<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 04/12/2013 03:35 PM, Natxo Asenjo wrote:
<blockquote
cite="mid:CAHBEJzXbW9sZ+JxO8w-v1X1fikBPYXboL_tM_63344hjEp8suQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>hi,<br>
<br>
</div>
apparently what I am trying to do is not very
usual because I do not get any answer on the
omnios (opensolaris derivative) mailing list.<br>
<br>
</div>
I have successfully joined a host to the ipa
domain, I can log in the omnios host as an ipa
user, getent works, kerberos works (thanks to
Johan Petersson in this thread: <a
moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html">https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html</a>)
<br>
<br>
</div>
But when configuring nfs with krb5(i/p) security I
get an error:<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I am completely unaware of how zfs works but...<br>
<blockquote
cite="mid:CAHBEJzXbW9sZ+JxO8w-v1X1fikBPYXboL_tM_63344hjEp8suQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div><br>
# zfs set sharenfs=sec=krb5 rpool/export/home<br>
cannot set property for 'rpool/export/home':
'sharenfs' cannot be set to invalid options<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
That looks like a syntax error. <br>
It seems like krb5 is an invalid option. Maybe something needs to
be restarted after you changed the config file?<br>
<br>
<br>
<blockquote
cite="mid:CAHBEJzXbW9sZ+JxO8w-v1X1fikBPYXboL_tM_63344hjEp8suQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<br>
# share -F nfs -o sec=krb5 -d "homedirs"
/export/home/
<div class="im">Could not share: /export/home:
invalid security type</div>
<br>
</div>
The omnios host has a keytab with both host and nfs
principals:<br>
<br>
# klist -k -e
<div class="im"><br>
Keytab name: <a class="moz-txt-link-freetext" href="FILE:/etc/krb5/krb5.keytab">FILE:/etc/krb5/krb5.keytab</a><br>
KVNO Principal<br>
----
--------------------------------------------------------------------------<br>
</div>
1 <a class="moz-txt-link-abbreviated" href="mailto:nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(AES-256 CTS mode with 96-bit SHA-1 HMAC) <br>
1 <a class="moz-txt-link-abbreviated" href="mailto:nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(AES-128 CTS mode with 96-bit SHA-1 HMAC) <br>
1 <a class="moz-txt-link-abbreviated" href="mailto:nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(Triple DES cbc mode with HMAC/sha1) <br>
1 <a class="moz-txt-link-abbreviated" href="mailto:nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(ArcFour with HMAC/md5) <br>
2 <a class="moz-txt-link-abbreviated" href="mailto:host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(AES-256 CTS mode with 96-bit SHA-1 HMAC) <br>
2 <a class="moz-txt-link-abbreviated" href="mailto:host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(AES-128 CTS mode with 96-bit SHA-1 HMAC) <br>
2 <a class="moz-txt-link-abbreviated" href="mailto:host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(Triple DES cbc mode with HMAC/sha1) <br>
2 <a class="moz-txt-link-abbreviated" href="mailto:host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a>
(ArcFour with HMAC/md5)<br>
<br>
</div>
I can kinit with both principals:<br>
<br>
root@testomnios:~# kinit -k<br>
root@testomnios:~# klist <br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_0">FILE:/tmp/krb5cc_0</a><br>
Default principal:
<a class="moz-txt-link-abbreviated" href="mailto:host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a><br>
<br>
Valid starting Expires
Service principal<br>
04/12/13 11:56:07 04/13/13 11:56:07
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX">krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX</a><br>
renew until 04/19/13 11:56:07<br>
root@testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx<br>
root@testomnios:~# klist<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_0">FILE:/tmp/krb5cc_0</a><br>
Default principal:
<a class="moz-txt-link-abbreviated" href="mailto:nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX">nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX</a><br>
<br>
Valid starting Expires
Service principal<br>
04/12/13 11:56:28 04/13/13 11:56:28
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX">krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX</a><br>
renew until 04/19/13 11:56:28<br>
<br>
</div>
so the keytab is correct<br>
<br>
</div>
I have edited /etc/nfssec.conf and removed the comments for
the krb5 lines.<br>
<br>
</div>
According to all my google-fu it should work, but it does not.
Any tips greatly appreciated.<br>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>--<br>
Groeten,<br>
natxo</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
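Added example, not part of this thread and not code from FreeIPA, OmniOS or illumos: a shell pre-flight check for the configuration a Kerberos NFS share on an illumos-derived host depends on. It assumes the illumos layouts of /etc/nfssec.conf (columns name, number, mechanism, qop, flags) and /etc/gss/mech (mechanism name, OID, library, kernel module), embeds constructed copies of both so it runs offline, and uses the `klist -k -e` entries from the post above as a constructed keytab listing. It does not claim to explain the "invalid security type" error; it only verifies, from files alone, that the requested sec= mode is an active nfssec.conf entry, that its mechanism is listed in gss/mech, and that an nfs/ service key exists, and it lists keytab entries with legacy enctypes (RC4, DES, 3DES) that a current deployment would not keep.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-flight checks for
# sharing NFS with sec=krb5, krb5i or krb5p on an illumos/OmniOS host.
# The three inputs below are constructed samples standing in for
# /etc/nfssec.conf, /etc/gss/mech and the output of 'klist -k -e'.

# Constructed nfssec.conf: columns are name, number, mechanism, qop, flags.
# krb5 and krb5i are uncommented here, krb5p is still commented out.
NFSSEC_CONF='#name   number  mechanism     qop      flags
none    0       -             -        # AUTH_NONE
sys     1       -             -        default
dh      3       -             -        # AUTH_DH
krb5    390003  kerberos_v5   default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5   default  integrity  # RPCSEC_GSS
#krb5p  390005  kerberos_v5   default  privacy    # RPCSEC_GSS'

# Constructed /etc/gss/mech: mechanism name, OID, library, kernel module.
GSS_MECH='# name        OID                    library          kernel module
kerberos_v5   1.2.840.113554.1.2.2   gl/mech_krb5.so  gl_kmech_krb5'

# Constructed "klist -k -e" output using the principals shown in the post.
KLIST_OUT='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   1 nfs/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (ArcFour with HMAC/md5)
   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   2 host/testomnios.ipa.asenjo.nx@IPA.ASENJO.NX (ArcFour with HMAC/md5)'

# Print the GSS mechanism configured for NFS security mode $2 (krb5, krb5i
# or krb5p) in nfssec.conf text $1; fail if the mode is absent or commented.
nfssec_mechanism() {
    printf '%s\n' "$1" | awk -v mode="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == mode { print $3; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# Succeed if mechanism $2 has an active (uncommented) entry in gss/mech text $1.
gss_mech_present() {
    printf '%s\n' "$1" | awk -v mech="$2" '
        /^[[:space:]]*#/ { next }
        $1 == mech { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Succeed if principal $2 appears in the "KVNO Principal" table $1.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        $1 ~ /^[0-9]+$/ && $2 == princ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print keytab entries whose key uses RC4 (ArcFour), DES or 3DES. While such
# keys exist, a KDC whose policy still permits those enctypes can issue
# service tickets under them; a current deployment keeps only AES keys.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /ArcFour|DES/'
}

# Everything a "share -F nfs -o sec=<mode>" needs that can be checked from
# configuration alone. Arguments: mode, host FQDN, Kerberos realm.
# Return codes: 0 ok, 1 mode not active, 2 mechanism missing, 3 no nfs key.
nfs_krb5_preflight() {
    pf_mode=$1 pf_fqdn=$2 pf_realm=$3
    pf_mech=$(nfssec_mechanism "$NFSSEC_CONF" "$pf_mode") || {
        echo "FAIL: '$pf_mode' has no active line in /etc/nfssec.conf"; return 1; }
    gss_mech_present "$GSS_MECH" "$pf_mech" || {
        echo "FAIL: mechanism '$pf_mech' is not listed in /etc/gss/mech"; return 2; }
    keytab_has_principal "$KLIST_OUT" "nfs/$pf_fqdn@$pf_realm" || {
        echo "FAIL: keytab lacks nfs/$pf_fqdn@$pf_realm"; return 3; }
    echo "OK: sec=$pf_mode via $pf_mech; nfs/$pf_fqdn@$pf_realm is in the keytab"
}

# Usage with the constructed inputs: krb5 passes, krb5p is still commented out.
nfs_krb5_preflight krb5  testomnios.ipa.asenjo.nx IPA.ASENJO.NX
nfs_krb5_preflight krb5p testomnios.ipa.asenjo.nx IPA.ASENJO.NX
echo "keytab entries with legacy enctypes:"
keytab_weak_enctypes "$KLIST_OUT"
```

To run it against a real host, replace the three constructed variables with `$(cat /etc/nfssec.conf)`, `$(cat /etc/gss/mech)` and `$(klist -k -e)`; the checks themselves do not change. The weak-enctype list is informational only: removing those keys is a KDC-side policy decision (FreeIPA's permitted enctypes), not something to edit in the keytab by hand.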
</body>
</html>