2.2 Make sure the firewall allows port 88 (the KDC, TCP and UDP) and port 749 (kadmin, TCP), then reload the firewall rules.
2.3 Create Kerberos Principals:

Run kadmin on the client console. The principal nfs/client.example.com must already exist in the KDC (for example created with addprinc -randkey); ktadd then writes its key into the client's /etc/krb5.keytab:

Raw

[root@client ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: ktadd -e des-cbc-crc:normal nfs/client.example.com

The -e des-cbc-crc:normal in this example forces a single-DES key because early rpcsec_gss_krb5 kernel modules (RHEL 5 era) supported nothing stronger. Single DES is broken and its Kerberos enctypes are deprecated by RFC 6649; MIT Kerberos 1.8 and later refuse to use it unless allow_weak_crypto = true is set in krb5.conf. On a kernel whose rpcsec_gss_krb5 supports AES, drop the -e option so the keytab entry takes the KDC's default enctypes.

Configuring Kerberos for NFSv4 on the Kerberized NFSv4 server (this assumes NFSv4 is already installed there):

3.1 Create the NFSv4 pseudo-root and bind the real path under it. An NFSv4 server exports one pseudo filesystem (the export marked fsid=0); /export is used as that root here. To export the real /data directory, create /export/data and bind-mount /data onto it. The 1777 mode below (world-writable with the sticky bit) is broader than a pseudo-root that only holds bind mounts needs; 0755 is sufficient and stops any authenticated user from creating entries at the top of the export.

Raw

[root@server /]# mkdir -m 1777 /export
[root@server /]# mkdir /export/data
[root@server /]# mount -n --bind /data /export/data

3.2 Add the following lines to /etc/exports. The gss/krb5 pseudo-client form used here is the old syntax, now marked deprecated in exports(5); the current equivalent is a sec=krb5 option in the client's option list (for example /export *(sec=krb5,...)). krb5 authenticates the user only, krb5i additionally integrity-protects the RPC payload and krb5p encrypts it; the flavour named in the export is the one clients may request with mount -o sec= :

Raw

/export      gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
/export/data gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
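The two export lines above authenticate users but leave the NFS traffic itself unprotected, and any entry without a security flavour falls back to AUTH_SYS. The following checker is an added example, not part of the original article: it parses an exports file, works out which security flavours each entry allows (old gss/ pseudo-client syntax or the sec= list) and reports the weakest one a client could negotiate. The sample file is constructed for the example; the /export/secure, /export/mixed and /export/legacy entries are hypothetical and only illustrate the cases the checker distinguishes.

```python
import re
from dataclasses import dataclass

# Constructed sample /etc/exports: the two lines from the article plus three
# hypothetical exports showing the other cases the checker distinguishes.
SAMPLE_EXPORTS = """\
# pseudo-root and bind-mounted data, old-style gss/ pseudo-client syntax
/export      gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
/export/data gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
# hypothetical: current sec= syntax, privacy-protected
/export/secure *.example.com(sec=krb5p,rw,sync,no_subtree_check)
# hypothetical: sec= list that still lets a client negotiate AUTH_SYS
/export/mixed  10.0.0.0/8(sec=sys:krb5p,rw,sync,no_subtree_check)
# hypothetical: no sec= option at all, so the default AUTH_SYS applies
/export/legacy 192.168.1.0/24(rw,sync,no_subtree_check)
"""

# One "client(options)" entry, e.g. "*.example.com(sec=krb5p,rw)"; options are optional.
CLIENT_RE = re.compile(r"^(?P<client>[^(\s]+)(?:\((?P<opts>[^)]*)\))?$")


@dataclass
class Finding:
    severity: str      # "FAIL", "WARN" or "OK"
    path: str
    client: str
    flavours: tuple    # security flavours the entry allows, strongest is not first
    message: str


def parse_exports(text):
    """Yield (path, client, [options]) for every entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for entry in clients:
            m = CLIENT_RE.match(entry)
            if m is None:
                raise ValueError(f"cannot parse export entry {entry!r} for {path}")
            opts = m.group("opts")
            yield path, m.group("client"), opts.split(",") if opts else []


def security_flavours(client, options):
    """Return (flavours, deprecated_syntax) for one export entry.

    The old 'gss/<flavour>' pseudo-client form names exactly one flavour; the
    current form is a 'sec=' option holding a colon-separated list.  With no
    sec= option at all the export defaults to AUTH_SYS ("sys").
    """
    if client.startswith("gss/"):
        return (client[4:],), True
    for opt in options:
        if opt.startswith("sec="):
            return tuple(opt[4:].split(":")), False
    return ("sys",), False


def audit_exports(text):
    """Rate every export entry by the weakest flavour a client may negotiate."""
    findings = []
    for path, client, options in parse_exports(text):
        flavours, deprecated = security_flavours(client, options)
        if "sys" in flavours or "none" in flavours:
            sev, msg = "FAIL", "AUTH_SYS/AUTH_NONE allowed: server trusts client-supplied uid/gid"
        elif "krb5" in flavours:
            sev, msg = "WARN", "krb5 authenticates the user only; RPC payloads are neither integrity- nor privacy-protected"
        elif "krb5i" in flavours:
            sev, msg = "WARN", "krb5i protects integrity but file data crosses the wire in clear"
        elif "krb5p" in flavours:
            sev, msg = "OK", "krb5p: authentication, integrity and privacy"
        else:
            sev, msg = "FAIL", f"unknown security flavours {flavours}"
        if deprecated:
            msg += f"; deprecated gss/ syntax, rewrite as {path} *(sec={flavours[0]},...)"
        findings.append(Finding(sev, path, client, flavours, msg))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.severity:4} {f.path:15} {f.client:22} {f.message}")
```

Running the script on the sample reports the article's two entries as WARN (krb5 only, deprecated syntax), /export/secure as OK, and the two hypothetical entries that admit AUTH_SYS as FAIL. Point it at a real file with audit_exports(open("/etc/exports").read()).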

3.3 Edit /etc/idmapd.conf so that it looks like this (the Domain value must be the same on client and server, otherwise ownership shows up as nobody):

Raw

[root@server /]# cat /etc/idmapd.conf
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]

Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch

3.4 Set SECURE_NFS=yes in /etc/sysconfig/nfs so that the RPCSEC_GSS daemons (rpc.svcgssd on the server, rpc.gssd on the client) are started together with the NFS services:

Raw

SECURE_NFS=yes

After restarting the NFS services, the server accepts mounts that authenticate with Kerberos over RPCSEC_GSS.

Testing :

On the client, mount the server's export with the Kerberos security flavour:

Raw

# mount -t nfs4 -o sec=krb5 server.example.com:/ /mnt/my_nfs_mount_point

Now create files in /data on the server and check that they appear under /mnt/my_nfs_mount_point on the client. The mount itself is authenticated with the nfs/client.example.com key from the client's keytab; individual users must hold a Kerberos ticket (kinit) before they can access the files. Use sec=krb5i or sec=krb5p instead of sec=krb5 when the data must be integrity-protected or encrypted on the wire; the export on the server has to list that flavour, otherwise the mount is refused.

Note: on the server, the running NFS daemons look like this:

Raw

[root@server /]# service nfs status
rpc.svcgssd (pid 8974) is running...
rpc.mountd (pid 8994) is running...
nfsd (pid 8991 8990 8989 8988 8987 8986 8985 8984) is running...
rpc.rquotad (pid 8979) is running...

Root Cause

By default, NFS clients and servers authenticate users with AUTH_SYS (also called AUTH_UNIX).
AUTH_SYS is defined in RFC 1831 (http://www.ietf.org/rfc/rfc1831.txt), Appendix A: the credential carries the client's uid, gid and a variable-length array of supplementary gids declared as gids<16>, so at most 16 groups fit, which is the origin of the 16-group limitation. The server simply trusts these client-supplied values.
NFSv4 requires support for RPCSEC_GSS (RFC 2203). With the Kerberos mechanism the server identifies the user from the authenticated principal and resolves group membership itself from its own user database, so the 16-group limit of the AUTH_SYS credential no longer applies.
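To make the root cause concrete, the following added example (not part of the original article) encodes and decodes the AUTH_SYS credential body exactly as RFC 1831 Appendix A lays it out in XDR: stamp, machinename, uid, gid and the gids<16> array, wrapped in an opaque_auth whose body may not exceed 400 bytes. The hostname, uids and gids are constructed sample values; the point is that a credential with more than 16 supplementary groups cannot be expressed at all, so the client has to truncate and the server never learns about the remaining groups.

```python
import struct

AUTH_SYS = 1            # RFC 1831 auth_flavor for AUTH_SYS (AUTH_UNIX)
MAX_AUTH_BYTES = 400    # RFC 1831: opaque_auth body is opaque body<400>
NGRPS = 16              # RFC 1831 Appendix A: unsigned int gids<16>
MAX_MACHINENAME = 255   # RFC 1831 Appendix A: string machinename<255>


def _xdr_u32(value):
    """XDR unsigned int: 4 bytes, big-endian."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit an XDR unsigned int")
    return struct.pack(">I", value)


def _xdr_opaque(data, maxlen):
    """XDR variable-length opaque/string: u32 length, bytes, pad to 4."""
    if len(data) > maxlen:
        raise ValueError(f"{len(data)} bytes exceeds XDR bound of {maxlen}")
    return _xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def encode_authsys_parms(stamp, machinename, uid, gid, gids):
    """Encode the authsys_parms body of an AUTH_SYS credential."""
    if len(gids) > NGRPS:
        raise ValueError(f"AUTH_SYS carries at most {NGRPS} supplementary gids, got {len(gids)}")
    body = (_xdr_u32(stamp)
            + _xdr_opaque(machinename.encode("ascii"), MAX_MACHINENAME)
            + _xdr_u32(uid)
            + _xdr_u32(gid)
            + _xdr_u32(len(gids))
            + b"".join(_xdr_u32(g) for g in gids))
    if len(body) > MAX_AUTH_BYTES:
        raise ValueError(f"credential body of {len(body)} bytes exceeds {MAX_AUTH_BYTES}")
    return body


def encode_opaque_auth(body):
    """Wrap the body as an opaque_auth: flavor followed by body<400>."""
    return _xdr_u32(AUTH_SYS) + _xdr_opaque(body, MAX_AUTH_BYTES)


def decode_authsys_parms(body):
    """Decode an authsys_parms body back into (stamp, machinename, uid, gid, gids)."""
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value

    stamp = u32()
    name_len = u32()
    if name_len > MAX_MACHINENAME:
        raise ValueError("machinename exceeds XDR bound")
    machinename = body[off:off + name_len].decode("ascii")
    off += name_len + (-name_len) % 4
    uid, gid = u32(), u32()
    count = u32()
    if count > NGRPS:
        raise ValueError("gids array exceeds XDR bound of 16")
    gids = [u32() for _ in range(count)]
    return stamp, machinename, uid, gid, gids


def credential_fits(gids, machinename="client.example.com"):
    """True if an AUTH_SYS credential with these supplementary gids can be encoded."""
    try:
        encode_authsys_parms(0, machinename, 0, 0, list(gids))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample values: uid/gid 1000 on client.example.com, two extra groups
    cred = encode_authsys_parms(0, "client.example.com", 1000, 1000, [10, 20])
    print(len(cred), "byte body:", cred.hex())
    print(decode_authsys_parms(cred))
    print("16 gids fit:", credential_fits(range(16)), "| 17 gids fit:", credential_fits(range(17)))
```

With RPCSEC_GSS the credential instead carries a GSS context handle and the Kerberos principal; group membership is never on the wire, which is why the limit disappears rather than merely growing.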

Diagnostic Steps

The following considerations can help to debug problems with the above setup.

Are hosts properly resolved via DNS or /etc/hosts?

Are the expected principals in the keytab? This can be verified with klist -ke.

Are the required services running on client and server?

Have the services been restarted?

Are the required modules loaded? In some cases rpcsec_gss_krb5 was not loaded automatically on RHEL5.

Is showmount -e <server> from the client showing the exports?

It might be useful to configure rpc.gssd for more verbosity, set RPCGSSDARGS=-vvv in /etc/sysconfig/nfs and restart the service.

For NFS client debugging, execute echo 32767 > /proc/sys/sunrpc/nfs_debug (and echo 32767 > /proc/sys/sunrpc/rpc_debug for the RPC layer); set both back to 0 afterwards, as the output is very verbose.

Source: 三五互聯知識庫, "【LINUX】怎樣配置 NFSv4 with kerberos 自動認證" (How to configure NFSv4 with Kerberos authentication on Linux).