From: "William A. (Andy) Adamson"
Subject: Re: can not start NFSv4 with Kerberos 5
Date: Tue, 3 Apr 2007 09:18:33 -0400
Message-ID: <89c397150704030618iee707a8v24b1cbeb0dd72502@mail.gmail.com>
In-Reply-To: <1175602407.4063.51.camel@localhost.localdomain>
To: Phillip
Cc: nfs@lists.sourceforge.net
List-Id: "Discussion of NFS under Linux development, interoperability, and testing."

On 4/3/07, Phillip <phuang@plasmon.cn> wrote:
> Andy,
>
> Thanks for your kind reply.
>
> As your comment:
> nfs/<your.host>@<YOUR.REALM>
> and I google the following:
> host/hostname@NT-DNS-REALM-NAME
>
> hostname is the host DNS name, for example, foobar.microsoft.com.
> NT-DNS-REALM-NAME is the uppercase name of the Windows 2000 domain; for
> example, RESKIT.COM.

hostname is the dns name of your host. the realm name is the name of your kerberos domain.

> I have two questions:
> 1. What does the above term "host" mean? Hostname of NFS server, or
> service(nfs)?

this is kerberos speak.

a kerberos service name has a "service" component (host, root, nfs, ldap, web, or whatever you want) followed by a "/" and then the dns hostname.

NFSv4 requires that the NFSv4 server Kerberos service name is of the form

nfs/<dnshostname>@<KERBEROS.REALM>

the "host" service name is used by many other servers, but not by NFSv4.

the NFSv4 client keytab name is unspecified. so, if you want you can place a keytab on the client
to be used for NFSv4 - but it is not required.
 

> 2. If I set the IP address in the above "<your.host>" field, is it OK?
> How could I set the DNS name since I could not operate on the DNS
> server?


dns name required.

see
http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html for kerberos setup instructions

and
http://www.citi.umich.edu/projects/nfsv4/linux/    "Instructions" section for other v4 set-up instructions.

-->Andy


> Call me a piggy, but this is just where I am: I'm here for real.
>
> Regards,
> Phillip
>
> On Tue, 2007-04-03 at 07:46 -0400, William A. (Andy) Adamson wrote:
>
>
> On 4/3/07, Phillip < phuang@plasmon.cn> wrote:
>         Hi folks,
>
>         Currently we plan to use NFSV4 with Kerberos:
>         KDC: Windows 2K AD
>
>         NFSv4 server: CentOS 4.4 with 2.6.20 kernel
>         # cat /etc/exports
>         /XFS/NFS4       gss/krb5
>         (rw,fsid=0,insecure,no_root_squash,no_subtree_check,sync)
>
>         Client: CentOS 4.4
>
>         When I use Ktpass to create keytab:
>
>         C:> Ktpass princ administrator/PLASMON.SIT@PLASMON.SIT mapuser
>         administrator -pass admin out unixmachine.keytab
>         C:> Ktpass princ root/PLAMONS.SIT@PLASMON.SIT mapuser root -
>         pass admin
>         out unixmachine_1.keytab
>
>
>         and copy these output keytabs to the NFSv4 server, and then export
>         them with
>         kinit well.
>
>         However, when I attempt to start NFS service, the rpcsvcgssd
>         failed.
>
>         Then I try to execute these below commands
>
>         [root@nfsv4 kevin]# rpc.svcgssd -fvvv
>         ERROR: GSS-API: error in gss_import_name(): An invalid name
>         was supplied
>         - Hostname cannot be canonicalized
>         unable to obtain root (machine) credentials
>         do you have a keytab entry for nfs/<your.host>@<YOUR.REALM >
>         in /etc/krb5.keytab?
>
> as the error message on the server said: you need a keytab of the
> form
>
> nfs/<your.host>@<YOUR.REALM>
>
> the root/<your.host>@<YOUR.REALM> or
> administrator/<your.host>@<YOUR.REALM> won't work.
>
> -->Andy
>
>
>         [root@nfsv4 kevin]# rpc.gssd -fvvv
>         Using keytab file '/etc/krb5.keytab'
>         Processing keytab entry for principal
>         'administrator/PLASMON.SIT@PLASMON.SIT'
>         We will NOT use this entry
>         (administrator/PLASMON.SIT@PLASMON.SIT)
>         Processing keytab entry for principal
>         'root/PLASMON.SIT@PLASMON.SIT'
>         We will NOT use this entry (root/PLASMON.SIT@PLASMON.SIT)
>         ERROR: No usable keytab entries found in keytab
>         '/etc/krb5.keytab'
>         Do you have a valid keytab entry for
>         nfs/<your.host>@<YOUR.REALM> in
>         keytab file /etc/krb5.keytab ?
>         Continuing without (machine) credentials - nfs4 mounts with
>         Kerberos
>         will fail
>         processing client list
>
>
>         Did I make mistakes in creating the keytab?
>
>
>         Please help me fix this issue.
>         Thanks in advance.
>
>         Regards,
>         Phillip
>
>
>
>
>         -------------------------------------------------------------------------
>         Take Surveys. Earn Cash. Influence the Future of IT
>         Join SourceForge.net's Techsay panel and you'll get the chance
>         to share your
>         opinions on IT & business topics through brief surveys-and
>         earn cash
>         http://www.techsay.com/default.php?
>         page=join.php&p=sourceforge&CID=DEVDEV
>         _______________________________________________
>         NFS maillist  -  NFS@lists.sourceforge.net
>         https://lists.sourceforge.net/lists/listinfo/nfs
>
>
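As an added example (not part of the thread), a small Python check that applies the naming rule Andy gives above to the principals in a keytab listing: it reads `klist -k` style text and flags entries whose service component is not `nfs`, whose hostname slot holds an IP address or the realm name (as in Phillip's `administrator/PLASMON.SIT` and `root/PLASMON.SIT` entries), or whose hostname is not a fully qualified DNS name. The sample listing and the hostname `nfsv4.plasmon.sit` are constructed, and the check approximates the rule as stated in the thread rather than rpc.svcgssd's actual code.

```python
import ipaddress
import re

# Constructed sample in the layout of `klist -k /etc/krb5.keytab` output. The first two
# principals are the ones rpc.gssd rejected in the thread; the last two are hypothetical.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   3 administrator/PLASMON.SIT@PLASMON.SIT
   3 root/PLASMON.SIT@PLASMON.SIT
   2 nfs/192.0.2.10@PLASMON.SIT
   2 nfs/nfsv4.plasmon.sit@PLASMON.SIT
"""

# Lowercase, fully qualified DNS name: at least one dot, no leading/trailing hyphens.
FQDN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

def parse_principal(principal):
    """Split service/instance@REALM (backslash escapes are not handled)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"no realm in {principal!r}")
    service, _, instance = name.partition("/")
    return service, instance, realm

def check_nfs_principal(principal):
    """Return (usable, reason) under the rule nfs/<dnshostname>@<KERBEROS.REALM>."""
    service, instance, realm = parse_principal(principal)
    if service != "nfs":
        return False, f"service component is {service!r}; the NFSv4 server needs 'nfs'"
    try:
        ipaddress.ip_address(instance)
        return False, "hostname component is an IP address; a DNS name is required"
    except ValueError:
        pass  # not an IP literal, so keep checking it as a hostname
    if instance.upper() == realm:
        return False, "hostname component is the realm, not the server's DNS hostname"
    if not FQDN_RE.fullmatch(instance):
        return False, "hostname component is not a lowercase fully qualified DNS name"
    return True, "matches nfs/<dnshostname>@<KERBEROS.REALM>"

def audit_keytab_listing(listing):
    """Map each principal in klist -k style output to its (usable, reason) verdict."""
    verdicts = {}
    for line in listing.splitlines():
        m = re.fullmatch(r"\s*\d+\s+(\S+)\s*", line)
        if m:
            verdicts[m.group(1)] = check_nfs_principal(m.group(1))
    return verdicts
```

Run it on the output of `klist -k` before starting rpc.svcgssd; only an entry reported as usable will be picked up as the server's machine credential.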

