[Freeipa-users] insecure IPA'd NFS
Steven Jones
Steven.Jones at vuw.ac.nz
Thu May 10 21:40:33 UTC 2012
Hi,
Pretty sure I followed the RH 6.3beta doc exactly...it all worked until I found that non-IPA'd clients could also connect....so if I put sys: back it should be fine....so it's the Kerberos bit or export options.
I have raised a case with RH support for help and also the IPA NFS will need updating if something is missing....thanks.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Chris Evich [cevich at redhat.com]
Sent: Friday, 11 May 2012 1:37 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS
On 05/09/2012 08:47 PM, Steven Jones wrote:
> Removed the sys: and now no IPA'd client can mount.....oh joy....
Hehe, this is typical (and frustrating) for fresh NFS+Kerberos setups.
It's very easy to miss a little detail and not get much back as to why
it's not working. I'd suggest going through the setup step-by-step
again to see what's missing.
Do both client and server have valid nfs/<fqdn>@DOMAIN keys in
/etc/krb5.keytab?
Is /etc/krb5.keytab accessible (i.e. no SELinux problems)?
Is port 2049 open on the firewall?
What's the state of rpc.svcgssd process on server and rpc.gssd process
on client?
Can you manually mount the export on the server?
What shows in krb5kdc.log when trying to manually mount on client?
If none of those localize the problem area further, you can go down the
road of bumping the rpc debug levels on both sides to see where the
issue is.
Hope that helps.
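
The symptom in this thread (non-IPA'd clients can mount while sys is among the export's security flavors) can be checked for directly in the exports file. The following is an added example, not part of the original messages or of FreeIPA: a small Python audit that lists every export entry still accepting AUTH_SYS, either because its sec= list names sys or because it has no sec= option at all, in which case exports(5) defaults to sys. The sample paths and host names are constructed.

```python
# Constructed sample in exports(5) format; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# constructed example
/export/home   *.example.com(rw,sec=sys:krb5:krb5i:krb5p)
/export/data   *.example.com(rw,sec=krb5:krb5i:krb5p)
/export/legacy 192.0.2.0/24(rw,sync)
/export/mixed  -sec=krb5p ipa1.example.com(rw) *(ro,sec=sys)
"""


def sec_flavors(options):
    """Return every flavor named by sec= in a comma-separated option string."""
    flavors = []
    for opt in options.split(","):
        if opt.startswith("sec="):
            flavors.extend(opt[4:].split(":"))
    return flavors


def audit_exports(text):
    """Return (path, client, reason) for each export entry that accepts AUTH_SYS.

    Line continuations and quoted paths are not handled in this sketch.
    """
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on blanks
        if not fields:
            continue
        path, defaults = fields[0], ""
        for tok in fields[1:] or [""]:             # a bare path exports to everyone
            if tok.startswith("-"):                # "-opts" sets defaults for later clients
                defaults = tok[1:]
                continue
            client, _, opts = tok.partition("(")
            # Assumption: a per-client sec= replaces the line's default sec=.
            flavors = sec_flavors(opts.rstrip(")")) or sec_flavors(defaults)
            if not flavors:
                findings.append((path, client or "*", "no sec= option, defaults to sys"))
            elif "sys" in flavors:
                findings.append((path, client or "*", "sec= list includes sys"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}\t{client}\t{reason}")
```

Any entry this reports can be mounted without a Kerberos ticket by a host that matches the client pattern, so a krb5-only export should produce no output.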