A little encouragement with Kerberos for NFS - Kerberos


  1. A little encouragement with Kerberos for NFS

    I have been struggling for about two days now and could use a little
    encouragement. I wish to have NFS use Kerberos but am as of yet unable
    to get it working. But I think I am close. Here is what I have--

    ns3.an3e.org: KDC and NFS server, Linux ns3.an3e.org 2.6.17-1.2139_FC5
    # exportfs -v -> /var/lib/music gss/krb5p(ro,wdelay,root_squash)

    ns2.an3e.org: NFS Client, Linux ns2.an3e.org 2.6.16-1.2122_FC5


    kadmin: listprincs
    K/M@AN3E.ORG
    admin/admin@AN3E.ORG
    ayoung@AN3E.ORG
    host/ns2.an3e.org@AN3E.ORG
    kadmin/admin@AN3E.ORG
    kadmin/changepw@AN3E.ORG
    kadmin/history@AN3E.ORG
    kadmin/ns3.an3e.org@AN3E.ORG
    krbtgt/AN3E.ORG@AN3E.ORG
    nfs/ns1.an3e.org@AN3E.ORG
    nfs/ns2.an3e.org@AN3E.ORG
    nfs/ns3.an3e.org@AN3E.ORG
    root/ns2.an3e.org@AN3E.ORG

    [root@ns2 ~]# klist -e -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    8 nfs/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
    5 root/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)
    5 host/ns2.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)


    [root@ns3 ~]# klist -e -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    7 nfs/ns3.an3e.org@AN3E.ORG (DES cbc mode with CRC-32)

    [root@ns3 ~]# more /etc/sysconfig/nfs
    SECURE_NFS=yes

    [root@ns3 ~]# authconfig --enablekrb5 --update


    The above is from all sorts of pages offered by Google.
    So here is what I get---

    [root@ns2 ~]# mount -t nfs4 -o ro,sec=krb5p ns3.an3e.org:/var/lib/music /mnt/ns3/music
    mount: cannot mount block device ns3.an3e.org:/var/lib/music read-only
    |--ns2:/var/log/messages---------------
    |Jul 7 16:50:26 ns2 rpc.gssd[2911]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server ns3.an3e.org

    |--ns3:/var/log/krb5kdc.log-----------
    |Jul 07 15:06:18 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 64.165.113.66: VALIDATE VALID TICKET: authtime 1152309967, host/ns2.an3e.org@AN3E.ORG for krbtgt/AN3E.ORG@AN3E.ORG, KDC can't fulfill requested option



    I could sure use a kind word heading into the weekend.
    Thanks!
    Andrew
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: A little encouragement with Kerberos for NFS


    > |--ns3:/var/log/krb5kdc.log-----------
    > |Jul 07 15:06:18 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 64.165.113.66: VALIDATE VALID TICKET: authtime 1152309967, host/ns2.an3e.org@AN3E.ORG for krbtgt/AN3E.ORG@AN3E.ORG, KDC can't fulfill requested option


    This would normally mean the supplied TGT is postdated and marked
    INVALID, and the client is requesting validation to "activate" the
    postdated ticket. Perhaps the TGT has not yet passed its starttime, or is
    not in fact invalid. Of course, this begs the question of how it could
    happen to begin with. Have you checked the clocks on all the machines in
    question?

    --
    Richard Silverman
    res@qoxp.net
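
Added example, not part of the thread: a small parser for the krb5kdc TGS_REQ line quoted above. It names the offered encryption types and compares the ticket's authtime with the KDC's log stamp, as a first check on the clocks. The year (2006) and UTC offset (-7) passed in are assumptions, because the log stamp carries neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Kerberos encryption type numbers (IANA registry) that appear in the log line.
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          16: "des3-cbc-sha1", 23: "arcfour-hmac", 1: "des-cbc-crc",
          2: "des-cbc-md4", 3: "des-cbc-md5"}
SINGLE_DES = {1, 2, 3}  # the keytabs shown in the thread hold only des-cbc-crc keys

# The KDC log entry from the thread, rejoined onto one line (mail wrapping removed).
SAMPLE = ("Jul 07 15:06:18 ns3.an3e.org krb5kdc[1802](info): TGS_REQ (7 etypes "
          "{18 17 16 23 1 3 2}) 64.165.113.66: VALIDATE VALID TICKET: authtime "
          "1152309967, host/ns2.an3e.org@AN3E.ORG for krbtgt/AN3E.ORG@AN3E.ORG, "
          "KDC can't fulfill requested option")

LINE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[^:]+): authtime (?P<authtime>\d+), "
    r"(?P<client>\S+) for (?P<service>[^,]+), (?P<error>.*)$")

def parse_tgs_req(line, year, utc_offset_hours):
    """Parse one krb5kdc TGS_REQ line. The log stamp has no year or time zone,
    so the caller supplies both (assumptions, not values from the log)."""
    m = LINE.match(line)
    if m is None:
        return None
    etypes = [int(n) for n in m["etypes"].split()]
    zone = timezone(timedelta(hours=utc_offset_hours))
    logged = datetime.strptime(f"{year} {m['stamp']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=zone)
    authtime = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
    return {
        "client": m["client"], "service": m["service"],
        "status": m["status"], "error": m["error"],
        "etypes": [ETYPES.get(n, f"etype-{n}") for n in etypes],
        "single_des_offered": sorted(SINGLE_DES.intersection(etypes)),
        "authtime_utc": authtime.isoformat(),
        # Seconds from TGT issue (authtime) to this request as the KDC logged it.
        # A negative value means the ticket claims to be newer than the request.
        "tgt_age_seconds": (logged - authtime).total_seconds(),
    }

if __name__ == "__main__":
    for key, value in parse_tgs_req(SAMPLE, 2006, -7).items():
        print(f"{key}: {value}")
```

This only compares the ticket with the KDC's own clock; the client and NFS server clocks still have to be compared with the KDC's directly.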

