[OmniOS-discuss] nfs server with kerberos

Natxo Asenjo natxo.asenjo at gmail.com
Fri Apr 12 06:21:33 EDT 2013


hi,

is nfs with sec=krb5 (krb5i/krb5p, whatever), supposed to work with omnios?

I have been banging my head for a few evenings trying to get this to work,
but unfortunately to no avail. It is probably because of me ;-)

So I have this omnios vm that I have set up to use an ldap server with
ldapclient init, and that works great. I can see all the users in ldap.

Then I edited /etc/nfssec.conf and uncommented all the krb5 lines at the
end.

Then I created a host and nfs service principal, exported the keytabs and
merged them into one principal:

root at testomnios:~# klist -k -e
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)

I can kinit with the keytab to both principals

root at testomnios:~# kinit -k
root at testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX

Valid starting                Expires                Service principal
04/12/13 11:56:07  04/13/13 11:56:07  krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX
        renew until 04/19/13 11:56:07
root at testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx
root at testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX

Valid starting                Expires                Service principal
04/12/13 11:56:28  04/13/13 11:56:28  krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX
        renew until 04/19/13 11:56:28

But at the moment of truth, when I need to share the dataset:

root at testomnios:~# share -F nfs -o sec=krb5 -d "homedirs" /export/home/
Could not share: /export/home: invalid security type

# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

But without sec=krb5 (krb5i, krb5p, all 3, whatever), it works a treat:

root at testomnios:~# zfs set sharenfs=rw=@192.168 rpool/export/home
root at testomnios:~# zfs get sharenfs
NAME                       PROPERTY  VALUE        SOURCE
rpool                      sharenfs  off          default
rpool/ROOT                 sharenfs  off          default
rpool/ROOT/omnios          sharenfs  off          default
rpool/ROOT/omnios at install  sharenfs  -            -
rpool/ROOT/omniosvar       sharenfs  off          default
rpool/dump                 sharenfs  -            -
rpool/export               sharenfs  off          default
rpool/export/home          sharenfs  rw=@192.168  local

Any insights greatly appreciated.

TIA,
Natxo

--
Groeten,
natxo


On Mon, Apr 1, 2013 at 11:10 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:

> hi,
>
> in a test lab I have joined an omnios vm to an ipa (kerberos/ldap) domain.
>
> this is the omnios version:
>
> # uname -a
> SunOS testomnios 5.11 omnios-df542ea i86pc i386 i86pc Solaris
>
> Kerberos authentication works and I can use ldap to search users, getent
> passwd etc works fine.
>
> I have created an nfs service principal name for the host and added them
> to the system's keytab:
>
> # klist -k
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>    2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX
>
> I have followed the docs here:
> http://docs.oracle.com/cd/E23824_01/html/821-1456/setup-97.html
>
> the file /etc/nfssec.conf looks like this:
>
> # default security mode is defined at the end.  It should be one of
> # the flavor numbers defined above it.
> #
> none            0       -       -       -       # AUTH_NONE
> sys             1       -       -       -       # AUTH_SYS
> dh              3       -       -       -       # AUTH_DH
> #
> # Uncomment the following lines to use Kerberos V5 with NFS
> #
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
>
> default         1       -       -       -                       # default is AUTH_SYS
>
> and finally I try sharing the homedirs but I get this error:
>
> # share -F nfs -o sec=krb5:krb5i:krb5p /export/home
> Could not share: /export/home: invalid security type
>
> # svcs -l nfs/server
> fmri         svc:/network/nfs/server:default
> name         NFS server
> enabled      true
> state        online
> next_state   none
> state_time   Mon Apr  1 23:06:09 2013
> logfile      /var/svc/log/network-nfs-server:default.log
> restarter    svc:/system/svc/restarter:default
> contract_id  96
> dependency   require_any/error svc:/milestone/network (online)
> dependency   require_all/error svc:/network/nfs/nlockmgr (online)
> dependency   optional_all/error svc:/network/nfs/mapid (online)
> dependency   require_all/restart svc:/network/rpc/bind (online)
> dependency   optional_all/none svc:/network/rpc/keyserv (online)
> dependency   optional_all/none svc:/network/rpc/gss (online)
> dependency   optional_all/none svc:/network/shares/group (multiple)
> dependency   optional_all/none svc:/system/filesystem/reparse (online)
> dependency   require_all/error svc:/system/filesystem/local (online)
>
> How can I troubleshoot this? I'm learning a lot about solaris, but still a
> newbie.
>
> TIA,
> --
> Groeten,
> natxo
>
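As an added example that is not part of this thread, here is a small checker for the /etc/nfssec.conf table quoted above: it parses the five-column flavor table and reports which flavors named in a `share -o sec=...` option are not enabled. The sample tables are constructed; the poster's file already has the krb5 lines uncommented, so against such a file the check comes back empty and only rules out a commented-out flavor as the cause of "invalid security type".

```python
"""Check which NFS security flavors named in a 'share -o sec=...' option are
enabled in an /etc/nfssec.conf-style table. Added example, not from the thread;
it assumes the quoted file's five columns: name, number, GSS mechanism, GSS
quality, GSS service ('-' = not applicable; a leading '#' disables the line)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class NfsSecFlavor:
    name: str
    number: int
    mechanism: str  # "kerberos_v5" for the RPCSEC_GSS flavors, else "-"
    quality: str    # GSS quality of protection, "default" or "-"
    service: str    # "-", "integrity" (krb5i) or "privacy" (krb5p)

def parse_nfssec(text: str) -> Dict[str, NfsSecFlavor]:
    """Return the enabled flavors keyed by name; commented lines are skipped."""
    flavors: Dict[str, NfsSecFlavor] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments, whole-line ones too
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or not fields[1].isdigit():
            raise ValueError(f"malformed nfssec.conf line: {raw!r}")
        name, number, mech, qop, svc = fields
        flavors[name] = NfsSecFlavor(name, int(number), mech, qop, svc)
    return flavors

def missing_flavors(sec_option: str, flavors: Dict[str, NfsSecFlavor]) -> List[str]:
    """List the flavors in 'sec=krb5:krb5i:krb5p' (or bare 'krb5') not enabled."""
    value = sec_option[4:] if sec_option.startswith("sec=") else sec_option
    return [flavor for flavor in value.split(":") if flavor not in flavors]

# Constructed sample: the stock table with the Kerberos lines still commented out.
STOCK_NFSSEC = """\
none    0       -       -       -                       # AUTH_NONE
sys     1       -       -       -                       # AUTH_SYS
dh      3       -       -       -                       # AUTH_DH
#krb5   390003  kerberos_v5     default -               # RPCSEC_GSS
#krb5i  390004  kerberos_v5     default integrity       # RPCSEC_GSS
#krb5p  390005  kerberos_v5     default privacy         # RPCSEC_GSS
default 1       -       -       -                       # default is AUTH_SYS
"""
# The same table after uncommenting the three Kerberos lines, as in the thread.
KRB5_NFSSEC = STOCK_NFSSEC.replace("\n#krb5", "\nkrb5")
```

Feed it the real file with `parse_nfssec(open("/etc/nfssec.conf").read())`; an empty result from `missing_flavors` means the requested flavors are at least defined, so the cause lies elsewhere (the keytab, the gss service, or the share options).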