LinuxQuestions.org
12-06-2008, 01:27 PM   #1
rdibley
NFSv4 with Kerberos 5 Authentication Troubleshooting


I've been trying to set up NFSv4 with Kerberos 5 authentication for quite a while now, but I'm missing something because I can't get it to work. I have searched the web and looked through various tutorials on the subject, but I can't figure out what my mistake is. I'm all out of ideas. I'm sure I am missing something simple; I am hoping that somebody out there will be able to spot my mistake. The server is running Debian Lenny (testing), and the client is running Ubuntu (Intrepid). The server name is fred and the client is named barney. I am running this on a LAN with a domain name of .home.

First, I have tried various tutorials, but I eventually followed this one since it was an example for Debian, and because it was the most straightforward:

http://www.freesoftwaremagazine.com/...on_the_network
http://www.freesoftwaremagazine.com/...s/securing_nfs

I have installed the ntpd package on both machines, and have verified that their clocks are within 1 second of each other.

I have verified that the DNS lookup is working:
Code:
fred:/etc# host fred
fred.home has address 10.1.1.2
fred:/etc# host 10.1.1.2
2.1.1.10.in-addr.arpa domain name pointer fred.home.
fred:/etc# host barney
barney.home has address 10.1.1.4
fred:/etc# host 10.1.1.4
4.1.1.10.in-addr.arpa domain name pointer barney.home.
fred:/etc# hostname --fqdn
fred.home

root@barney:/etc/default# host fred
fred.home has address 10.1.1.2
root@barney:/etc/default# host 10.1.1.2
2.1.1.10.in-addr.arpa domain name pointer fred.home.
root@barney:/etc/default# host barney
barney.home has address 10.1.1.4
root@barney:/etc/default# host 10.1.1.4
4.1.1.10.in-addr.arpa domain name pointer barney.home.
root@barney:/etc/default# hostname --fqdn
barney.home
So, each host is able to do both a forward and reverse DNS lookup to find itself and the other computer. The first discrepancy is that the tutorial says to ping localhost from the server. According to the tutorial, "ping localhost" should return:

Code:
64 bytes from host.example.com (127.0.0.1): icmp_seq=1...
In my case, I would get:

Code:
fred:/etc# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.063 ms
In the tutorial example, the ping result lists the machine name in the response. In my case, I see "localhost" instead. I don't know if this is significant or not.

Server setup:
Installed packages:
krb5-admin-server
krb5-config
krb5-kdc
krb5-user
Created the Kerberos realm:
Code:
kdb5_util create -s
Created the ACL file: /etc/krb5kdc/kadm5.acl
Code:
*/admin *
chmod 644 kadm5.acl
Set the flag in /etc/default/krb5-admin-server
Code:
RUN_KADMIND=true
Restarted the Kerberos server:
Code:
/etc/init.d/krb5-kdc restart
/etc/init.d/krb5-admin-server restart
Created principal:
Code:
kadmin.local
addprinc root/admin@HOME
Created the /etc/krb5.conf file:
Code:
[libdefaults]
        default_realm = HOME
        kdc_timesync = 1
        forwardable = true
        proxiable = true

[realms]
        HOME = {
                kdc = fred.home
                admin_server = fred.home
        }

[domain_realm]
        .home = HOME
        home = HOME

[login]
        krb4_convert = false
        krb4_get_tickets = false

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
Created the principal on the server:
Code:
kadmin
addprinc -randkey nfs/fred.home@HOME
xst nfs/fred.home@HOME
I then confirmed that /etc/krb5.keytab was created

Installed NFS packages on the server:
nfs-kernel-server
nfs-common
Set the NFS default settings in /etc/default/nfs-kernel-server
Code:
NEED_SVCGSSD=yes
Set the NFS default settings in /etc/default/nfs-common
Code:
NEED_IDMAPD=yes
NEED_GSSD=yes
Edited the /etc/exports file:
Code:
/MountDir      gss/krb5i(rw,sync,subtree_check)
Restarted NFS server:
Code:
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
Made sure rpc.svcgssd is running on the server:
Code:
fred:/etc# ps -e | grep rpc.svcgssd
18382 ?        00:00:00 rpc.svcgssd
Client Setup:

Installed packages:
krb5-config
krb5-user
Used the same /etc/krb5.conf file as with the server (I'm not sure if this is something I really need to do, but I was grasping at anything here)

Created the principal on the client:
Code:
kadmin
addprinc -randkey nfs/barney.home@HOME
xst nfs/barney.home@HOME
I then confirmed that /etc/krb5.keytab was created

Installed the NFS package on the client:
nfs-common
Set the NFS default settings in /etc/default/nfs-common
Code:
NEED_IDMAPD=yes
NEED_GSSD=yes
Restarted NFS:
Code:
/etc/init.d/nfs-common restart
Made sure rpc.gssd is running on the client:
Code:
root@barney:/etc/init.d# ps -e | grep rpc.gssd
13983 ?        00:00:00 rpc.gssd
Added to the /etc/fstab:
Code:
fred:/MountDir        /MountDir      nfs     rw,sec=krb5i,nfsvers=3  0       0
Testing it out:

I then tried to mount the share from the client:
Code:
root@barney:/etc# mount /MountDir
mount.nfs: access denied by server while mounting fred:/MountDir
I saw the following message in the /var/log/syslog:

Code:
Nov 22 16:13:21 fred mountd[15558]: mount request from unknown host 10.1.1.4 for /MountDir (/MountDir)
Those are the only messages I have ever seen. It is not very descriptive, and I haven't found anything online that has given me any idea of what it means, nor do I know where to go to troubleshoot any further.

The only question that comes to mind is why on the syslog, the host is referred to by IP address instead of by name. Is it possible that the KDC is not doing a reverse DNS lookup of the hostname, and failing to authenticate because of that? How would I check that? Or is it something else entirely?

Maybe a last detail that might help is that I have no problem mounting the NFS share without Kerberos.

I would really appreciate any ideas or help.

Thanks!

Last edited by rdibley; 12-06-2008 at 01:34 PM.

08-18-2009, 04:40 AM   #2
crosmuller
Hi, did you ever find a solution for this? I have the same problem.
 
10-29-2009, 09:40 AM   #3
praveen_143
Quote:
Originally Posted by rdibley

Added to the /etc/fstab:
Code:
fred:/MountDir        /MountDir      nfs     rw,sec=krb5i,nfsvers=3  0       0
Testing it out:

I then tried to mount the share from the client:
Code:
root@barney:/etc# mount /MountDir
mount.nfs: access denied by server while mounting fred:/MountDir
I saw the following message in the /var/log/syslog:

Code:
Nov 22 16:13:21 fred mountd[15558]: mount request from unknown host 10.1.1.4 for /MountDir (/MountDir)
Hi,

One question I want to ask is: in your fstab entry, why is it mounting only as NFSv3? Isn't it supposed to be NFSv4, like this:

Code:
fred:/MountDir        /MountDir      nfs4     rw,sec=krb5i 0       0
 
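The reply above points at the fstab line; the server log in the first post ("mount request from unknown host 10.1.1.4") is mountd matching the caller against the export list by address and finding no entry for it. An NFSv3 mount goes through mountd's MOUNT protocol, an NFSv4 mount does not, which is why the fstype is the first thing to change. The script below is an added example, not code from the thread or from the tutorial it follows: it encodes the three checks the setup in post #1 comes down to (fstab asks for NFSv4 with a Kerberos flavour, exports use the sec= syntax rather than the legacy gss/ pseudo-client that exports(5) documents as deprecated, and the keytab holds nfs/<fqdn>@REALM with the fqdn exactly as `hostname --fqdn` prints it) and runs them offline over constructed inputs. The `barney.home(...,sec=krb5i)` export line and the `klist -k` listing are constructed for the example, as are the function names.

```shell
#!/bin/sh
# Added example, not code from the original thread: offline checks for the
# places a Kerberized NFS mount as configured in post #1 can go wrong.
# Inputs are constructed strings copied from the posts; on a live host feed
# the same functions lines from /etc/fstab, /etc/exports and `klist -k`.
set -f   # never glob-expand tokens such as "*.home(rw)" while splitting lines

# One /etc/fstab line -> prints "ok", or a reason and returns 1.
# Fields: <server:/export> <mountpoint> <fstype> <options> <dump> <pass>
check_fstab_entry() {
    set -- $1                  # split on whitespace into $1..$6
    fstype=$3
    opts=",$4,"                # comma-padded so every option reads ",name=value,"
    case "$opts" in
        *,sec=krb5*) ;;        # krb5, krb5i or krb5p requested
        *) echo "no sec=krb5* option: the mount would use sec=sys"; return 1 ;;
    esac
    case "$fstype" in
        nfs4) echo ok ;;       # NFSv4: no separate MOUNT protocol, GSS on the NFS channel
        nfs)
            case "$opts" in
                *,nfsvers=4*|*,vers=4*) echo ok ;;
                *) echo "fstype nfs without vers=4 mounts NFSv3: use nfs4 with sec=krb5i"; return 1 ;;
            esac ;;
        *) echo "unexpected fstype '$fstype'"; return 1 ;;
    esac
}

# One /etc/exports line -> "ok" or a reason. The "gss/krb5i" pseudo-client in
# post #1 is the legacy way to ask for Kerberos; exports(5) documents the sec=
# option on an ordinary client entry instead, and the default flavour is sys.
check_export_line() {
    set -- $1
    dir=$1; shift
    [ $# -gt 0 ] || { echo "$dir has no client entries"; return 1; }
    for client in "$@"; do
        case "$client" in
            gss/krb5*) echo "legacy gss/ client for $dir: write <host>(...,sec=krb5i) instead"; return 1 ;;
            *sec=krb5*) ;;
            *) echo "client $client gets $dir with the default sec=sys"; return 1 ;;
        esac
    done
    echo ok
}

# `klist -k` output -> "ok" if it lists nfs/<fqdn>@<REALM>. The client asks the
# KDC for a ticket to nfs/<server fqdn>, so that exact principal must be in the
# server keytab; a bare "nfs/fred@HOME" or a different realm does not match.
check_nfs_principal() {
    listing=$1; fqdn=$2; realm=$3
    want="nfs/$fqdn@$realm"
    if printf '%s\n' "$listing" | grep -q -- " $want\$"; then
        echo ok
    else
        echo "keytab lists no $want entry"; return 1
    fi
}

# Constructed inputs taken from the posts (not from a live system).
FSTAB_POSTED='fred:/MountDir /MountDir nfs rw,sec=krb5i,nfsvers=3 0 0'
FSTAB_FIXED='fred:/MountDir /MountDir nfs4 rw,sec=krb5i 0 0'
EXPORT_POSTED='/MountDir gss/krb5i(rw,sync,subtree_check)'
EXPORT_FIXED='/MountDir barney.home(rw,sync,subtree_check,sec=krb5i)'
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 nfs/fred.home@HOME'

run_demo() {
    for line in "$FSTAB_POSTED" "$FSTAB_FIXED"; do
        printf 'fstab   %-55s -> %s\n' "$line" "$(check_fstab_entry "$line")"
    done
    for line in "$EXPORT_POSTED" "$EXPORT_FIXED"; do
        printf 'exports %-55s -> %s\n' "$line" "$(check_export_line "$line")"
    done
    printf 'keytab  %-55s -> %s\n' 'nfs/fred.home@HOME'   "$(check_nfs_principal "$KLIST_SAMPLE" fred.home HOME)"
    printf 'keytab  %-55s -> %s\n' 'nfs/barney.home@HOME' "$(check_nfs_principal "$KLIST_SAMPLE" barney.home HOME)"
}
run_demo
```

Run as-is to see the posted fstab and exports lines flagged and the corrected ones pass; on a real host, `while read -r l; do check_fstab_entry "$l"; done < /etc/fstab` (skipping comments and non-NFS lines) and `check_nfs_principal "$(klist -k)" "$(hostname --fqdn)" HOME` apply the same checks to the live configuration. The checks are static: they say nothing about whether the KDC is reachable or the clocks agree, which the first post already verified by hand.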