Kerberos and NFS V4 Configuration
Kevin Coffman
kwc at citi.umich.edu
Thu Oct 12 13:39:08 EDT 2006
This is probably best discussed on nfsv4 at linux-nfs.org
(http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4)
Enabling verbose output from rpcgssd (-vvv) on the Linux client might
give a hint to the problem.
K.C.
On 10/12/06, Keagle, Chuck <chuck.keagle at boeing.com> wrote:
> Here is one we would like to figure out how to resolve or work around.
>
> The KDC is running on AIX Major Release 3.
>
> Kerberos is used to access data on NFS V3 and NFS V4 file
> systems.
>
> Exported filesystems are also on AIX 3.
>
> AIX-specific Process Group Authentication maps NFS V4 encryption
> keys and Kerberos keys together.
>
> Other AIX systems allow access to NFS V3, NFS V4 unencrypted,
> and NFS V4 encrypted data.
>
> In setting up RedHat RHEL WS 4.3 to access Kerberos controlled data
> from the AIX KDC, NFS V3 and NFS V4 unencrypted mounts become
> accessible.
>
> When trying to mount over NFS V4 with encryption, the mount options are:
>
> rw,hard,intr,proto=tcp,port=xxxx,sec=krb5,noauto 0 0
> Note that the xxxx represents the correct port number.
>
> When trying to mount a file system from the KDC on RHEL WS 3.4, the
> following error appears:
>
> mount: block device hostname:/filesystem is write-protected,
> mounting read-only
> mount: cannot mount block device hostname:/filesystem read-only
> Note that hostname and filesystem represent other correct but
> sensitive information.
>
> I'm wondering if this is stumbling over that AIX-specific Process
> Authentication Group issue between Kerberos encryption and NFS V4
> encryption. Is there a way to overcome this? Hopefully just on the
> client. If changes have to also be made on KDC, it will be a tough
> road.
>
> Thanks.
>
> ----
> Not all who wander are lost.
>
> | ---- ___o | chuck.keagle at boeing.com
> Chuck Keagle | ------- \ <, | Work: (425) 865-1488
> Enterprise Servers: HPC | ----- ( )/ ( ) | Cell: (425) 417-3434
> http://card.web.boeing.com/Webcard.cfm?id=73990