Identity Management (IPA) and NFSv4 question

Hey all.

I'm running identity management (IPA) server on rhel 6.2.

I've been trying to set up a kerberos integrated NFS server on rhel 5.7 with the clients running rhel 6.2.

I've been following the identity management beta steps for RHEL 5.8 for setting up the server, most important part is specifying crypto type to des-cbc-crc and to allow a lower crypto in /etc/krb5.conf. I get the keytab set up but am unable to mount a share. Anyone know if I'm barking up the wrong tree and this is impossible?

Regards

Johnny

Responses

It's too late, but in case you are still looking for suggestions..

If the keytabs are created with the -e des-cbc-crc option, it should work well. Make sure you have:

* All client/server keytabs created with des-cbc-crc encryption type,

* All rhel6 machines have 'allow_weak_crypto = true' under the libdefaults section in krb5.conf.

* All rhel5 clients (and server) require the 'nfs/`hostname`@REALM' key present in the keytab.

* The latest rhel6 nfs-clients do not require the nfs/hostname key; they'll use the default system (host/hostname@REALM) key from the keytab file.

* SECURE_NFS=yes enabled on all clients and server (rpc.gssd is running on all clients, rpcsvcgssd running on server).

* Make sure the keys (from the keytab) work; use kinit -k <nfs/hostname@REALM> to verify the keys.

* In case of any issues, add RPCGSSDARGS="-vvv" (on client) and RPCSVCGSSDARGS="-vvv" (on server), and watch /var/log/messages (on both ends) during the mount operation; that'd give you enough information to troubleshoot further.

Hope this helps.
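
The checklist in the response above can be verified offline with a small script. This is an added example, not part of the thread: the function names, the host nfs5.example.com, the realm EXAMPLE.COM and the sample files are constructed, and the accepted `klist -ke` enctype spellings are an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. All sample inputs are constructed.

# True if [libdefaults] in krb5.conf ($1) contains allow_weak_crypto = true.
weak_crypto_enabled() {
    awk '/^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         in_sec && /^[ \t]*allow_weak_crypto[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
         END { exit !found }' "$1"
}

# True if `klist -ke` output on stdin lists a des-cbc-crc key for a principal
# starting with $1. Assumption: older klist prints the long enctype name.
keytab_has_des_key() {
    awk -v p="$1" 'index($2, p) == 1 &&
         /\((des-cbc-crc|DES cbc mode with CRC-32)\)/ { found = 1 }
         END { exit !found }'
}

# True if the sysconfig file ($1) sets SECURE_NFS to yes.
secure_nfs_enabled() {
    grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$' "$1"
}

# Run all three checks; print one line per failure, return 1 if any failed.
check_nfs_krb5() {  # $1 krb5.conf  $2 sysconfig/nfs  $3 klist output  $4 principal prefix
    rc=0
    weak_crypto_enabled "$1"        || { echo "FAIL allow_weak_crypto ($1)"; rc=1; }
    secure_nfs_enabled "$2"         || { echo "FAIL SECURE_NFS ($2)"; rc=1; }
    keytab_has_des_key "$4" < "$3"  || { echo "FAIL no des-cbc-crc key for $4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $4"
    return "$rc"
}

# Constructed sample inputs for a hypothetical server nfs5.example.com.
d=$(mktemp -d)
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n allow_weak_crypto = true\n[realms]\n' > "$d/krb5.conf"
printf 'SECURE_NFS="yes"\n' > "$d/nfs"
printf 'KVNO Principal\n---- ----\n   1 host/nfs5.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)\n   1 nfs/nfs5.example.com@EXAMPLE.COM (des-cbc-crc)\n' > "$d/klist.txt"
check_nfs_krb5 "$d/krb5.conf" "$d/nfs" "$d/klist.txt" "nfs/nfs5.example.com@"
```

On a real host, pass /etc/krb5.conf, /etc/sysconfig/nfs and a file holding the output of `klist -ke` in place of the sample files; for a rhel6 client use a `host/` principal prefix instead of `nfs/`.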