LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   NFSv4 with Kerberos 5 Authentication Troubleshooting (http://www.linuxquestions.org/questions/linux-networking-3/nfsv4-with-kerberos-5-authentication-troubleshooting-688779/)

rdibley 12-06-2008 02:27 PM

NFSv4 with Kerberos 5 Authentication Troubleshooting
 
I’ve been trying to set up NFSv4 with Kerberos 5 authentication for quite a while now, but I’m missing something because I can’t get it to work. I have searched the web and looked through various tutorials on the subject, but I can’t figure out what my mistake is. I’m all out of ideas. I’m sure I am missing something simple, and I am hoping that somebody out there will be able to spot my mistake. The server is running Debian Lenny (testing), and the client is running Ubuntu (Intrepid). The server name is fred and the client is named barney. I am running this on a LAN with a domain name of .home.

First, I have tried various tutorials, but I eventually followed this one since it was an example for Debian, and because it was the most straight forward:

http://www.freesoftwaremagazine.com/...on_the_network
http://www.freesoftwaremagazine.com/...s/securing_nfs

I have installed the ntpd package on both machines, and have verified that their clocks are within 1 second of each other.

I have verified that the DNS lookup is working:
Code:

fred:/etc# host fred
fred.home has address 10.1.1.2
fred:/etc# host 10.1.1.2
2.1.1.10.in-addr.arpa domain name pointer fred.home.
fred:/etc# host barney
barney.home has address 10.1.1.4
fred:/etc# host 10.1.1.4
4.1.1.10.in-addr.arpa domain name pointer barney.home.
fred:/etc# hostname --fqdn
fred.home

root@barney:/etc/default# host fred
fred.home has address 10.1.1.2
root@barney:/etc/default# host 10.1.1.2
2.1.1.10.in-addr.arpa domain name pointer fred.home.
root@barney:/etc/default# host barney
barney.home has address 10.1.1.4
root@barney:/etc/default# host 10.1.1.4
4.1.1.10.in-addr.arpa domain name pointer barney.home.
root@barney:/etc/default# hostname --fqdn
barney.home

So, each host is able to do both a forward and reverse DNS lookup to find itself and the other computer. The first discrepancy is that the tutorial says to ping localhost from the server. According to the tutorial, “ping localhost” should return:

Code:

64 bytes from host.example.com (127.0.0.1): icmp_seq=1...
In my case, I would get:

Code:

fred:/etc# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.063 ms

In the tutorial example, the ping result lists the machine name in the response. In my case, I see “localhost” instead. I don’t know if this is significant or not.

Server setup:
Installed packages:
krb5-admin-server
krb5-config
krb5-kdc
krb5-user
Created the Kerberos realm:
Code:

kdb5_util create -s
Created the ACL file: /etc/krb5kdc/kadm5.acl
Code:

*/admin *
chmod 644 kadm5.acl

Set the flag in /etc/default/krb5-admin-server
Code:

RUN_KADMIND=true
Restarted the Kerberos server:
Code:

/etc/init.d/krb5-kdc restart
/etc/init.d/krb5-admin-server restart

Created principal:
Code:

kadmin.local
addprinc root/admin@HOME

Created the /etc/krb5.conf file:
Code:

[libdefaults]
        default_realm = HOME
        kdc_timesync = 1
        forwardable = true
        proxiable = true

[realms]
        HOME = {
                kdc = fred.home
                admin_server = fred.home
        }

[domain_realm]
        .home = HOME
        home = HOME

[login]
        krb4_convert = false
        krb4_get_tickets = false

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

Created the principal on the server:
Code:

kadmin
addprinc -randkey nfs/fred.home@HOME
xst nfs/fred.home@HOME

I then confirmed that /etc/krb5.keytab was created

Installed NFS packages on the server:
nfs-kernel-server
nfs-common
Set the NFS default settings in /etc/default/nfs-kernel-server
Code:

NEED_SVCGSSD=yes
Set the NFS default settings in /etc/default/nfs-common
Code:

NEED_IDMAPD=yes
NEED_GSSD=yes

Edited the /etc/exports file:
Code:

/MountDir      gss/krb5i(rw,sync,subtree_check)
Restarted NFS server:
Code:

/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart

Made sure rpc.svcgssd is running on the server:
Code:

fred:/etc# ps -e | grep rpc.svcgssd
18382 ?        00:00:00 rpc.svcgssd

Client Setup:

Installed packages:
krb5-config
krb5-user
Used the same /etc/krb5.conf file as with the server (I’m not sure if this is something I really need to do, but I was grasping at anything here)

Created the principal on the client:
Code:

kadmin
addprinc -randkey nfs/barney.home@HOME
xst nfs/barney.home@HOME

I then confirmed that /etc/krb5.keytab was created

Installed the NFS package on the client:
nfs-common
Set the NFS default settings in /etc/default/nfs-common
Code:

NEED_IDMAPD=yes
NEED_GSSD=yes

Restarted NFS:
Code:

/etc/init.d/nfs-common restart
Made sure rpc.gssd is running on the client:
Code:

root@barney:/etc/init.d# ps -e | grep rpc.gssd
13983 ?        00:00:00 rpc.gssd

Added to the /etc/fstab:
Code:

                fred:/MountDir        /MountDir      nfs    rw,sec=krb5i,nfsvers=3  0      0
Testing it out:

I then tried to mount the share from the client:
Code:

root@barney:/etc# mount /MountDir
mount.nfs: access denied by server while mounting fred:/MountDir

I saw the following message in the /var/log/syslog:

Code:

Nov 22 16:13:21 fred mountd[15558]: mount request from unknown host 10.1.1.4 for /MountDir (/MountDir)
Those are the only messages I have ever seen. It is not very descriptive, and I haven’t found anything online that has given me any idea of what it means, nor do I know where to go to troubleshoot any further.

The only question that comes to mind is why on the syslog, the host is referred to by IP address instead of by name. Is it possible that the KDC is not doing a reverse DNS lookup of the hostname, and failing to authenticate because of that? How would I check that? Or is it something else entirely?

Maybe a last detail that might help is that I have no problem mounting the NFS share without Kerberos.

I would really appreciate any ideas or help.

Thanks!

crosmuller 08-18-2009 05:40 AM

Hi, did you ever find a solution for this? I have the same problem.

praveen_143 10-29-2009 10:40 AM

Quote:

Originally Posted by rdibley (Post 3366560)

Added to the /etc/fstab:
Code:

                fred:/MountDir        /MountDir      nfs    rw,sec=krb5i,nfsvers=3  0      0
Testing it out:

I then tried to mount the share from the client:
Code:

root@barney:/etc# mount /MountDir
mount.nfs: access denied by server while mounting fred:/MountDir

I saw the following message in the /var/log/syslog:

Code:

Nov 22 16:13:21 fred mountd[15558]: mount request from unknown host 10.1.1.4 for /MountDir (/MountDir)

Hi

One question I want to ask is: in your fstab entry, why is it mounting as only NFSv3? Isn't it supposed to be NFSv4, like this:

Code:

                fred:/MountDir        /MountDir      nfs4    rw,sec=krb5i 0      0
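As an added example (not code from the thread or from any of its posters), a small Python lint that cross-checks a server's /etc/exports against a client's /etc/fstab: the client's sec= flavour must be one the export accepts, and a Kerberos-only export mounted with the nfs/nfsvers=3 combination from the original fstab line is flagged, which is the point the reply above makes. The sample file contents are constructed to mirror the thread; the function names are assumptions.

```python
import re

# Constructed sample files mirroring the thread (not taken from a live system).
EXPORTS = "/MountDir      gss/krb5i(rw,sync,subtree_check)\n"
FSTAB_V3 = "fred:/MountDir  /MountDir  nfs   rw,sec=krb5i,nfsvers=3  0 0\n"
FSTAB_V4 = "fred:/MountDir  /MountDir  nfs4  rw,sec=krb5i            0 0\n"

def export_flavors(text):
    """Map export path -> set of security flavours the server accepts.
    Handles the old 'gss/krb5i' client-name syntax and the newer sec= option."""
    allowed = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        flavors = allowed.setdefault(path, set())
        for client in clients:
            m = re.match(r'([^(]*)(?:\((.*)\))?', client)
            name, opts = m.group(1), (m.group(2) or '')
            if name.startswith('gss/'):
                flavors.add(name[4:])            # gss/krb5i -> krb5i
            else:
                secs = [o[4:] for o in opts.split(',') if o.startswith('sec=')]
                if secs:
                    flavors.update(secs[0].split(':'))
                else:
                    flavors.add('sys')           # no sec= means AUTH_SYS
    return allowed

def fstab_mounts(text):
    """Yield (export_path, fstype, options dict) for each NFS entry in fstab."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[2] not in ('nfs', 'nfs4'):
            continue
        opts = dict(o.split('=', 1) if '=' in o else (o, True) for o in f[3].split(','))
        yield f[0].split(':', 1)[1], f[2], opts

def check(exports_text, fstab_text):
    """Return a list of mismatches between the exports and the fstab entries."""
    problems = []
    allowed = export_flavors(exports_text)
    for path, fstype, opts in fstab_mounts(fstab_text):
        sec = opts.get('sec', 'sys')             # mount defaults to AUTH_SYS
        flavors = allowed.get(path)
        if flavors is None:
            problems.append(f'{path}: not exported')
            continue
        if sec not in flavors:
            problems.append(f'{path}: client sec={sec} not in export {sorted(flavors)}')
        if flavors <= {'krb5', 'krb5i', 'krb5p'} and fstype != 'nfs4' and opts.get('nfsvers') != '4':
            problems.append(f'{path}: Kerberos-only export mounted as NFSv3')
    return problems
```

Run `check(open('/etc/exports').read(), open('/etc/fstab').read())` on copies of both files to lint a real pair; an empty list means the flavours and versions line up.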
