[Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

Natxo Asenjo natxo.asenjo at gmail.com
Fri Apr 12 19:35:49 UTC 2013


Hi,

Apparently what I am trying to do is not very usual, because I do not get
any answer on the OmniOS (OpenSolaris derivative) mailing list.

I have successfully joined a host to the IPA domain, I can log in to the
OmniOS host as an IPA user, getent works, Kerberos works (thanks to Johan
Petersson in this thread:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)

But when configuring NFS with krb5(i/p) security I get an error:

# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# share -F nfs -o sec=krb5 -d "homedirs" /export/home/
Could not share: /export/home: invalid security type

The OmniOS host has a keytab with both host and nfs principals:

# klist -k -e

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)

I can kinit with both principals:

root at testomnios:~# kinit -k
root at testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX

Valid starting                Expires                Service principal
04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX
        renew until 04/19/13 11:56:07
root at testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
root at testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX

Valid starting                Expires                Service principal
04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX
        renew until 04/19/13 11:56:28

So the keytab is correct.

I have edited /etc/nfssec.conf and removed the comments for the krb5 lines.

According to all my google-fu it should work, but it does not. Any tips
greatly appreciated.
--
Groeten,
natxo