[31717] in Kerberos


kerberos/nfs problems: unmatched host

daemon@ATHENA.MIT.EDU (Chantal Rosmuller)
Mon Nov 23 02:05:47 2009

From: Chantal Rosmuller <chantal@antenna.nl>
To: kerberos <kerberos@mit.edu>
Date: Mon, 23 Nov 2009 08:04:49 +0100
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200911230804.49793.chantal@antenna.nl>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Hi list,

I can't get Kerberos and NFS working on my CentOS 5.4 test servers.

This is the error I get: Nov 22 11:14:54 nfsserver mountd[3155]: refused mount 
request from 172.16.153.128 for /export/data (/export/data): unmatched host

Does it have something to do with DNS?

here's what I did:

SETUP

nfsserver.domein.nl 172.16.153.129 (vmware guest)
nfsclient.domein.nl 172.16.153.128 (vmware guest)
realm : DOMEIN.NL

SERVER


* get time right with ntpd

* disable firewall

* install packages  

yum install krb5-libs krb5-server  krb5-workstation

* edit /etc/hosts

172.16.153.129 nfsserver.domein.nl
127.0.0.1		nfsserver localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
172.16.153.128 nfsclient.domein.nl

* edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMEIN.NL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMEIN.NL = {
  kdc = nfsserver.domein.nl:88
  admin_server = nfsserver.domein.nl:749
  default_domain = domein.nl
 }

[domain_realm]
 .domein.nl = DOMEIN.NL
 domein.nl = DOMEIN.NL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

* edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 DOMEIN.NL = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

* edit /var/kerberos/krb5kdc/kadm5.acl

*/admin@DOMEIN.NL	*

* start services

/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

* create database:

/usr/kerberos/sbin/kdb5_util create -s

* add root principal

addprinc root/admin

* add host principal

addprinc host/nfsserver.domein.nl

* add nfs principal

addprinc nfs/nfsserver.domein.nl

* add client host and nfs principal

addprinc host/nfsclient.domein.nl
addprinc nfs/nfsclient.domein.nl

* add keys

ktadd host/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl

* edit /etc/sysconfig/nfs

SECURE_NFS="yes"

* edit /etc/idmap.conf

Domain = domein.nl

* edit /etc/exports

/export      gss/krb5(sync,rw,fsid=0)

* restart nfs

/sbin/service nfs restart

CLIENT

* get time right with ntpd

* disable firewall

* install packages  

yum install krb5-libs pam_krb5  krb5-workstation

* edit /etc/hosts

172.16.153.128 nfsclient.domein.nl
127.0.0.1		nfsclient nfsclient localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
172.16.153.129 nfsserver.domein.nl

* copy /etc/krb5.conf from nfsserver

* login with kadmin

* add keys

ktadd host/nfsclient.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl
ktadd -e des-cbc-crc:normal nfs/nfsclient.domein.nl

* mount

[root@nfsclient ~]# mount -t nfs -o sec=krb5 nfsserver.domein.nl:/ /mnt
mount: nfsserver.domein.nl:/ failed, reason given by server: Permission denied

SERVER

* tail /var/log/messages

Nov 22 11:40:42 nfsserver mountd[3155]: refused mount request from 172.16.153.128 for / (/): unmatched host

* More logging:

[root@nfsserver ~]# rpc.gssd -fvvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
Processing keytab entry for principal 'nfs/nfsserver.domein.nl@DOMEIN.NL'
We will use this entry (nfs/nfsserver.domein.nl@DOMEIN.NL)
Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_DOMEIN.NL'

I have no idea what I am doing wrong here, I reinstalled kerberos/nfs a lot of 
times and checked a lot of howtos..........
Does anyone have any idea? Can it have anything to do with the fact that they 
are vmware guests and I use NAT networking or did I do something wrong in the 
configuration?




