[Freeipa-users] IPA and NFS

yi zhang yzhang at redhat.com
Tue Feb 7 15:46:03 UTC 2012


On 02/07/2012 06:33 AM, Ondrej Valousek wrote:
> Enable debugging on the rpc.gssd and rpc.svcgssd daemons and paste the output
Notes from my previous troubleshooting:
1. The configuration file for NFS mounts is /etc/sysconfig/nfs.
2. Make the following changes to the /etc/sysconfig/nfs file:
   (1) uncomment the line: SECURE_NFS="yes"
   (2) add the debug flag for rpc gss: RPCGSSDARGS="-vvv"

In short, your /etc/sysconfig/nfs file should have the following block:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS="-vvv"

3. Finally, if you are using RHEL 5.7, you should specify the NFS version
when you mount; the mount command should look something like:
mount -t nfs4 -o sec=krb5 ipaserver:/ /mylocalmountpoint

--- 2 things you might want to pay attention to here ---
(1) For -o sec=xxx: "xxx" here depends on your NFS server
configuration, specifically your /etc/exports file; if you have krb5p,
then you should use -o sec=krb5p.
(2) When the krb5 protocol is used, regardless of what directory you have
in the /etc/exports file, you always (and only) use "/", not your actual
directory name.

Good luck!

Yi Zhang
>
> Ondrej
>
> On 02/07/2012 01:11 PM, Westerlund Johnny wrote:
>> Hey all.
>>
>> I've been trying to set up kerberized NFS with IPA running on RHEL6.2 and NFS running on RHEL5.7.
>> The documentation states that if you are using an older kernel (like the one in RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure you specify -e des-cbc-crc
>> when exporting your keytab from the IPA server. However things are not working out.
>>
>> I do manage to export a des-cbc-crc key, but when trying to mount the NFS share from an IPA client on RHEL 6.2 it doesn't work.
>> I have put allow_weak_crypto = yes in the libdefaults section of my krb5.conf on all machines in the domain. And I've tried changing my password after that. But it still doesn't work.
>> I'm unsure what to expect, but if I do a klist -e I don't see any des-cbc-crc key in my keytab as the user I logged in as.
>>
>> If I move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works just fine, but then I'm unable to mount the share from the RHEL5.7 client.
>> If I do a kinit user@MYREALM.BLA and check the klist -e I don't have any des-cbc keys. I only get the AES ones.
>>
>> I did find this thread about running RHEL5/RHEL6 clients, but with an AD Kerberos domain, so it's not the same problem, but they do get some of the same symptoms.
>> http://www.spinics.net/lists/linux-nfs/msg22188.html
>>
>> There they specify default_tgs_enctypes and default_tkt_enctypes to get it working.
>>
>> Anyone here know what's wrong or what I'm doing wrong?
>>
>> Regards
>> Johnny
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Yi Zhang                          |
| QA @ Mountain View, California    |
| Cell: 408-509-6375                |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
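
Added example, not part of the original message or of FreeIPA: shell functions that automate the checks the steps above do by hand, confirming that a sysconfig file turns on secure NFS with verbose gssd flags and listing which sec= flavors an exports file offers so the client's -o sec= can match. The function names are hypothetical; it assumes -v is the verbosity flag per rpc.gssd(8) and rpc.svcgssd(8), and the sec= and gss/krb5 forms of exports(5).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes -v is the verbosity flag of
# rpc.gssd(8)/rpc.svcgssd(8) and the exports(5) option syntax.

# sysconfig_value FILE KEY: print the value of the last uncommented KEY= line.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# gss_debug_ready FILE: succeed if secure NFS is on and both daemons get -v.
gss_debug_ready() {
    [ "$(sysconfig_value "$1" SECURE_NFS)" = "yes" ] || { echo "SECURE_NFS is not \"yes\""; return 1; }
    for key in RPCGSSDARGS RPCSVCGSSDARGS; do
        case "$(sysconfig_value "$1" "$key")" in
            -v*|*" -v"*) ;;
            *) echo "$key carries no -v flag"; return 1 ;;
        esac
    done
}

# export_flavors FILE PATH: print the security flavors offered for export PATH,
# one per line. Handles sec=a:b options and the older gss/krb5* client form.
export_flavors() {
    awk -v path="$2" '
        /^[ \t]*#/ || $1 != path { next }
        {
            n = 0
            for (i = 2; i <= NF; i++) {
                if (match($i, /^gss\/krb5[ip]?/)) { print substr($i, 5, RLENGTH - 4); n++ }
                if (match($i, /sec=[a-z0-9:]+/)) {
                    k = split(substr($i, RSTART + 4, RLENGTH - 4), f, ":")
                    for (j = 1; j <= k; j++) { print f[j]; n++ }
                }
            }
            if (n == 0) print "sys"   # exports(5) default when no flavor is given
        }' "$1"
}

# flavor_offered FILE PATH FLAVOR: succeed if "mount -o sec=FLAVOR" matches.
flavor_offered() {
    export_flavors "$1" "$2" | grep -qx "$3"
}
```

Source the file, then run `gss_debug_ready /etc/sysconfig/nfs` on each host and `flavor_offered /etc/exports <exported-dir> krb5p` on the server, where `<exported-dir>` is the directory as written in the exports file.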
