[Freeipa-users] FreeIPA 3.3 and Solaris 10 Client Integration:

Traiano Welcome traiano at gmail.com
Thu Sep 25 15:35:54 UTC 2014


Hi Martin



On Wed, Sep 24, 2014 at 2:18 PM, Martin Kosek <mkosek at redhat.com> wrote:

> On 09/24/2014 01:06 PM, Traiano Welcome wrote:
> > Hi List
> >
> > I'm currently running IPA 3.3 on Centos 7, and successfully
> authenticating
> > Linux clients (Centos 6.5).
> >
> > I'd like to setup Solaris 10 as an IPA client, but this seems
> > problematic. I am following this guide:
> >
> >
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >
> > I have the following setup:
> >
> > Solaris client:
> >
> > - Solaris 10u11 (SunOS 5.10 Generic_147148-26 i86pc i386 i86pc)
> >
> > IdM Server:
> >
> > - Linux kwtpocipa001.orion.local 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30
> > 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > Going through the steps in the guide: at step 3 ("Create the
> cn=proxyagent
> > account"), ldapadd fails with the following error:
> >
> >
> >
> > "ldapadd: invalid format (line 6) entry:
> > "cn=proxyagent,ou=profile,dc=orion,dc=local""
> >
> > ---
> >
> > [root at kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
> > manager" -w Cr4ckM0nk3y
> > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > objectClass: top
> > objectClass: person
> > sn: proxyagent
> > cn: proxyagent
> > userPassword::
> > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> >
> > ldapadd: invalid format (line 6) entry:
> > "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > ---
> >
> > I've made the assumption that the extra ":" is a typo in the
> documentation
> > and removed it, so the command runs successfully as follows:
> >
> >
> > ---
> > [root at kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
> > manager" -w Cr4ckM0nk3y
> >
> > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > objectClass: top
> > objectClass: person
> > sn: proxyagent
> > cn: proxyagent
> > userPassword:
> > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> > adding new entry "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > ---
> >
> >
> > At step 9 (Configure NFS), I get an error that seems to indicate the
> > "des-cbc-crc" encryption type is unsupported:
> >
> > ---
> > [root at kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
> > nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab -e
> > des-cbc-crc
> > Operation failed! All enctypes provided are unsupported
> > [root at kwtpocipa001 ~]#
> > ---
> >
> > (Question: How would I add support for des-cbc-crc encryption in
> > freeipa?). I've now worked around this by not specifying any encryption
> > type:
> >
> > ---
> > [root at kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
> > nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab
> > Keytab successfully retrieved and stored in:
> /tmp/kwtpocipasol10u11.keytab
> > [root at kwtpocipa001 ~]#
> > ---
> >
> > Testing that I can see nfs mounts on the centos IPA server from the
> solaris
> > machine:
> >
> > ---
> > bash-3.2# showmount -e kwtpocipa001.orion.local
> > export list for kwtpocipa001.orion.local:
> > /data/centos-repo 172.16.0.0/24
> > bash-3.2#
> > ---
> >
> >
> > Checking we can kinit:
> >
> > ---
> > bash-3.2#
> > bash-3.2# kinit admin
> > Password for admin at ORION.LOCAL:
> > bash-3.2#
> > bash-3.2#
> > bash-3.2# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin at ORION.LOCAL
> > Valid starting                Expires                Service principal
> > 09/24/14 11:20:36  09/24/14 12:20:36  krbtgt/ORION.LOCAL at ORION.LOCAL
> >         renew until 10/01/14 11:20:36
> > bash-3.2#
> > bash-3.2#
> > bash-3.2#
> > bash-3.2# uname -a
> > SunOS kwtpocipasol10u11 5.10 Generic_147148-26 i86pc i386 i86pc
> > bash-3.2#
> > ---
> >
> > Testing I can mount the remote FS (without Kerberos auth). This is
> > successful (when not using kerberos5 authentication):
> >
> > ---
> > bash-3.2# mount -F nfs 172.16.107.102:/data/centos-repo /remote/
> > bash-3.2# mount |grep remote
> > /remote on 172.16.107.102:/data/centos-repo
> > remote/read/write/setuid/devices/rstchown/xattr/dev=4f0000a on Wed Sep 24
> > 13:45:32 2014
> > bash-3.2#
> > ---
> >
> > Testing with KRB5:
> >
> > ---
> > bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo
> /remote/
> > nfs mount: mount: /remote: Permission denied
> > bash-3.2#
> > ---
> >
> > Looking at the krbkdc logs on the IPA master server, I get the following
> > error:
> >
> > ---
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2371](info): AS_REQ (6
> > etypes {18 17 16 23 3 1}) 172.16.107.107: NEEDED_PREAUTH:
> > host/kwtpocipasol10u11.orion.local at ORION.LOCAL for
> > krbtgt/ORION.LOCAL at ORION.LOCAL, Additional pre-authentication required
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2373](info): DISPATCH:
> > repeated (retransmitted?) request from 172.16.107.107, resending previous
> > response
> > Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2374](info): DISPATCH:
> > repeated (retransmitted?) request from 172.16.107.107, resending previous
> > response
> > .
> > .
> > .
> > Sep 24 13:48:18 kwtpocipa001.orion.local krb5kdc[2373](info): AS_REQ (6
> > etypes {18 17 16 23 3 1}) 172.16.107.107: CLIENT_NOT_FOUND:
> > root/kwtpocipasol10u11.orion.local at ORION.LOCAL for
> > krbtgt/ORION.LOCAL at ORION.LOCAL, Client not found in Kerberos database
> >
> > ---
> >
> > So it seems the host is not correctly registered.
> >
> > NOTE: Via the interface, I can see the solaris client is
> > not properly enrolled (" Kerberos Key Not Present"), however the
> > documentation doesn't seem to indicate clearly how this should be done
> for
> > a Solaris client. I have regenerated the certificate though, so it shows
> > "valid certificate present".
> >
> > My question is: Is the process described in this guide still
> > correct/functional for integrating Solaris 10 clients?
> > If so, is there some way I could debug further to pinpoint why the
> solaris
> > client is not being registered in the Kerberos DB?
> >
> > Many thanks in advance!
> > Traiano
>
> Hello Traiano,
>
> This part of the documentation is wrong: as reported by ldapadd, the
> userPassword is not correct.
>
> If you specify the entry with clear text password, it would work. I.e.:
>
> dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> objectClass: top
> objectClass: person
> sn: proxyagent
> cn: proxyagent
> userPassword: agentpassword
>
> Note that Solaris related documentation is (unfortunately) known to be off:
> https://fedorahosted.org/freeipa/ticket/3731
>
> Also please note that the guide you are referring to is also pretty old
> (from
> Fedora 18 times) and not updated. There is a related thread:
>
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00357.html
>


Indeed. There are some minor errata as well, like the use of the "-t" flag
with Solaris' version of the mount command:

bash-3.2# mount -t nfs -o sec=krb5 172.16.107.102:/data/centos-repo /remote/
mount: illegal option -- t

"-F" works.


I've adjusted the steps I've used to include the changes you mentioned in
https://fedorahosted.org/freeipa/ticket/3731; attached is a step-by-step
listing of the process with my output up to step 9, where mounting NFS
fails.
Hopefully by a process of iteration I can document the updated process for
configuring Solaris 10 clients.

Here is what I'm seeing at step 9 (referencing the old Fedora 18 docs with
adjusted steps):


h) Mount the NFS share. [FAILS]
---
bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo /remote/
nfs mount: mount: /remote: Permission denied
bash-3.2#
---
/var/log/krbkdc.Log entries:
---
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
---

However DNS forward and reverse records DO seem to resolve:
---
[root at kwtpocipa001 ~]# host 172.16.107.107
107.107.16.172.in-addr.arpa domain name pointer kwtpocipasol10u11.orion.local.
[root at kwtpocipa001 ~]# host kwtpocipasol10u11.orion.local
kwtpocipasol10u11.orion.local has address 172.16.107.107
---


And we can kinit and get a ticket:


---
bash-3.2# kinit admin at ORION.LOCAL
Password for admin at ORION.LOCAL:
bash-3.2#
bash-3.2#
bash-3.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at ORION.LOCAL
Valid starting                Expires                Service principal
09/25/14 18:31:49  09/25/14 19:31:49  krbtgt/ORION.LOCAL at ORION.LOCAL
        renew until 10/02/14 18:31:49
bash-3.2#
---


Regards,
Traiano
>
> Martin
>
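
Martin's point about the proxyagent entry hinges on LDIF syntax: "attr: value" is a literal string, while "attr:: value" must be valid base64, and the guide's value is 63 characters long, which is not a multiple of 4, so ldapadd rejects line 6. The following is an added example, not code from the thread or from FreeIPA: it unfolds and validates the attribute lines of an LDIF entry (reconstructed here from the lines quoted above) and shows what the single-colon workaround stores instead.

```python
import base64
import binascii
import re

# The proxyagent entry as given in the Fedora 18 guide, constructed here
# from the lines quoted in the thread (the base64 value is the guide's).
GUIDE_ENTRY = """\
dn: cn=proxyagent,ou=profile,dc=orion,dc=local
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
"""

# RFC 2849: "attr: value" is a literal string, "attr:: value" is base64.
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?) ?(.*)$")


def unfold(text):
    """Return (line_no, logical_line) pairs, joining LDIF continuation lines
    (a leading space) onto their predecessor while keeping the first line's number."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith(" ") and out:
            out[-1] = (out[-1][0], out[-1][1] + line[1:])
        else:
            out.append((n, line))
    return out


def parse_attr(line):
    """Return (attr, value_bytes, error); error is None when the line is valid."""
    m = _ATTR_LINE.match(line)
    if not m:
        return None, None, "not an attribute line"
    attr, sep, raw = m.groups()
    if sep == ":":                      # literal value, stored exactly as typed
        return attr, raw.encode("utf-8"), None
    if len(raw) % 4:                    # base64 must come in 4-character groups
        return attr, None, (f"base64 text is {len(raw)} chars, not a multiple "
                            "of 4 (truncated value or missing '=' padding)")
    try:
        return attr, base64.b64decode(raw, validate=True), None
    except binascii.Error as exc:
        return attr, None, f"invalid base64: {exc}"


def check_entry(text):
    """Return [(line_no, attr, error)] for each line ldapadd would reject."""
    problems = []
    for n, line in unfold(text):
        if not line or line.startswith("#"):
            continue
        attr, _, err = parse_attr(line)
        if err:
            problems.append((n, attr, err))
    return problems


def stored_values(text, attr_name):
    """The values a directory server would receive for attr_name, as written."""
    return [value for _, line in unfold(text)
            for attr, value, err in [parse_attr(line)]
            if err is None and attr.lower() == attr_name.lower()]


if __name__ == "__main__":
    print(check_entry(GUIDE_ENTRY))                       # line 6 rejected
    workaround = GUIDE_ENTRY.replace("userPassword::", "userPassword:")
    print(check_entry(workaround))                        # accepted ...
    print(stored_values(workaround, "userPassword"))      # ... but the password is now the 63-char text itself
    print(stored_values(GUIDE_ENTRY.replace("PQ=\n", "PQ==\n"), "userPassword"))  # what the guide meant: an {SSHA} hash
```

With the missing "=" restored the value decodes to a pre-hashed {SSHA} password; Martin's fix sidesteps the encoding entirely by supplying the clear-text password on a single-colon line.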
-------------- next part --------------
1. Initialise:

ldapclient -v init -a profileName=default kwtpocipa001.orion.local

---
bash-3.2# ldapclient -v init -a profileName=default kwtpocipa001.orion.local
Parsing profileName=default
Arguments parsed:
        profileName: default
        defaultServerList: kwtpocipa001.orion.local
Handling init option
About to configure machine by downloading a profile
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "orion.local"
file_backup: stat(/var/yp/binding/orion.local)=-1
file_backup: No /var/yp/binding/orion.local directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname orion.local... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
---


2. Create a Solaris profile in the FreeIPA Directory Server

Optional:

---
ldapmodify -h 172.16.107.102 -p 389 -D "cn=directory manager" -w Cr4ckM0nk3y -f modprofile.ldif 

LDIF as follows:

dn: cn=default,ou=profile,dc=orion,dc=local
changetype: modify
replace: defaultServerList
defaultServerList: kwtpocipa001.orion.local
---

3. Create the cn=proxyagent account in the FreeIPA Directory Server instance. 

Example output:

---
dn: fqdn=kwtpocipasol10u11.orion.local,cn=computers,cn=accounts,dc=orion,dc=local
cn: kwtpocipasol10u11.orion.local
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
fqdn: kwtpocipasol10u11.orion.local
managedBy: fqdn=kwtpocipasol10u11.orion.local,cn=computers,cn=accounts,dc=orion,dc=local
krbPrincipalName: host/kwtpocipasol10u11.orion.local at ORION.LOCAL
serverHostName: kwtpocipasol10u11
ipaUniqueID: b9911b94-434a-11e4-9966-0050569c5510
---


4. Add the host to the IPA server and request a keytab for the host:

 ipa host-add kwtpocipasol10u11.orion.local 

 [root at kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p host/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.orion.local.keytab
 Keytab successfully retrieved and stored in: /tmp/kwtpocipasol10u11.orion.local.keytab


5. On the FreeIPA server, use the certutil command to create cert8.db and key3.db databases. 
 
Example  output:

---
[root at kwtpocipa001 ~]#  certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[root at kwtpocipa001 ~]#
---

NOTE: The password is left blank in the dialogue above.

SCP the cert files to the solaris client:

---
scp cert8.db root at kwtpocipasol10u11.orion.local:/var/ldap/
scp key3.db root at kwtpocipasol10u11.orion.local:/var/ldap/
---


5. Remove the ldap option from all entries in /etc/nsswitch.conf except for
the passwd, group, shadow, netgroup, and sudoers entries. 

---
bash-3.2# grep "ldap" /etc/nsswitch.conf| grep -v "^#"
passwd:     files ldap
group:      files ldap
shadow:     files ldap
sudoers:    files ldap
netgroup:   ldap
---

6. Configure and enable NTP and synchronize the time between the client and the FreeIPA server. 
 

Example output:


---
[root at kwtpocipa001 ~]#  ntpdate 172.16.100.13
25 Sep 15:50:51 ntpdate[13751]: the NTP socket is in use, exiting
[root at kwtpocipa001 ~]#
[root at kwtpocipa001 ~]# date
Thu Sep 25 15:50:56 AST 2014
[root at kwtpocipa001 ~]#
.
.
.
bash-3.2# ntpdate 172.16.100.13
25 Sep 15:50:35 ntpdate[989]: step time server 172.16.100.13 offset 0.843696
sec
bash-3.2# date
Thu Sep 25 15:50:42 AST 2014
---

7. Configure the Kerberos client. The Kerberos configuration includes specifying the realm and domain details and default ticket attributes 

bash-3.2# cat /etc/krb5/krb5.conf

---
[libdefaults]
default_realm = ORION.LOCAL
verify_ap_req_nofail = false

[realms]
ORION.LOCAL = {
kdc = kwtpocipa001.orion.local
admin_server = kwtpocipa001.orion.local
}

[domain_realm]
orion.local = ORION.LOCAL
.orion.local = ORION.LOCAL

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
---


8. Configure PAM to use Kerberos authentication. For example: 

bash-3.2# grep -v "^#" /etc/pam.conf

---
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.3
login   auth sufficient         pam_krb5.so.1 try_first_pass debug
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1 debug

ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1 debug

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1

login   auth sufficient         pam_krb5.so.1 try_first_pass debug

other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

cron    account required        pam_unix_account.so.1

other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1 debug
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1 debug
other   password required       pam_authtok_store.so.1
---


9. Configure NFS to work with the Kerberos domain 


 a) ipa service-add nfs/kwtpocipasol10u11.orion.local
 b) Verify that the pkcs11_softtoken_extra.so provider has been installed and enabled for AES256 support:

    solarishost $ cryptoadm list

    If pkcs11_softtoken_extra.so is missing, use the "-e" option with ipa-getkeytab
    to limit the encryption type to aes128, or install and enable the provider.
    See the Solaris documentation for details.

 b) ipa-getkeytab -s kwtpocipasol10u11.orion.local -p nfs/kwtpocipasol10u11.orion.local -k /tmp/krb5.keytab -e aes128 
 
  (alternatively: ipa-getkeytab -s kwtpocipasol10u11.orion.local -p nfs/kwtpocipasol10u11.orion.local -k /tmp/krb5.keytab -e des-cbc-crc, if this is supported)
   [lame workaround for when none of the encryption types seem to be supported]:

	 ipa-getkeytab -s `hostname` -p nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.orion.local.keytab 


   Checking what encryption types are supported on the client side:

  ---
 bash-3.2# cryptoadm list
 
 User-level providers:
 Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
 Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so
 
 Kernel software providers:
        des
        aes256
        arcfour2048
        blowfish448
        sha1
        sha2
        md5
        rsa
        swrand
 
 Kernel hardware providers:
 bash-3.2#
 ---


 c) scp cert8.db and key3.db to the client


 d) On the FreeIPA client, use the ktutil command to import the contents into the main host keytab

 ---
 bash-3.2# ktutil
 ktutil:  read_kt /tmp/kwtpocipasol10u11.orion.local.keytab
 ktutil:  write_kt /etc/krb5/krb5.keytab
 ktutil:  q
 ---

 e) Verify that the NFS service Keytab was created:


---
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp               Principal
---- ----------------- ---------------------------------------------------------
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (Triple DES cbc mode with HMAC/sha1)
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (ArcFour with HMAC/md5)
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 25)
   1 09/25/14 17:58:55 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 26)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (Triple DES cbc mode with HMAC/sha1)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (ArcFour with HMAC/md5)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 25)
   1 09/25/14 18:16:24 host/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 26)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (Triple DES cbc mode with HMAC/sha1)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (ArcFour with HMAC/md5)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 25)
   4 09/25/14 18:16:24 nfs/kwtpocipasol10u11.orion.local at ORION.LOCAL (unsupported encryption type 26)

---


f) Verify that the NFS server is accessible:  

---
bash-3.2#
bash-3.2# showmount -e kwtpocipa001.orion.local
export list for kwtpocipa001.orion.local:
/data/centos-repo 172.16.0.0/16
bash-3.2#
---

g) Make sure that this line is uncommented in the /etc/nfssec.conf file

 krb5	390003	kerberos_v5	default -	# RPCSEC_GSS

---
bash-3.2# grep krb5   /etc/nfssec.conf
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
---

h) Mount the NFS share. [FAILS]  

---
bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo /remote/
nfs mount: mount: /remote: Permission denied
bash-3.2#
---

/var/log/krbkdc.Log entries:

---
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0, admin at ORION.LOCAL for <unknown server>, Server not found in Kerberos database
---


However DNS forward and reverse records DO seem to resolve:

---
[root at kwtpocipa001 ~]# host 172.16.107.107
107.107.16.172.in-addr.arpa domain name pointer kwtpocipasol10u11.orion.local.
[root at kwtpocipa001 ~]# host kwtpocipasol10u11.orion.local
kwtpocipasol10u11.orion.local has address 172.16.107.107
[root at kwtpocipa001 ~]#
---
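
The krb5kdc lines in step 9 h) and in the original post are easier to read once the etype numbers are decoded and the two distinct failures are separated: CLIENT_NOT_FOUND for root/<host> (a principal IPA never created), and LOOKING_UP_SERVER for <unknown server> immediately after "Cannot determine realm for numeric host address". This is an added example, not code from the thread or from FreeIPA: it parses MIT krb5kdc log lines of the format shown, maps etype numbers to names, and flags both patterns over sample lines constructed from the page. Reading the numeric-realm error followed by an unknown-server TGS_REQ as a service ticket requested by IP address (which is what mounting 172.16.107.102 with sec=krb5 asks for) is this example's own heuristic.

```python
import re

# Constructed from the krb5kdc lines quoted in the thread, with "@" restored
# where the list archive rewrote it as " at " (MIT prints two spaces after
# "authtime 0," on a failed TGS_REQ, where the issued etypes would go).
SAMPLE_LOG = """\
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2371](info): AS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: NEEDED_PREAUTH: host/kwtpocipasol10u11.orion.local@ORION.LOCAL for krbtgt/ORION.LOCAL@ORION.LOCAL, Additional pre-authentication required
Sep 24 13:48:18 kwtpocipa001.orion.local krb5kdc[2373](info): AS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: CLIENT_NOT_FOUND: root/kwtpocipasol10u11.orion.local@ORION.LOCAL for krbtgt/ORION.LOCAL@ORION.LOCAL, Client not found in Kerberos database
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: LOOKING_UP_SERVER: authtime 0,  admin@ORION.LOCAL for <unknown server>, Server not found in Kerberos database
"""

# Kerberos etype numbers (IANA registry) that appear in this thread -> names.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
# Single DES (RFC 6649) and RC4 / triple DES (RFC 8429) are deprecated.
DEPRECATED_ETYPES = {1, 2, 3, 16, 23}

NUMERIC_REALM = "Cannot determine realm for numeric host address"
_REQ = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): (?:authtime \d+, *)?"
    r"(?P<client>\S+) for (?P<server>.+?), (?P<msg>.*)$"
)


def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line into a dict; None for any other message."""
    m = _REQ.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["etypes"] = [int(x) for x in ev["etypes"].split()]
    return ev


def etype_report(etypes):
    """Names for the etypes a client offered, plus the deprecated ones among them."""
    names = [ETYPE_NAMES.get(e, f"etype-{e}") for e in etypes]
    return names, [e for e in etypes if e in DEPRECATED_ETYPES]


def triage(log_text):
    """Return (finding, principal) pairs for the failure patterns seen in the thread."""
    findings = []
    numeric_realm_pending = False
    for line in log_text.splitlines():
        if NUMERIC_REALM in line:
            # The KDC tried to find a referral realm for a host-based service
            # whose host part is an IP address; the next TGS_REQ line names the requester.
            numeric_realm_pending = True
            continue
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        if ev["status"] == "CLIENT_NOT_FOUND":
            # Client principal not in the KDB: host not enrolled, or the wrong
            # principal (here root/<host>) is being tried.
            findings.append(("client_principal_missing", ev["client"]))
        elif ev["status"] == "LOOKING_UP_SERVER" and ev["server"] == "<unknown server>":
            # Heuristic (this example's, not MIT's): a numeric-realm error right
            # before this line means the service was requested by IP, e.g.
            # nfs/172.16.107.102, which no KDB entry or keytab can match.
            kind = "service_requested_by_ip" if numeric_realm_pending else "service_principal_missing"
            findings.append((kind, ev["client"]))
        numeric_realm_pending = False
    return findings
```

Run against a real /var/log/krb5kdc.log the same way; etype_report on the AS_REQ line also makes visible that the Solaris client still offers single DES and RC4, which the KDC refused to issue keys for in step 9.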


