Comments on "What I Know About Linux That You May Not Know: How to configure nfsv4 with kerberos in RHEL?"
Blog author: Sadique Puthen

Anonymous (2017-08-27):
Nice blog. Thanks for sharing the information.

Sadique Puthen (2013-08-01 22:56):
Can both the NFS server and the client see the user with the same uid/gid (getent passwd user), and are the files owned by that uid/gid on the NFS server?

PRAJITH (2013-08-01 13:52):
Hi,

I have been trying to configure an NFS server with LDAP and Kerberos, and I have almost completed it. But while mounting the filesystem on a Kerberized NFS client, the users and groups are always nobody and nogroup, so I can't write anything in the NFS filesystem. I am sure idmapd is working fine. Could you please help on this.

Sadique Puthen (2009-04-24 02:05):
I am shooting in the dark since I don't know how Sun Grid Engine or Platform LSF work and what their requirements are!

What root needs to access an NFS export secured via Kerberos is a valid credentials cache. If root can do "kinit user" and get a ticket using the user's password, he can access the NFS share.

If the application can understand a variable from which to read the Kerberos cache, you can create the cache and pass the path to the cache as the value of the variable. See my last comment!

Jeroen (2009-04-24 00:41):
Thanks for the tutorial, but I do have a simple question and I've yet to find a good solution to it.

In a secure setup with NFS4 and Kerberos, user root can't 'su -' to a user and thus cannot access its home directory. This is all good and well, but what would the solution be to export a filesystem with applications (say, for example, Sun Grid Engine or Platform LSF) that need to be run as root? In a default setup, root is squashed away if Kerberos security is used in the mount options.

How can you selectively permit the (system) root account of a single (or several) system(s) to access an NFS4 export with krb5 security enabled? I've read much of the CITI documentation but I've yet to find a good howto/FAQ on it that has actually been implemented. (I believe Fedora Core with the latest nfs-utils should be able to use umich_ldap in idmapd.conf, but documentation and examples are still lacking.)

Any ideas?

Regards,

Jeroen

Sadique Puthen (2009-04-18 03:02):
Weiyi,

Not sure how useful the below is going to be.

- Extract a user's password to a keytab. I am taking kerberos4 as an example username.

    # kadmin
    Authenticating as principal root/admin@PNQ.REDHAT.COM with password.
    Password for root/admin@PNQ.REDHAT.COM:
    kadmin: ktadd kerberos4
    Entry for principal kerberos4 with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal kerberos4 with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal kerberos4 with kvno 2, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal kerberos4 with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
    kadmin:

    # klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 kerberos4@PNQ.REDHAT.COM
       2 kerberos4@PNQ.REDHAT.COM
       2 kerberos4@PNQ.REDHAT.COM
       2 kerberos4@PNQ.REDHAT.COM

- Then export the NFS service principal and the above ticket to a file.

    # kinit -k -c /tmp/krb5cc_uid -S nfs/fqdn@REALM kerberos4@REALM

E.g. /tmp/service in my system is as below:

    [root@dhcp7-136 ~]# klist /tmp/krb5cc_uid
    Ticket cache: FILE:/tmp/krb5cc_uid
    Default principal: kerberos4@PNQ.REDHAT.COM

    Valid starting     Expires            Service principal
    04/18/09 15:21:50  04/19/09 15:21:50  nfs/dhcp6-224.pnq.redhat.com@PNQ.REDHAT.COM
            renew until 04/18/09 15:21:50

- Pass the below in an environment variable to the *daemon* before starting it, maybe as below. Or start the service with the privileges of that username.

    export KRB5CCNAME=/tmp/krb5cc_uid

- Set up a cron job which should run 5 minutes before the ticket expires, i.e. once a day, to run the above command:

    # kinit -k -c /tmp/krb5cc_uid -S nfs/fqdn@REALM kerberos4@REALM

I don't know how well this would work for Kerberos, but I am using a configuration like this in /etc/init.d/nscd so that it would authenticate via nss_ldap against AD using the tickets. Good luck!

Weiyi (2009-04-17):
Thanks for this tutorial. How do you overcome the Kerberos ticket expiration problem? Without Kerberos ticket auto-renew, a daemon cannot be left running with NFS v4 access...

Anonymous (2009-04-03):
This tutorial is a huge help. Thanks for writing it out in one page. It helped me a lot.