From: Trond Myklebust
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Fri, 18 Mar 2005 09:10:32 -0500
Message-ID: <1111155032.28843.15.camel@lade.trondhjem.org>
To: mehta kiran
Cc: Suresh Jayaram, Kevin Coffman, nfs@lists.sourceforge.net
List-Id: Discussion of NFS under Linux development, interoperability, and testing.

On Thu, 17.03.2005 at 23:43 (-0800), mehta kiran wrote:
> On machine running KDC:
> 1.create database using kdb5_util create -s.
> 2.using "kadmin.local" interface
>   addprinc root/admin
>   ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin
>
>   addprinc nfs/vcslinux5.vxindia.veritas.com
>   ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com
>
>   addprinc nfs/vcslinux6.vxindia.veritas.com
>   ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
> 3.At the end do cp /tmp/keytab /etc/krb5.keytab.
> 4.Output of klist -k /etc/krb5.keytab
>
>    2 root/admin@VXINDIA.VERITAS.COM
>    2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
>    2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
>

No. All you want to do is

On machine running KDC:
1.create database using kdb5_util create -s.
2.using "kadmin.local" interface
  addprinc root/admin

  addprinc nfs/vcslinux5.vxindia.veritas.com
  ktadd -e des-cbc-crc:normal -k /tmp/keytab.vclinux5 nfs/vcslinux5.vxindia.veritas.com

  addprinc nfs/vcslinux6.vxindia.veritas.com
  ktadd -e des-cbc-crc:normal -k /tmp/keytab.vclinux6 nfs/vcslinux6.vxindia.veritas.com

Then copy /tmp/keytab.vclinux5 to /etc/krb5.keytab on vclinux5, copy
/tmp/keytab.vclinux6 to /etc/krb5.keytab on vclinux6,...
Then just delete /tmp/keytab.vclinux*

  scp -p /tmp/keytab.vclinux5 vclinux5:/etc/krb5.keytab
  scp -p /tmp/keytab.vclinux6 vclinux6:/etc/krb5.keytab
  rm /tmp/keytab.vclinux5 /tmp/keytab.vclinux6

IOW:
  - Since the KDC is the trusted server that authenticates your
    credentials, you _must_ be using keytabs generated by the KDC on
    each client.
  - The server does not need to have a copy of the keytab.
  - The clients do not need to have a copy of any keytab entry other
    than their own.

Your /etc/krb.conf really needs to be a /etc/krb5.conf, but otherwise,
the entries in your mail looked OK.

Cheers,
  Trond
-- 
Trond Myklebust

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
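
Added example, not part of the original message: a check for the "no keytab entry other than their own" rule above, reading klist -k output and printing every principal that does not belong to the given host. The function names foreign_keytab_entries and sample_klist are hypothetical, and the header lines of the sample listing are constructed; the three entries are the ones from the quoted klist output.

```shell
#!/bin/sh
# Added example: report keytab entries that do not belong to this host.
# Reads `klist -k` output on stdin; $1 is the FQDN of the host being checked.
foreign_keytab_entries() {
    awk -v fqdn="$1" '
        # Entry lines look like "   2 nfs/host.example.com@REALM";
        # the header and separator lines have no numeric KVNO and are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            name = princ
            sub(/@.*$/, "", name)        # strip the realm
            n = split(name, part, "/")   # service / instance
            # An entry is this host'"'"'s own only when it is service/<fqdn>.
            if (n == 2 && tolower(part[2]) == tolower(fqdn)) next
            # klist prints one line per key, so report each principal once.
            if (!seen[princ]++) print princ
        }
    '
}

# Constructed sample: the shared keytab from the quoted message
# (header lines are assumed; the entries come from the mail).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 root/admin@VXINDIA.VERITAS.COM
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
EOF
}

# On a real host:
#   klist -k /etc/krb5.keytab | foreign_keytab_entries "$(hostname -f)"
sample_klist | foreign_keytab_entries vcslinux5.vxindia.veritas.com
```

Run against the shared keytab as vcslinux5, it reports root/admin and the nfs principal for vcslinux6; a keytab built per host as described in the reply produces no output.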