[Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

Sigbjorn Lie sigbjorn at nixtra.com
Fri Apr 12 21:30:18 UTC 2013


Your syntax seems correct, but you need to quote the value.

Natxo Asenjo <natxo.asenjo at gmail.com> wrote:

>hi,
>
>apparently what I am trying to do is not very usual because I do not get
>any answer on the omnios (opensolaris derivative) mailing list.
>
>I have successfully joined a host to the ipa domain, I can log in the
>omnios host as an ipa user, getent works, kerberos works (thanks to Johan
>Petersson in this thread:
>https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)
>
>But when configuring nfs with krb5(i/p) security I get an error:
>
># zfs set sharenfs=sec=krb5 rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options
>
># share -F nfs -o sec=krb5 -d "homedirs" /export/home/
>Could not share: /export/home: invalid security type
>
>The omnios host has a keytab with both host and nfs principals:
>
># klist -k -e
>
>Keytab name: FILE:/etc/krb5/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
>   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (ArcFour with HMAC/md5)
>   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
>   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (ArcFour with HMAC/md5)
>
>I can kinit with both principals:
>
>root@testomnios:~# kinit -k
>root@testomnios:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX
>
>Valid starting                Expires                Service principal
>04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
>        renew until 04/19/13 11:56:07
>root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
>root@testomnios:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX
>
>Valid starting                Expires                Service principal
>04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
>        renew until 04/19/13 11:56:28
>
>so the keytab is correct
>
>I have edited /etc/nfssec.conf and removed the comments for the krb5 lines.
>
>According to all my google-fu it should work, but it does not. Any tips
>greatly appreciated.
>.
>--
>Groeten,
>natxo
>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.