Enduser doc kerberos

From Linux NFS

Revision as of 05:32, 29 June 2007 by CodL0n (Talk | contribs)

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

  1. We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO is a good reference to configure and start the Kerberos KDC.
  2. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.

     # kadmin.local
     kadmin.local: addprinc -randkey nfs/myclient.mydomain
     kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain

  3. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
  4. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Use only lowercase characters for machine names in Kerberos and in the DNS.
  4. The current Kerberos/NFS implementation is not able to work with multiple network interfaces on the same machine.
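
Warnings 2 and 3 can be checked mechanically before any mount is attempted. The script below is an added example, not part of the original page; the function name check_hosts, the address 192.0.2.10 and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): lint an /etc/hosts-style file
# against the /etc/hosts and lowercase warnings listed above.

# check_hosts FILE FQDN
# Prints one line per problem; the exit status is the number of problems found.
check_hosts() {
    awk -v fqdn="$2" '
        BEGIN { want = tolower(fqdn); short = want; sub(/\..*/, "", short) }
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }                     # blank or address-only line
        {
            loop = ($1 ~ /^127\./ || $1 == "::1")
            hit = 0
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name != want && name != short) continue
                hit = 1
                if ($i != name) { print "uppercase characters in name: " $i; bad++ }
            }
            if (!hit) next                  # line does not mention this machine
            if (loop) { print "machine name on loopback line: " $0; bad++; next }
            found = 1
            if (tolower($2) != want) { print "FQDN is not the first name: " $0; bad++ }
        }
        END {
            if (!found) { print "no non-loopback entry for " fqdn; bad++ }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: three separate mistakes for myclient.mydomain.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost myclient
192.0.2.10  MyClient myclient.mydomain   # short name first, mixed case
EOF
check_hosts "$sample" myclient.mydomain || echo "problems found: $?"
rm -f "$sample"
```

On a real machine, run it as check_hosts /etc/hosts "$(hostname -f)" on both the client and the server.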

FAQ

  • Problem: Mounting an NFS volume gives an error message and the syslog or dmesg shows "RPC: Couldn't create auth handle (flavor 390003)".
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client.
  • Problem: Enabling users other than root, e.g. bob, to access the nfs4 mount. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
  • Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit.