
NFS4 and Kerberos: A-records for same IP inflate the need for service principals



Hi all,

In the last few days I found a little time to have a look into the issue of
using NFSv4 (and perhaps Kerberos) to mount the home directories.

I first configured NFS4 to export the home directories. After that I
tried Kerberos authentication. However, I observed that it works only
in some cases; in most of the attempts to mount the share a missing
principal of the form nfs/XXX@INTERN was reported, where XXX is one of
the hostnames (and not tjener.intern) reported by this command:

root@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

If I understand things correctly, mounting the share with

mount -t nfs4 -o sec=krb5 tjener.intern:/ /skole/tjener/

converts tjener.intern into an IP address and that address back to the
(fully qualified) hostname. So only if by chance tjener.intern is used
for the lookup is the (existing) nfs/tjener.intern@INTERN principal
used, and things work as they should. If another hostname is used,
things fail because there is no corresponding service principal.

I tried to find the reason for these corresponding A-records; they
were changed in commit 71704.
(<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-bootstrap/?rev=71704&sc=1>)

I am not an expert regarding that stuff and I don't know if there are
other ways to achieve the desired result. However, it looks as if with the
current setup we need service principals for all host aliases.

Best regards,

     Andi
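The forward-then-reverse lookup described in the mail can be modelled to see exactly which nfs/XXX@INTERN principals a client may ask for and which of them are absent from the server keytab. The following is an added example, not code from the mail or from Debian Edu; the DNS tables are constructed to mirror the `host 10.0.2.2` output above, the `klist -k` text is a constructed sample, and the `rdns` switch mimics the `rdns = false` setting in the `[libdefaults]` section of krb5.conf, which makes a client skip the reverse lookup and use the name it was given.

```python
"""Model how a Kerberos NFSv4 client picks the service principal name when
one IP address carries several PTR records, and report which nfs/<host>@REALM
principals are missing from a keytab.  Added example; all DNS and keytab data
below is constructed, not taken from a live system."""

# Constructed reverse-DNS table: the six PTR records the mail shows for 10.0.2.2.
PTR_RECORDS = {
    "10.0.2.2": [
        "tjener.intern",
        "kerberos.intern",
        "ldap.intern",
        "domain.intern",
        "postoffice.intern",
        "syslog.intern",
    ],
}

# Constructed forward table: every alias is an A-record for the same address.
A_RECORDS = {name: "10.0.2.2" for name in PTR_RECORDS["10.0.2.2"]}


def resolve_forward(hostname, a_records=A_RECORDS):
    """Hostname -> IP, as the mount command does for tjener.intern."""
    return a_records[hostname]


def reverse_names(ip, ptr_records=PTR_RECORDS):
    """IP -> all PTR names.  A real resolver hands these back in no fixed
    order, which is why the mount only works 'by chance' some of the time."""
    return list(ptr_records.get(ip, []))


def candidate_hostnames(server_name, rdns=True):
    """Hostnames the client may put into nfs/<host>@REALM.

    rdns=True  : canonicalise via forward + reverse lookup (krb5 default),
                 so any PTR name of the address is a possible outcome.
    rdns=False : use the name given on the command line unchanged
                 (krb5.conf [libdefaults] rdns = false).
    """
    if not rdns:
        return [server_name]
    return reverse_names(resolve_forward(server_name))


def required_principals(server_name, realm, service="nfs", rdns=True):
    """Sorted set of service principals the server must hold so that every
    possible canonicalisation outcome can be served."""
    names = candidate_hostnames(server_name, rdns=rdns)
    return sorted(f"{service}/{name}@{realm}" for name in names)


def parse_klist_keytab(text):
    """Extract principal names from `klist -k` style output.  Data lines
    look like '   2 nfs/tjener.intern@INTERN' (KVNO, then principal)."""
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit():
            principals.add(fields[1])
    return principals


def missing_principals(server_name, realm, keytab_principals,
                       service="nfs", rdns=True):
    """Principals a client could request that the keytab does not contain."""
    have = set(keytab_principals)
    return [p for p in required_principals(server_name, realm, service, rdns)
            if p not in have]


# Constructed sample of what `klist -k` prints on a server that only has the
# principal for the canonical name tjener.intern.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/tjener.intern@INTERN
   2 host/tjener.intern@INTERN
"""

if __name__ == "__main__":
    have = parse_klist_keytab(SAMPLE_KLIST)
    for rdns in (True, False):
        missing = missing_principals("tjener.intern", "INTERN", have, rdns=rdns)
        print(f"rdns={rdns}: {len(missing)} missing principal(s)")
        for p in missing:
            print("   ", p)
```

With canonicalisation on, the keytab needs a principal for each of the six PTR names, and the sample keytab lacks five of them; with `rdns = false` on the clients only nfs/tjener.intern@INTERN is ever requested, so nothing is missing. The two outputs correspond to the two remedies for this setup: either register service principals for every alias, or stop the clients from canonicalising the server name.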