Ubuntu Server - 10.04.03 - NFS export with Kerberos (MIT) - NFS Won't Start
Ok, I give, NFS/Kerberos has left me a broken, broken man.
I've got an Ubuntu 10.04 server, running openldap, and kdc-ldap. Everything is working fine, kinit, workstation logons, etc... other than I'm trying to get NFS to use Kerberos. Here's the gist of the error I'm getting, this is from syslog when nfs-kernel is trying to start, but it pretty much says the same in other logs.
The /etc/exports: (have tried krb5i, and p as well)
I've been buried in the internet for days looking for a solution. I've tried allowing the weak encryption types, and also totally disallowing them. My guess at the moment is that is probably the issue. Most things say old des is required, but I've also seen a few references saying it may not be. If nothing else, if someone knows a way to uber debug SVCGSS, or even strace it in its appropriate security context, pls let me know? I can see in the docs what it -should- be looking for the keytab, but I swear it's there already.
Found the issue
So this turned out to be an issue with the servername vs. FQDN. The SPN & keytab format I used was all FQDN. However, typing 'hostname -f' produced just the server name.
This is governed from the /etc/hosts file, the second local entry is just the servername.
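The mismatch described in this post, as an added example that is not part of the original thread: it models which name the `/etc/hosts` ordering makes canonical and checks whether the keytab holds an `nfs/` principal for that name. The host names, realm and `klist -k` listing are constructed sample data, the function names are hypothetical, and the resolver model is simplified (the first name on the first matching hosts line wins).

```shell
#!/bin/sh
# Added example: model why `hostname -f` disagreed with the keytab's FQDN.
# Simplified model of the "files" resolver: the canonical name is the first
# name on the first /etc/hosts line that lists the host.

canonical_from_hosts() {   # usage: canonical_from_hosts HOSTS_FILE HOSTNAME
    awk -v h="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(h)) { print $2; exit }
        }' "$1"
}

keytab_has_nfs_spn() {     # usage: keytab_has_nfs_spn KLIST_K_OUTPUT NAME
    awk -v want="nfs/$2@" '
        index($2, want) == 1 { found = 1 }       # principal is column 2
        END { exit !found }' "$1"
}

check_nfs_spn() {          # usage: check_nfs_spn HOSTS_FILE KLIST_K_OUTPUT HOSTNAME
    canon=$(canonical_from_hosts "$1" "$3")
    [ -n "$canon" ] || { echo "UNRESOLVED $3"; return 2; }
    if keytab_has_nfs_spn "$2" "$canon"; then
        echo "OK nfs/$canon"
    else
        echo "MISMATCH canonical=$canon"
        return 1
    fi
}

# Constructed sample data (not from the original post).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '127.0.0.1 localhost' \
    '127.0.1.1 server server.example.com' > "$tmp/hosts.short_first"
printf '%s\n' '127.0.0.1 localhost' \
    '127.0.1.1 server.example.com server' > "$tmp/hosts.fqdn_first"
printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
    '---- ---------' '   3 nfs/server.example.com@EXAMPLE.COM' > "$tmp/klist"

check_nfs_spn "$tmp/hosts.short_first" "$tmp/klist" server || true
check_nfs_spn "$tmp/hosts.fqdn_first"  "$tmp/klist" server || true
```

On a live server, feed it `/etc/hosts`, the saved output of `klist -k /etc/krb5.keytab`, and the output of `hostname`.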
Also, just for reference, here are some great articles I found on this topic.
NFSv4Howto on Ubuntu
Single Sign On on Ubuntu
Good Related Question on NFS4 with Krb
Legacy Article, well done though

FYI, that last link on the legacy article, it shows how to force the crusty des encryption type. Though, from what I've found here, you can totally disable it at the KDC, keytabs, etc... and NFS/krb still works great.