[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

NFSv4 Kerberized


On my Ubuntu workstation client I've been able to kerberize NFSv4 mounts.

Basically It is needed to create princ and keytab for nfs/yourclient.intern.
The princ for the nfs server is already existent as nfs/tjener.intern, but adding
the keytab is needed. Keytab can go to default krb5.keytab, since  nfs
runs as root. No need to add kerberos autentication of the autofs service,
like stated somewhere in internet (autofsclient principal and keytab).

Important is the "ktadd -e des" options for all nfs/xxx.intern since nfsv4
works only with des, and the allow_weak_crypto = true in krb5.conf.

Then modify ldap options "automountInformation: -fstype=nfs4,sec=krb5,rw tjener.intern:/&"

The rest is rebooting two or three times (no idea why, both tjener
and client), and checking the mount options with "mount" command.

At this stage I guess that it is possible to remove the sys option
in/etc/exports on tjener. ( Not tried yet, for sake of compatibility
with other client images).



P.S: Next would be to use authentication without TGT and avoiding
the keytab for client and server.

Sysadmin SPSE-Tenero
Ufficio:   +41 91 735 62 48 
Cellulare: +41 79 629 20 63

Reply to: