Request guidance on NFSv4.1 server using KRB5 with AD and without winbind
Hello All,
I've been tasked with getting an NFSv4.1 server stood up within our infrastructure on EL6. We'd like to use krb5p if possible, and currently have Windows Server 2008r2 domain controllers acting as our KDC. We have Samba configured on all our EL6 boxes and use that for things like GSSAPI SSH.
One requirement that's been stated, which I can't find any good examples of, is that we cannot use winbind.
I've created (via net ads keytab add nfs) nfs/fqdn@DOMAIN and host/fqdn@DOMAIN principals on the test server and client.
Here are my exports:
/srv *(rw,fsid=0,insecure,no_subtree_check,sync)
/srv/nfshomes gss/krb5(rw,insecure,no_subtree_check,sync)
/srv/nfsgroups gss/krb5(rw,insecure,no_subtree_check,sync)
And here's what I get when I try to mount:
# mount -v testserver:/srv/nfsgroups /mnt/nfstest -o minorversion=1 -o nolock -o nfsvers=4
mount: no type was given - I'll assume nfs because of the colon
mount.nfs: timeout set for Fri Mar 1 16:59:42 2013
mount.nfs: trying text-based options 'minorversion=1,nolock,nfsvers=4,addr=10.64.29.15,clientaddr=10.64.28.167'
mount.nfs: mount(2): Protocol not supported
mount.nfs: Protocol not supported
Here are the encryption types in the nfs/fqdn and host/fqdn keys in the keytabs:
(des-cbc-crc)
(des-cbc-md5)
(arcfour-hmac)
(aes128-cts-hmac-sha1-96)
(aes256-cts-hmac-sha1-96)
Does anyone have any advice on where I should go from here?
Thanks!
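An added example, not part of the original post and not Red Hat tooling: since the post aims for krb5p, this Python check parses the exports quoted above and reports which security flavor each entry permits, along with any use of the `insecure` option. The function names are hypothetical, and it assumes unquoted export paths and that an entry with no `sec=` option defaults to `sec=sys`.

```python
import re

# The three export lines quoted in the post above, reproduced as sample input.
EXPORTS = """\
/srv *(rw,fsid=0,insecure,no_subtree_check,sync)
/srv/nfshomes gss/krb5(rw,insecure,no_subtree_check,sync)
/srv/nfsgroups gss/krb5(rw,insecure,no_subtree_check,sync)
"""

# One "client(options)" entry; the option list is optional.
ENTRY_RE = re.compile(r"(?P<client>[^\s()]+)(?:\((?P<opts>[^)]*)\))?")


def flavors(client, opts):
    """Return the security flavors a single client(options) entry permits."""
    if client.startswith("gss/"):      # legacy client form, e.g. gss/krb5p
        return [client[len("gss/"):]]
    for opt in opts:
        if opt.startswith("sec="):     # option form, e.g. sec=krb5i:krb5p
            return opt[len("sec="):].split(":")
    return ["sys"]                     # assumption: no sec= means sec=sys


def audit(text, required="krb5p"):
    """Return one dict per export entry with its flavors and findings."""
    report = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)            # assumption: unquoted path
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in ENTRY_RE.finditer(rest):
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            permitted = flavors(m.group("client"), opts)
            findings = [f"permits {f}, not only {required}"
                        for f in permitted if f != required]
            if "insecure" in opts:
                findings.append("insecure: unprivileged source ports accepted")
            report.append({"path": path, "client": m.group("client"),
                           "flavors": permitted, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit(EXPORTS):
        print(entry["path"], entry["client"], entry["flavors"], entry["findings"])
```

The check only describes what the exports file permits; it does not explain the "Protocol not supported" mount error.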
Responses
Hello Kodiak,
did you already have a look at https://access.redhat.com/knowledge/solutions/281143 ?
If the details from that document do not help further,
- running the involved daemons with debugging options (configured in /etc/sysconfig/nfs)
- checking the principals in the keytab
- and sniffing the network traffic
could be steps to further debug this. If we need further debugging then I would recommend opening a case with Red Hat support.
cheers, Christian
Hi Kodiak,
thanks for the update.
The kbase carries 'unverified'; I was involved in the creation and debugging of all the client-side pieces here, yet we did not follow this up at that time by also emulating the Windows AD server side completely.
I did see you comment on the kbase. Thanks also for following up on this as a customer case, a testpackage including the patch should be possible.
cheers, Christian
