see below. If yes, then it probably isn't a problem.
>
>
>> Do you think the version of nfs-utils that ships with Gutsy
>> (1.1.1~git-20070709-3ubuntu1) could be
>> the problem?
>>
>
> This version should be fine, AFAIK.
>
> One "feature" with the MIT Kerberos code is that if a service
> principal has the "REQUIRES_PRE_AUTH" flag set, then you must have
> used pre-authentication when obtaining your TGT, before requesting a
> service ticket for that service principal.
>
> So things to check:
>
> Since your service principal (krbtgt/AD.ENGR.UCONN.EDU at ENGR.UCONN.EDU)
> requires preauth, you need to make sure that your client principal
> (nfs/client.engr.uconn.edu at ENGR.UCONN.EDU) also requires preauth. If
> not, you need to set that flag for your client principal. You'll need
> to restart rpc.gssd on the client after making this change.
>
> If making that change doesn't help, send me a wireshark trace along
> with a copy of your /etc/krb5.conf on the NFS client machine. (And
> perhaps output from getprinc for the same two principals in the
> ENGR.UCONN.EDU realm.)
>
> K.C.
>
>
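The two things this thread turns on are (1) which realm libkrb5 picks for a hostname from [domain_realm], and (2) whether the client principal carries REQUIRES_PRE_AUTH when the service principal it asks for does. The following is an added example, not code from the thread or from nfs-utils or MIT Kerberos. It re-implements the [domain_realm] lookup rule (exact hostname first, then each parent domain with a leading dot, most specific first) against a constructed krb5.conf fragment matching the one quoted above, and checks constructed `getprinc` output for the preauth mismatch Kevin describes. The krb5.conf text, the getprinc output, the principal names and the host `client.engr.uconn.edu` are sample data made up for the example; the `kadmin.local -q "modprinc +requires_preauth ..."` command in the comments is the MIT kadmin syntax for setting that flag.

```shell
#!/bin/sh
# Constructed sample krb5.conf, modelled on the snippet quoted in the thread.
KRB5_CONF_SAMPLE='[libdefaults]
 default_realm = ENGR.UCONN.EDU
[domain_realm]
 .engr.uconn.edu = ENGR.UCONN.EDU
 engr.uconn.edu = ENGR.UCONN.EDU
 # .ad.engr.uconn.edu = ENGR.UCONN.EDU
 .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
 ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
'

# domain_realm_lookup <conf-text> <key>: print the realm for an exact key
# in [domain_realm] (comment lines ignored), or nothing if absent.
domain_realm_lookup() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { insect = ($1 == "[domain_realm]"); next }
        insect && $1 == key && $2 == "=" { print $3; exit }'
}

# realm_for_host <conf-text> <hostname>: resolve a host to its realm the way
# libkrb5 does: try the lowercased hostname itself, then ".parent.domain",
# ".grandparent.domain", ... so the longest matching suffix wins.
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    r=$(domain_realm_lookup "$conf" "$host")
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        r=$(domain_realm_lookup "$conf" ".$rest")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    return 1
}

# Constructed getprinc output for the two principals named in the thread.
# Real data comes from: kadmin.local -q "getprinc <principal>"
KRBTGT_SAMPLE='Principal: krbtgt/AD.ENGR.UCONN.EDU@ENGR.UCONN.EDU
Maximum ticket life: 1 day 00:00:00
Number of keys: 1
Key: vno 1, des-cbc-crc, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

NFS_CLIENT_SAMPLE='Principal: nfs/client.engr.uconn.edu@ENGR.UCONN.EDU
Maximum ticket life: 1 day 00:00:00
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
Attributes:
Policy: [none]'

# The same client principal after the fix:
#   kadmin.local -q "modprinc +requires_preauth nfs/client.engr.uconn.edu@ENGR.UCONN.EDU"
NFS_CLIENT_FIXED='Principal: nfs/client.engr.uconn.edu@ENGR.UCONN.EDU
Maximum ticket life: 1 day 00:00:00
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# requires_preauth <getprinc-output>: succeed if REQUIRES_PRE_AUTH is set.
requires_preauth() {
    printf '%s\n' "$1" | grep -q '^Attributes:.*REQUIRES_PRE_AUTH'
}

# preauth_consistent <service getprinc> <client getprinc>: fail (return 1)
# when the service requires preauth but the client principal does not, which
# is the combination that produces the NO PREAUTH KRB-ERROR in the thread.
preauth_consistent() {
    if requires_preauth "$1" && ! requires_preauth "$2"; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration.
realm_for_host "$KRB5_CONF_SAMPLE" filesm.ad.engr.uconn.edu   # AD.ENGR.UCONN.EDU
realm_for_host "$KRB5_CONF_SAMPLE" user.engr.uconn.edu        # ENGR.UCONN.EDU
if preauth_consistent "$KRBTGT_SAMPLE" "$NFS_CLIENT_SAMPLE"; then
    echo "preauth flags consistent"
else
    echo "client principal lacks REQUIRES_PRE_AUTH: set it, then restart rpc.gssd"
fi
```

After changing the flag on the real KDC, restart rpc.gssd on the client so it fetches a fresh TGT with pre-authentication before requesting the krbtgt/AD.ENGR.UCONN.EDU cross-realm ticket.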