Kerberos and NFS V4 Configuration - Kerberos



Thread: Kerberos and NFS V4 Configuration

  1. Kerberos and NFS V4 Configuration

    Here is one we would like to figure out how to resolve or work around.

    The KDC is running on AIX Major Release 3.

    Kerberos is used to access data on NFS V3 and NFS v4 file
    systems.

    Exported filesystems are also on AIX 3.

    AIX specific Process Group Authentication maps NFS V4 encryption
    keys and Kerberos keys together.

    Other AIX systems allow access to NFS V3, NFS V4 unencrypted,
    and NFS V4 encrypted data.

    In setting up RedHat RHEL WS 4.3 to access Kerberos controlled data
    from the AIX KDC, NFS V3 and NFS V4 unencrypted mounts become
    accessible.

    When trying to mount over NFS V4 with encryption, the mount options are:

    rw,hard,intr,proto=tcp,port=xxxx,sec=krb5,noauto 0 0

    Note that the xxxx represents the correct port number.

    When trying to mount a file system from the KDC on RHEL WS 3.4, the
    following error appears:

    mount: block device hostname:/filesystem is write-protected, mounting read-only
    mount: cannot mount block device hostname:/filesystem read-only

    Note that hostname and filesystem represent other correct but
    sensitive information.

    I'm wondering if this is stumbling over that AIX specific Process
    Authentication Group issue between Kerberos encryption and NFS V4
    encryption. Is there a way to overcome this? Hopefully just on the
    client. If changes have to also be made on KDC, it will be a tough
    road.

    Thanks.

    ----
    Not all who wander are lost.

    Chuck Keagle
    Enterprise Servers: HPC
    chuck.keagle@boeing.com
    Work: (425) 865-1488
    Cell: (425) 417-3434
    http://card.web.boeing.com/Webcard.cfm?id=73990

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos and NFS V4 Configuration

    This is probably best discussed on nfsv4@linux-nfs.org
    (http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4)

    Enabling verbose output from rpcgssd (-vvv) on the linux client might
    give a hint to the problem.

    K.C.

    On 10/12/06, Keagle, Chuck wrote:
    > Here is one we would like to figure out how to resolve or work around.
    >
    > The KDC is running on AIX Major Release 3.
    >
    > Kerberos is used to access data on NFS V3 and NFS v4 file
    > systems.
    >
    > Exported filesystems are also on AIX 3.
    >
    > AIX specific Process Group Authentication maps NFS V4 encryption
    > keys and Kerberos keys together.
    >
    > Other AIX systems allow access to NFS V3, NFS V4 unencrypted,
    > and NFS V4 encrypted data.
    >
    > In setting up RedHat RHEL WS 4.3 to access Kerberos controlled data
    > from the AIX KDC, NFS V3 and NFS V4 unencrypted mounts become
    > accessible.
    >
    > When trying to mount over NFS V4 with encryption, the mount options are:
    >
    > rw,hard,intr,proto=tcp,port=xxxx,sec=krb5,noauto 0 0
    > Note that the xxxx represents the correct port number.
    >
    > When trying to mount a file system from the KDC on RHEL WS 3.4, the
    > following error appears:
    >
    > mount: block device hostname:/filesystem is write-protected,
    > mounting read-only
    > mount: cannot mount block device hostname:/filesystem read-only
    > Note that hostname and filesystem represent other correct but
    > sensitive information.
    >
    > I'm wondering if this is stumbling over that AIX specific Process
    > Authentication Group issue between Kerberos encryption and NFS V4
    > encryption. Is there a way to overcome this? Hopefully just on the
    > client. If changes have to also be made on KDC, it will be a tough
    > road.
    >
    > Thanks.

