[Linux-cluster] nfs4 kerberos

Daniel R. Gore danielgore at yaktech.com
Thu Apr 7 00:23:37 UTC 2011


Ian,

Thanks for the info.  

My cluster is only a two node cluster.  I have NFSv4 with Kerberos
working on both nodes separately.  I went and created a virtual IP on
each node with the same IP to accommodate the floating IP.  I associated
the virtual IP with a new DNS name (fserv) and ensured forward and
reverse look-up works.  I created Kerberos host and nfs principals for
fserv and added the associated keys to /etc/krb5.keytab on each node.

Unfortunately, it still does not work and I am sure one of the reasons
is because the "uname -n" comes up as the node name and not fserv.

I also suspect that the nfs service that gets started through Redhat's
HA service does not use the /etc/exports file on the nodes.

How did you manage to change the node's name when the nfs server was
started?  What worries me about that is then other services will likely
fail.

Any guidance is appreciated.

Thanks.

Dan

On Wed, 2011-04-06 at 16:14 -0700, Ian Hayes wrote:
> I've done some work on clustering NFSv4 using Kerberos at a previous
> job.... I probably did this completely wrong, but I did get it
> working. The big gotcha that I had was that all cluster members need
> the same keytab for the NFS service. I also had to have the active
> node change its hostname to match the keytab before it started up NFS.
> There is the usual NFS4-specific stuff you need to do
> like /etc/exports and building the pseudo filesystem. I did a few bind
> mounts to get everything under the pseudo-fs. Obviously I'm assuming
> that you have NFS4 working on a single-node environment and therefore
> know what to do to get that working (i.e., keytabs for the clients).
> 
> The cluster I had built was hosting NFS4 and Samba, with a shared GFS
> filesystem on an iSCSI backend. It ran pretty decent for secondhand
> test equipment. I was actually able to benchmark the GFS performance
> while I tuned the GFS with a little script that wrote out randomly
> sized files.
> 
> I did some extensive build documentation of how to build a Kerberized
> NFS4 cluster, but I doubt my old employer would be willing to release
> them. But like Henry Jones, Sr., I wrote them down so I wouldn't have
> to remember them.
> 
> On Wed, Apr 6, 2011 at 3:42 PM, Daniel R. Gore
> <danielgore at yaktech.com> wrote:
>         I am trying to get Kerberos authenticated highly available NFS
>         service
>         running.  I have looked at the cookbook, but it does not cover
>         this.
>         
>         Any ideas?
>         
>         Thank you
>         
>         Dan
>         
>         
>         --
>         This message has been scanned for viruses and
>         dangerous content by MailScanner, and is
>         believed to be clean.
>         
>         --
>         Linux-cluster mailing list
>         Linux-cluster at redhat.com
>         https://www.redhat.com/mailman/listinfo/linux-cluster
> 
> 







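A check for the "all cluster members need the same keytab for the NFS service" point in the quoted reply, as an added example that is not part of the original messages: it compares saved `klist -ke /etc/krb5.keytab` output from two nodes for the floating-name principals. Only the name fserv comes from the thread; node1, node2, example.com and EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the keys two cluster nodes hold for the floating-name principals.
# Input: output of `klist -ke /etc/krb5.keytab` saved on each node.
# Names below (node1, node2, example.com, EXAMPLE.COM) are constructed placeholders.

# Print sorted "kvno enctype" lines for one principal from saved klist -ke output.
keys_for() {  # $1 = klist output file, $2 = full principal name
    awk -v p="$2" '$2 == p { k = $1; $1 = $2 = ""; gsub(/^ +| +$/, ""); print k, $0 }' "$1" | sort
}

# 0 = same kvno/enctype set on both nodes, 1 = sets differ, 2 = missing on a node.
# Matching kvno/enctype is necessary, not proof that the key bytes are identical.
same_keys() {  # $1 = node A file, $2 = node B file, $3 = principal
    a=$(keys_for "$1" "$3")
    b=$(keys_for "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING  $3"; return 2
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH $3"; return 1
    fi
    echo "OK       $3"; return 0
}

# Constructed sample captures. Node 2's nfs key has a higher kvno, which is what
# happens when MIT `kadmin ktadd` is run once per node: by default each run sets
# a new random key and bumps the kvno, invalidating the keytab extracted earlier.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/node1.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
cat > "$SAMPLES/node2.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/node2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 nfs/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF

for princ in host/fserv.example.com@EXAMPLE.COM nfs/fserv.example.com@EXAMPLE.COM; do
    same_keys "$SAMPLES/node1.txt" "$SAMPLES/node2.txt" "$princ" || :
done
```

On a MISMATCH, extract the service key once and copy that one keytab entry to every node over a protected channel, rather than extracting it separately on each node.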