Hi,
Is there any guide to install/test nfs sec=krb5?
test env:
krb5 server : windows active directory
linux: rocky linux 9.1, already 'realm join' with sssd.
1) from redhat
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_using_network_file_services/securing-nfs_configuring-and-using-network-file-services
Procedure
Create the nfs/hostname.domain@REALM principal on the NFS server side.
Create the host/hostname.domain@REALM principal on both the server and the client side.
Add the corresponding keys to keytabs for the client and server.
but we need more detail.
2, from isilon
http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
more detail than redhat.
but the following fail.
Test registration by running.
kinit -k host/<fqdn>@NFS-REALM.LOCAL
host/<fqdn> will is already created when 'realm join'?
host/<fqdn> is created here again, so there is some trouble?
'kinit -k nfs/<fqdn>@NFS-REALM.LOCAL' works as the document.
any guide please, thanks a lot.
Best Regards
Wang Yugui ([email protected])
2023/01/22
Hi,
> Is there any guide to install/test nfs sec=krb5?
A better document:
https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h17769_integrating_onefs_with_kerberos_wp.pdf
3.1.2 Configurations for Kerberized NFS with AD
we just directly add nfs/ SPN in 'Figure 5 Check SPNs in AD'.
and we no longer need ''ktpass.exe -mapUse' in another document:
http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
and then 'mount.nfs4 -o sec=krb5' works in rocky linux 9.1.
Best Regards
Wang Yugui ([email protected])
2023/01/23
> test env:
> krb5 server : windows active directory
> linux: rocky linux 9.1, already 'realm join' with sssd.
>
> 1) from redhat
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_using_network_file_services/securing-nfs_configuring-and-using-network-file-services
> Procedure
> Create the nfs/hostname.domain@REALM principal on the NFS server side.
> Create the host/hostname.domain@REALM principal on both the server and the client side.
> Add the corresponding keys to keytabs for the client and server.
>
> but we need more detail.
>
>
> 2, from isilon
> http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
> http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
> more detail than redhat.
>
> but the following fail.
> Test registration by running.
> kinit -k host/<fqdn>@NFS-REALM.LOCAL
>
> host/<fqdn> will is already created when 'realm join'?
> host/<fqdn> is created here again, so there is some trouble?
>
> 'kinit -k nfs/<fqdn>@NFS-REALM.LOCAL' works as the document.
>
>
> any guide please, thanks a lot.
>
> Best Regards
> Wang Yugui ([email protected])
> 2023/01/22
>
Hi,
> Hi,
>
> > Is there any guide to install/test nfs sec=krb5?
>
> A better document:
> https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h17769_integrating_onefs_with_kerberos_wp.pdf
> 3.1.2 Configurations for Kerberized NFS with AD
>
> we just directly add nfs/ SPN in 'Figure 5 Check SPNs in AD'.
> and we no longer need ''ktpass.exe -mapUse' in another document:
> http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
> http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
>
> and then 'mount.nfs4 -o sec=krb5' works in rocky linux 9.1.
I test more case with different nfs server / nfs client version.
SPN host/
'realm join' auto create
SPN nfs/
setspn.exe -S nfs/T3610 T3610; setspn.exe -S nfs/T3610.e16-tech.com T3610
'kinit -k nfs/[email protected]' no need to work
'kinit -k host/[email protected]' no need to work.
el9: rocky linux 9.1
el8: oracle linux 8.6
el7: centos 7.9
nfs-server/el9 nfs-client OK/el7, *1/el8, OK/el9
nfs-server/el8 nfs-client OK/el7, *1/el8, *1/*2/el9
nfs-server/el7 nfs-client OK/el7, OK/el8, *1/*2/el9
*1 Permission denied
*2 Invalid argument # when kernel 5.15 in nfs-server, kerenl 6.1 in nfs-client
nfs-utils version: 1.3.0/el7, 2.3.3/el8, 2.5.4/el9
kernel: same 5.15.y/6.1.y on el9/el8/el7
Best Regards
Wang Yugui ([email protected])
2023/01/23
> Best Regards
> Wang Yugui ([email protected])
> 2023/01/23
>
> > test env:
> > krb5 server : windows active directory
> > linux: rocky linux 9.1, already 'realm join' with sssd.
> >
> > 1) from redhat
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_using_network_file_services/securing-nfs_configuring-and-using-network-file-services
> > Procedure
> > Create the nfs/hostname.domain@REALM principal on the NFS server side.
> > Create the host/hostname.domain@REALM principal on both the server and the client side.
> > Add the corresponding keys to keytabs for the client and server.
> >
> > but we need more detail.
> >
> >
> > 2, from isilon
> > http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
> > http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
> > more detail than redhat.
> >
> > but the following fail.
> > Test registration by running.
> > kinit -k host/<fqdn>@NFS-REALM.LOCAL
> >
> > host/<fqdn> will is already created when 'realm join'?
> > host/<fqdn> is created here again, so there is some trouble?
> >
> > 'kinit -k nfs/<fqdn>@NFS-REALM.LOCAL' works as the document.
> >
> >
> > any guide please, thanks a lot.
> >
> > Best Regards
> > Wang Yugui ([email protected])
> > 2023/01/22
> >
>
Hi,
> Hi,
>
> > Hi,
> >
> > > Is there any guide to install/test nfs sec=krb5?
> >
> > A better document:
> > https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h17769_integrating_onefs_with_kerberos_wp.pdf
> > 3.1.2 Configurations for Kerberized NFS with AD
> >
> > we just directly add nfs/ SPN in 'Figure 5 Check SPNs in AD'.
> > and we no longer need ''ktpass.exe -mapUse' in another document:
> > http://doc.isilon.com/ECS/3.3/AdminGuide/ecs_t_file_access_confgure_kerberos.html
> > http://doc.isilon.com/ECS/3.7/AdminGuide/GUID-2018CF69-5F1E-4F3A-BA90-3659F85DE415.html
> >
> > and then 'mount.nfs4 -o sec=krb5' works in rocky linux 9.1.
>
> I test more case with different nfs server / nfs client version.
>
> SPN host/
> 'realm join' auto create
> SPN nfs/
> setspn.exe -S nfs/T3610 T3610; setspn.exe -S nfs/T3610.e16-tech.com T3610
>
> 'kinit -k nfs/[email protected]' no need to work
> 'kinit -k host/[email protected]' no need to work.
>
> el9: rocky linux 9.1
> el8: oracle linux 8.6
> el7: centos 7.9
>
> nfs-server/el9 nfs-client OK/el7, *1/el8, OK/el9
> nfs-server/el8 nfs-client OK/el7, *1/el8, *1/*2/el9
> nfs-server/el7 nfs-client OK/el7, OK/el8, *1/*2/el9
> *1 Permission denied
sssd-ad/winbind-ad do not need rDNS.
but for nfs sec=krb5, we need rDNS to work.
here there is not only cables that connect to the switch, but also some cables
that directly connect to another server.
> *2 Invalid argument # when kernel 5.15 in nfs-server, kerenl 6.1 in nfs-client
rpc-gssd.service maybe NOT running.
we need 'systemctl enable --now nfs-client.target'
#vendor preset: disabled@el9, enabled@el7/el8
Now sec=krb5 works well here.
Best Regards
Wang Yugui ([email protected])
2023/01/23
>
> nfs-utils version: 1.3.0/el7, 2.3.3/el8, 2.5.4/el9
> kernel: same 5.15.y/6.1.y on el9/el8/el7
>
> Best Regards
> Wang Yugui ([email protected])
> 2023/01/23