Enduser doc kerberos

From Linux NFS

(Difference between revisions)
Jump to: navigation, search
(removed incorrect note about where to put krb5.keytab)
Line 20: Line 20:
# Use only down cases caracters for machines names in kerberos and in the DNS.
# Use only down cases caracters for machines names in kerberos and in the DNS.
# Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine
# Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine
 +
 +
== FAQ ==
 +
 +
* '''Problem:''' Mounting a nfs volume gives an error message and the syslog or dmesg shows
 +
  "RPC: Couldn't create auth handle (flavor 390003)"
 +
 +
* '''Solution:''' Try 'modprobe rpcsec_gss_krb5' on the client

Revision as of 01:06, 25 February 2006

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

  • We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO is a good reference to configure and start the Kerberos KDC.
  • Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
# kadmin.local
kadmin.local: addprinc -randkey nfs/myclient.mydomain
kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  1. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
  2. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be include on the localhost line.
  3. Use only down cases caracters for machines names in kerberos and in the DNS.
  4. Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine

FAQ

  • Problem: Mounting a nfs volume gives an error message and the syslog or dmesg shows
 "RPC: Couldn't create auth handle (flavor 390003)"
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client
Personal tools