A little encouragement with Kerberos for NFS

Fri, 07 Jul 2006 17:06:24 -0700 

I have been struggling for about two days now and could use a little 
encouragement.  I wish to have NFS use Kerberos but am as of yet unable 
to get it working.  But I think I am close.  Here is what I have--

ns3.an3e.org:  KDC and NSF server, Linux ns3.an3e.org 2.6.17-1.2139_FC5
# exportfs -v -> /var/lib/music  gss/krb5p(ro,wdelay,root_squash)

ns2.an3e.org: NSF Client, Linux ns2.an3e.org 2.6.16-1.2122_FC5


kadmin:  listprincs
K/[EMAIL PROTECTED]
admin/[EMAIL PROTECTED]
[EMAIL PROTECTED]
host/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
nfs/[EMAIL PROTECTED]
nfs/[EMAIL PROTECTED]
nfs/[EMAIL PROTECTED]
root/[EMAIL PROTECTED]

[EMAIL PROTECTED] ~]# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   8 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   5 root/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   5 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)


[EMAIL PROTECTED] ~]#  klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   7 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)

[EMAIL PROTECTED] ~]# more /etc/sysconfig/nfs
SECURE_NFS=yes

[EMAIL PROTECTED] ~]# authconfig --enablekrb5 --update


This above from all sorts of pages offered by Google.
So here is what I get---

[EMAIL PROTECTED] ~]# mount -t nfs4 -o ro,sec=krb5p ns3.an3e.org:/var/lib/music 
/mnt/ns3/music
mount: cannot mount block device ns3.an3e.org:/var/lib/music read-only
|--ns2:/var/log/messages---------------
|Jul  7 16:50:26 ns2 rpc.gssd[2911]: WARNING: Failed to create krb5 
context for user with uid 0 with any |credentials cache for server 
ns3.an3e.org

|--ns3:/var/log/krb5kdc.log-----------
|Jul 07 15:06:18 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (7 etypes {18 
17 16 23 1 3 2}) 64.165.113.66: |VALIDATE VALID TICKET: authtime 
1152309967,  host/[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], 
KDC |can't fulfill requested option



I could sure use a kind word heading into the weekend.
Thanks!
Andrew
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to