Weblog entry #137 for ajt

How do I make NFSv4 talk Kerberos?
Posted by ajt on Wed 23 Jul 2008 at 21:19

Some time ago I switched to NFSv4 (RFC 3530) at home on my Lenny boxen. Everything seems to work okay, it seems stable enough, in theory it allows you to better take advantage of modern gigabit networking and if you configure the Kerberos bit up it's apparently quite secure - unlike NFSv3 (RFC 1813) and older.

I followed various recipes and set up a Kerberos domain on the NFSv4 server and followed the set-up on the client, but so far I've not had any success in getting the client to talk to the server using Kerberos; only plain old security, i.e. no security, seems to work.

Does anyone know how to get Kerberos and NFSv4 working on Debian Lenny?

 

Comments on this Entry

Posted by ptman (130.233.xx.xx) on Thu 24 Jul 2008 at 09:44
Start by reading the MIT Kerberos documentation and the file /usr/share/doc/nfs-common/README.Debian.nfsv4 . The Debian wiki has pretty good LDAP documentation although a bit out of date. And Google is your friend. You're in for a lot of work, I'm almost through it myself but I haven't got it documented (yet). Maybe I'll write a blog entry sometime. You can contact me on IRC: ptman@freenode

Posted by ajt (204.193.xx.xx) on Thu 24 Jul 2008 at 13:56

Thanks, the NFSv4 README had some stuff in I'd not seen before so I'll see if that helps tonight. I'll also have a look at the Debian wiki. I have tried Google in the past, which tended to point to the same high level NFSv4 stuff, that did not include some elements in the Debian README.

--
"It's Not Magic, It's Work"
Adam

Posted by daemon (146.231.xx.xx) on Thu 24 Jul 2008 at 22:35

I've had this page bookmarked for a while now, for when I get around to really playing with this stuff. Seems to have some info that might also be useful for you.

Cheers.
:wq

Posted by ajt (195.112.xx.xx) on Thu 24 Jul 2008 at 23:30

The basic NFSv4 stuff seems okay, but the Kerberos advice didn't seem to help much...

--
"It's Not Magic, It's Work"
Adam

Posted by ajt (195.112.xx.xx) on Thu 24 Jul 2008 at 22:42

Thanks for the pointers. I've started the daemons as suggested by the Debian notes, set krb5 in the exports and fstab and hey-presto.. it still doesn't work. I did at least get kerberised-telnet to work, so one box knows the other and trusts me to be the right user.

Running mount gives me:

mount: fstab path: "/etc/fstab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: spec:  "server:/nfs4"
mount: node:  "/mnt/server/nfs4/"
mount: types: "nfs4"
mount: opts:  "sec=krb5,proto=tcp"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "server:/nfs4"
mount: external mount: argv[2] = "/mnt/server/nfs4/"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5,proto=tcp"
mount.nfs4: pinging: prog 100003 vers 4 prot tcp port 2049
mount.nfs4: Operation not permitted

I'm sure it's possible, it's also possible I've made a typo somewhere or missed a step, but it's not very well documented yet. If you get your procedure working I'm sure others would like to know what you did - I certainly would.

At least I've got unkerberised NFSv4 working and kerberised-telnet working, should I want it.

--
"It's Not Magic, It's Work"
Adam

Posted by teamanx (81.39.xx.xx) on Mon 28 Jul 2008 at 11:43
I have NFSv4 working with Kerberos, but I use Heimdal, not MIT, so I cannot give you the exact steps for MIT. But I can give you some clues:

- Have you made the principals for both the client and server machine?
- Have you got the credentials for both the server and client machine, and put them in /etc/krb5.keytab?

The page pointed from the Ubuntu wiki (https://help.ubuntu.com/community/NFSv4Howto) tells you how to do it, but in order to make it work I had to remove the option "-e des-cbc-crc:normal".

If you are not sure, then please post the output of "ktutil list" (oops, that's for Heimdal, on MIT try "klist -e -k /etc/krb5.keytab") on both the server and client.

Post also /etc/krb5.conf and /etc/default/nfs-common on both server and client, and /etc/default/nfs-kernel-server on server.


--
Blessed be God.

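
The two checks above (machine principals for both ends, and their keys in /etc/krb5.keytab), as an added example that is not from the thread or from Debian's nfs-common: a Python script that parses MIT `klist -e -k` output and reports whether the nfs/<fqdn>@REALM entry that rpc.gssd and rpc.svcgssd authenticate the host with is present, and with which KVNOs and enctypes. It also flags single-DES keys, which is what the `des-cbc-crc` enctype the Ubuntu page asks for produces: 56-bit DES is brute-forceable, and MIT krb5 1.8 and later refuse it unless allow_weak_crypto is set. The sample listing is a constructed copy of the client keytab posted later in the thread; the function names and the live-mode wrapper are mine.

```python
"""Added example (not from the thread or from nfs-common): audit the
keytab listing teamanx asks for.  It parses MIT `klist -e -k` output and
checks for the nfs/<fqdn>@REALM entry that rpc.gssd (client) and
rpc.svcgssd (server) authenticate the machine with.  SAMPLE_KLIST is a
constructed copy of the client listing posted later in this thread.
"""
import re
import subprocess
import sys

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------- ---------
   9 nfs/client.iredale.net@IREDALE.NET (Triple DES cbc mode with HMAC/sha1)
   9 nfs/client.iredale.net@IREDALE.NET (DES cbc mode with CRC-32)
"""

# One keytab entry as klist -e prints it:  "   9 nfs/host@REALM (enctype text)"
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([^/@\s]+)(?:/([^@\s]+))?@(\S+)\s+\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, primary, instance, realm, enctype) tuples; header skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, primary, instance, realm, enctype = m.groups()
            entries.append((int(kvno), primary, instance, realm, enctype))
    return entries


def audit_nfs_keytab(text, fqdn, realm):
    """Report on the nfs/<fqdn>@<realm> keys in a klist listing.

    fqdn must be what rpc.gssd logs as "Full hostname for ...": the keytab
    principal is matched on that name, not on the short hostname.
    """
    keys = [e for e in parse_keytab_listing(text)
            if e[1] == "nfs" and e[2] == fqdn and e[3] == realm]
    report = {
        "present": bool(keys),
        "kvnos": sorted({e[0] for e in keys}),
        "enctypes": [e[4] for e in keys],
        # klist prints single DES as "DES cbc mode with ..." and triple DES
        # as "Triple DES ...", so a prefix test separates them.
        "single_des": [e[4] for e in keys if e[4].startswith("DES cbc mode")],
        "problems": [],
    }
    if not keys:
        report["problems"].append(
            "no nfs/%s@%s key: rpc.gssd/rpc.svcgssd cannot authenticate this host"
            % (fqdn, realm))
    if report["single_des"]:
        report["problems"].append(
            "single-DES keys present (56-bit, brute-forceable; MIT krb5 >= 1.8 "
            "refuses them unless allow_weak_crypto = true)")
    if realm != realm.upper():
        report["problems"].append(
            "realm %r is not upper-case; realm names are case-sensitive" % realm)
    return report


def live_listing(keytab="/etc/krb5.keytab"):
    """Run klist on the real keytab (needs root to read it)."""
    return subprocess.check_output(["klist", "-e", "-k", keytab],
                                   universal_newlines=True)


if __name__ == "__main__":
    # usage: audit_keytab.py FQDN REALM [keytab]   (no args: the constructed sample)
    if len(sys.argv) >= 3:
        text = live_listing(*sys.argv[3:4])
        fqdn, realm = sys.argv[1], sys.argv[2]
    else:
        text, fqdn, realm = SAMPLE_KLIST, "client.iredale.net", "IREDALE.NET"
    for k, v in sorted(audit_nfs_keytab(text, fqdn, realm).items()):
        print("%-11s %s" % (k + ":", v))
```

Run it on each box with that box's own FQDN and the realm; `klist` needs root to read the keytab. If a key was re-extracted, compare the KVNO it reports against `kvno nfs/<fqdn>` run with a valid TGT, since a stale keytab is another way to end up with a context that the server refuses.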

Posted by ajt (195.145.xx.xx) on Mon 28 Jul 2008 at 16:12

Okay, so your advice is the opposite of the Ubuntu page regarding the encryption option. It can't hurt to try it that way round.

--
"It's Not Magic, It's Work"
Adam

Posted by Anonymous (81.39.xx.xx) on Mon 28 Jul 2008 at 18:13
No, I don't need to try it: I have it working in a production environment! :)
I'm just telling you, to be helpful.

Posted by ajt (195.112.xx.xx) on Mon 28 Jul 2008 at 21:42

I gave it a go and it still didn't work. Details as requested below.

$ uname -a
Linux client 2.6.25-2-amd64 #1 SMP Mon Jul 14 11:05:23 UTC 2008 x86_64 GNU/Linux

$ sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------- ---------
   9 nfs/client.iredale.net@IREDALE.NET (Triple DES cbc mode with HMAC/sha1)
   9 nfs/client.iredale.net@IREDALE.NET (DES cbc mode with CRC-32)

$ sudo cat /etc/krb5.conf
[libdefaults]
        default_realm = IREDALE.NET

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc


# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        IREDALE.NET = {
                kdc = server
                admin_server = server
                default_domain = iredale.net
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .iredale.net = IREDALE.NET
        iredale.net  = IREDALE.NET

[login]
        krb4_convert = true
        krb4_get_tickets = false

$ sudo cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

RPCGSSDOPTS="-vvv -rrr"


$ uname -a
Linux server 2.6.24-1-amd64 #1 SMP Sat May 10 09:28:10 UTC 2008 x86_64 GNU/Linux

$ sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------- ---------
   7 nfs/server.iredale.net@IREDALE.NET (Triple DES cbc mode with HMAC/sha1)
   7 nfs/server.iredale.net@IREDALE.NET (DES cbc mode with CRC-32)

$ sudo cat /etc/krb5.conf
[libdefaults]
        default_realm = IREDALE.NET

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        IREDALE.NET = {
                kdc = server
                admin_server = server
                default_domain = iredale.net
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .iredale.net = IREDALE.NET
        iredale.net  = IREDALE.NET

[login]
        krb4_convert = true
        krb4_get_tickets = false

$ sudo cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

$ sudo cat /etc/default/nfs-kernel-server
# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS=

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=yes

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=
#RPCSVCGSSDOPTS="-vvv -rrr"

$ sudo mount -t nfs4 -vvvv -o sec=krb5,proto=tcp server.iredale.net:/nfs4 /mnt/lapin-bleu/nfs4/
mount: fstab path: "/etc/fstab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: spec:  "server.iredale.net:/nfs4"
mount: node:  "/mnt/lapin-bleu/nfs4/"
mount: types: "nfs4"
mount: opts:  "sec=krb5,proto=tcp"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "server.iredale.net:/nfs4"
mount: external mount: argv[2] = "/mnt/server/nfs4/"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5,proto=tcp"
mount.nfs4: pinging: prog 100003 vers 4 prot tcp port 2049
mount.nfs4: access denied by server while mounting server.iredale.net:/nfs4

$ sudo tail /var/log/daemon.log
client rpc.gssd[7419]: handling krb5 upcall
client rpc.gssd[7419]: Full hostname for 'server.iredale.net' is 'server.iredale.net'
client rpc.gssd[7419]: Full hostname for 'client.iredale.net' is 'client.iredale.net'
client rpc.gssd[7419]: Key table entry not found while getting keytab entry for 'root/client.iredale.net@IREDALE.NET'
client rpc.gssd[7419]: Success getting keytab entry for 'nfs/client.iredale.net@IREDALE.NET'
client rpc.gssd[7419]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_IREDALE.NET' are good until 1217311275
client rpc.gssd[7419]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_IREDALE.NET' are good until 1217311275
client rpc.gssd[7419]: using FILE:/tmp/krb5cc_machine_IREDALE.NET as credentials cache for machine creds
client rpc.gssd[7419]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_IREDALE.NET
client rpc.gssd[7419]: creating context using fsuid 0 (save_uid 0)
client rpc.gssd[7419]: creating tcp client for server server.iredale.net
client rpc.gssd[7419]: creating context with server nfs@server.iredale.net
client rpc.gssd[7419]: in authgss_create_default()
client rpc.gssd[7419]: in authgss_create()
client rpc.gssd[7419]: authgss_create: name is 0x2169df0
client rpc.gssd[7419]: authgss_create: gd->name is 0x2169c70
client rpc.gssd[7419]: in authgss_refresh()
client rpc.gssd[7419]: struct rpc_gss_sec:
client rpc.gssd[7419]:      mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
client rpc.gssd[7419]:      qop: 0
client rpc.gssd[7419]:      service: 1
client rpc.gssd[7419]:      cred: 0x2169d30
client rpc.gssd[7419]:      req_flags: 00000002
client rpc.gssd[7419]: in authgss_marshal()
client rpc.gssd[7419]: xdr_rpc_gss_buf: encode success ((nil):0)
client rpc.gssd[7419]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
client rpc.gssd[7419]: in authgss_wrap()
client rpc.gssd[7419]: xdr_rpc_gss_buf: encode success (0x217e880:521)
client rpc.gssd[7419]: xdr_rpc_gss_init_args: encode success (token 0x217e880:521)
client rpc.gssd[7419]: in authgss_validate()
client rpc.gssd[7419]: in authgss_unwrap()
client rpc.gssd[7419]: xdr_rpc_gss_buf: decode success ((nil):0)
client rpc.gssd[7419]: xdr_rpc_gss_buf: decode success ((nil):0)
client rpc.gssd[7419]: xdr_rpc_gss_init_res decode success (ctx (nil):0, maj 851968, min -1765328154, win 128, token (nil$
client rpc.gssd[7419]: authgss_create_default: freeing name 0x2169df0
client rpc.gssd[7419]: WARNING: Failed to create krb5 context for user with uid 0 for server server.iredale.net
client rpc.gssd[7419]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server s$
client rpc.gssd[7419]: doing error downcall
client rpc.gssd[7419]: Failed to write error downcall!
client rpc.gssd[7419]: destroying client clnt7

If I add a principal for root into the keytab it fails with a slightly different error:

Jul 28 21:31:05 client rpc.gssd[7419]: handling krb5 upcall
client rpc.gssd[7419]: Full hostname for 'server.iredale.net' is 'server.iredale.net'
client rpc.gssd[7419]: Full hostname for 'client.iredale.net' is 'client.iredale.net'
client rpc.gssd[7419]: Success getting keytab entry for 'root/client.iredale.net@IREDALE.NET'
client rpc.gssd[7419]: Successfully obtained machine credentials for principal 'root/client.iredale.net@IREDALE.NET' stor$
client rpc.gssd[7419]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_IREDALE.NET' are good until 1217313065
client rpc.gssd[7419]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_IREDALE.NET' are good until 1217311275
client rpc.gssd[7419]: using FILE:/tmp/krb5cc_machine_IREDALE.NET as credentials cache for machine creds
client rpc.gssd[7419]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_IREDALE.NET
client rpc.gssd[7419]: creating context using fsuid 0 (save_uid 0)
client rpc.gssd[7419]: creating tcp client for server server.iredale.net
client rpc.gssd[7419]: creating context with server nfs@server.iredale.net
client rpc.gssd[7419]: in authgss_create_default()
client rpc.gssd[7419]: in authgss_create()
client rpc.gssd[7419]: authgss_create: name is 0x2169fb0
client rpc.gssd[7419]: authgss_create: gd->name is 0x2169d30
client rpc.gssd[7419]: in authgss_refresh()
client rpc.gssd[7419]: struct rpc_gss_sec:
client rpc.gssd[7419]:      mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 }
client rpc.gssd[7419]:      qop: 0
client rpc.gssd[7419]:      service: 1
client rpc.gssd[7419]:      cred: 0x217e2b0
client rpc.gssd[7419]:      req_flags: 00000002
client rpc.gssd[7419]: in authgss_marshal()
client rpc.gssd[7419]: xdr_rpc_gss_buf: encode success ((nil):0)
client rpc.gssd[7419]: xdr_rpc_gss_cred: encode success (v 1, proc 1, seq 0, svc 1, ctx (nil):0)
client rpc.gssd[7419]: in authgss_wrap()
client rpc.gssd[7419]: xdr_rpc_gss_buf: encode success (0x2180200:521)
client rpc.gssd[7419]: xdr_rpc_gss_init_args: encode success (token 0x2180200:521)
client rpc.gssd[7419]: in authgss_validate()
client rpc.gssd[7419]: in authgss_unwrap()
client rpc.gssd[7419]: xdr_rpc_gss_buf: decode success (0x217e9d0:4)
client rpc.gssd[7419]: xdr_rpc_gss_buf: decode success (0x217f0a0:114)
client rpc.gssd[7419]: xdr_rpc_gss_init_res decode success (ctx 0x217e9d0:4, maj 0, min 0, win 128, token 0x217f0a0:114)
client rpc.gssd[7419]: authgss_create_default: freeing name 0x2169fb0
client rpc.gssd[7419]: in authgss_get_private_data()
client rpc.gssd[7419]: DEBUG: serialize_krb5_ctx: lucid version!
client rpc.gssd[7419]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
client rpc.gssd[7419]: doing downcall
client rpc.gssd[7419]: in authgss_free_private_data()
client rpc.gssd[7419]: in authgss_destroy()
client rpc.gssd[7419]: in authgss_destroy_context()
client rpc.gssd[7419]: authgss_destroy: freeing name 0x2169d30
client rpc.gssd[7419]: destroying client clnt8

Sorry for the long post, I'm sure it's something stupid I'm doing. The non-krb5 mounts work perfectly, as does telnet.krb5.

$ cat /etc/exports
/exports 192.168.0.0/24(ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0)
/exports/home client(sec=krb5:sys,rw,insecure,sync,wdelay,no_subtree_check,nohide,root_squash)
/exports/srv client(sec=krb5:sys,rw,insecure,sync,wdelay,no_subtree_check,nohide,root_squash)
/exports/nfs4 client(sec=krb5p:krb5i:krb5:sys,rw,insecure,async,wdelay,no_subtree_check,nohide,root_squash)

--
"It's Not Magic, It's Work"
Adam

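
Two things to pull out of the log and exports posted above, as an added example that is not from the thread or from nfs-utils. The `xdr_rpc_gss_init_res` line is rpc.gssd decoding the server's RPCSEC_GSS init reply (RFC 2203), so the maj/min in it are what rpc.svcgssd on the server returned from GSS_Accept_sec_context: the first run's maj 851968 is a server-side failure, and the server's log with RPCSVCGSSDOPTS="-vvv -rrr" (commented out in the posted nfs-kernel-server config) is where the reason would show. The second part checks /etc/exports for one common cause of "access denied" once the context does come up, which the posted exports exhibit: the fsid=0 pseudo-root export carries no sec= option, so it admits only sec=sys, and a client that mounted with sec=krb5 cannot traverse it to reach /exports/nfs4. Whether that is the whole of ajt's problem the thread does not say. The sample log lines and exports are constructed from the post (the truncated token field is completed so the line parses); the major-status decoding follows RFC 2744 and the minor-code offset is taken relative to MIT's krb5 error table base. Function names are mine.

```python
"""Added example (not from the thread or from nfs-utils): read the evidence
ajt posted.  (1) Decode the GSS status in rpc.gssd's "xdr_rpc_gss_init_res"
line, which carries the server's verdict from GSS_Accept_sec_context
(RFC 2203 init reply).  (2) Check /etc/exports for an NFSv4 pseudo-root
(fsid=0) that does not admit the flavour the client mounted with.
Samples are constructed from the post.
"""
import re

# RFC 2744 s3.9.1: calling error in bits 24-31, routine error in bits 16-23,
# supplementary info in bits 0-15.
GSS_CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
               3: "GSS_S_CALL_BAD_STRUCTURE"}
GSS_ROUTINE = {0: "GSS_S_COMPLETE", 1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME",
               3: "GSS_S_BAD_NAMETYPE", 4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS",
               6: "GSS_S_BAD_SIG", 7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT",
               9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
               11: "GSS_S_CREDENTIALS_EXPIRED", 12: "GSS_S_CONTEXT_EXPIRED",
               13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP", 15: "GSS_S_UNAUTHORIZED",
               16: "GSS_S_UNAVAILABLE", 17: "GSS_S_DUPLICATE_ELEMENT",
               18: "GSS_S_NAME_NOT_MN"}
GSS_SUPPLEMENTARY = {1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
                     4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN"}
KRB5_ERRTAB_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT's krb5_err.h

INIT_RES_RE = re.compile(
    r"xdr_rpc_gss_init_res decode success \(ctx \S+, maj (\d+), min (-?\d+), win (\d+)")


def decode_gss_status(maj, minor):
    """Name the parts of a GSS major status; locate an MIT krb5 minor code."""
    calling, routine, supp = (maj >> 24) & 0xFF, (maj >> 16) & 0xFF, maj & 0xFFFF
    offset = minor - KRB5_ERRTAB_BASE
    return {
        "ok": calling == 0 and routine == 0,
        "calling": GSS_CALLING.get(calling) if calling else None,
        "routine": GSS_ROUTINE.get(routine, "unknown(%d)" % routine),
        "supplementary": [n for b, n in GSS_SUPPLEMENTARY.items() if supp & b],
        # Index into MIT's krb5 error table (krb5_err.h / error_message());
        # only meaningful when the mechanism is Kerberos, None otherwise.
        "krb5_errtab_offset": offset if minor and 0 <= offset < 512 else None,
    }


def scan_gssd_log(lines):
    """Decode every RPCSEC_GSS init reply found in rpc.gssd -vvv output."""
    found = []
    for line in lines:
        m = INIT_RES_RE.search(line)
        if m:
            found.append(decode_gss_status(int(m.group(1)), int(m.group(2))))
    return found


SAMPLE_GSSD_LOG = [  # constructed from the two init replies in the post
    "client rpc.gssd[7419]: xdr_rpc_gss_init_res decode success "
    "(ctx (nil):0, maj 851968, min -1765328154, win 128, token (nil):0)",
    "client rpc.gssd[7419]: xdr_rpc_gss_init_res decode success "
    "(ctx 0x217e9d0:4, maj 0, min 0, win 128, token 0x217f0a0:114)",
]

SAMPLE_EXPORTS = """\
/exports 192.168.0.0/24(ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0)
/exports/home client(sec=krb5:sys,rw,insecure,sync,wdelay,no_subtree_check,nohide,root_squash)
/exports/srv client(sec=krb5:sys,rw,insecure,sync,wdelay,no_subtree_check,nohide,root_squash)
/exports/nfs4 client(sec=krb5p:krb5i:krb5:sys,rw,insecure,async,wdelay,no_subtree_check,nohide,root_squash)
"""

CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")  # "host(opt,opt=val,...)"


def parse_exports(text):
    """Map export path -> [(client, {option: value})] as exports(5) reads it."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        clients = []
        for client, opts in CLIENT_RE.findall(rest):
            parsed = dict(o.partition("=")[::2] for o in opts.split(",") if o)
            clients.append((client, parsed))
        exports[path] = clients
    return exports


def sec_flavours(opts):
    """exports(5): sec= is a colon-separated list; absent means sys only."""
    return opts.get("sec", "sys").split(":")


def pseudoroot_allows(exports_text, flavour):
    """True if the NFSv4 pseudo-root (fsid=0 or fsid=root) admits flavour."""
    return any(opts.get("fsid") in ("0", "root") and flavour in sec_flavours(opts)
               for clients in parse_exports(exports_text).values()
               for _, opts in clients)
```

On the first sample line the routine error decodes to GSS_S_FAILURE with a Kerberos minor code, i.e. the server rejected the token, so the next step is the server's svcgssd log rather than more client-side tracing; on the second the context completes (maj 0) and the failure moves to the NFS layer, which is where the pseudo-root check applies: `pseudoroot_allows(SAMPLE_EXPORTS, "krb5")` is false for the posted exports, while `sys` is admitted.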

Posted by Anonymous (82.233.xx.xx) on Mon 18 Aug 2008 at 23:44
I found some useful information in http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto.pdf

It has several references to your warnings.

Hope it'll help you

Posted by ajt (195.112.xx.xx) on Tue 19 Aug 2008 at 20:32

Thanks, that looks interesting and I'll have a look.

--
"It's Not Magic, It's Work"
Adam


 

 
