Enduser doc kerberos

From Linux NFS

Revision as of 09:07, 7 July 2007 by CodL0n (Talk | contribs)

== Kerberos 5 setup for NFSv4 ==

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

  1. We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO is a good reference to configure and start the Kerberos KDC.
  2. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.

     # kadmin.local
     kadmin.local: addprinc -randkey nfs/myclient.mydomain
     kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain

  3. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
  4. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Use only lower-case characters for machine names in Kerberos and in the DNS.
  4. The current Kerberos/NFS implementation is not able to work with multiple network interfaces on the same machine.
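
Warnings 2 and 3 can be checked mechanically before debugging a failed mount. The script below is an added example, not part of the original wiki page; the function name check_krb5_hosts, the host name myclient.mydomain and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check /etc/hosts against warnings 2 and 3 above.
# Usage: check_krb5_hosts FILE FQDN IP   (FILE may be "-" for stdin)
# Prints one FAIL line per problem; returns 0 only when none are found.
check_krb5_hosts() {
    hosts_file=$1; fqdn=$2; ip=$3
    awk -v fqdn="$fqdn" -v ip="$ip" '
    BEGIN {
        short = fqdn; sub(/\..*/, "", short)   # host part before the first dot
        # Warning 3: machine names must be lower case.
        if (fqdn != tolower(fqdn)) {
            print "FAIL: " fqdn " contains upper-case characters"; bad++
        }
    }
    { sub(/#.*/, "") }      # drop comments; awk re-splits the fields
    NF < 2 { next }         # blank line or address without a name
    $1 == ip {
        seen = 1
        # Warning 2: the FQDN must be the first name after the address.
        if ($2 != fqdn) {
            print "FAIL: first name for " ip " is " $2 ", expected " fqdn; bad++
        }
    }
    $1 ~ /^127\./ || $1 == "::1" {
        # Warning 2: the machine name must not be on a localhost line.
        for (i = 2; i <= NF; i++)
            if ($i == fqdn || $i == short) {
                print "FAIL: " $i " is listed on loopback line " $1; bad++
            }
    }
    END {
        if (!seen) { print "FAIL: no entry for " ip; bad++ }
        exit (bad ? 1 : 0)
    }' "$hosts_file"
}

# Constructed sample: short name first and host name on the loopback line.
check_krb5_hosts - myclient.mydomain 192.0.2.10 <<'EOF' || echo "hosts file needs fixing"
127.0.0.1   localhost myclient
192.0.2.10  myclient myclient.mydomain
EOF
```

On a real machine, pass /etc/hosts as the first argument together with that machine's own fully-qualified name and address; run it on both the client and the server.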

FAQ

  • Problem: Mounting an NFS volume gives an error message and the syslog or dmesg shows "RPC: Couldn't create auth handle (flavor 390003)".
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client.
  • Problem: Enabling users other than root, e.g. bob, to access the nfs4 mount. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
  • Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit.