Mounting NFS3 using Kerberos and AD

I've got a Linux server (Centos 5.6) that needs to automount home directories from a Windows (Server 2008) NFS share using Kerberos. The share mounts (with the nobody user and group) if authentication is turned off. However, if the -o sec=krb5 flag is passed, I get mount.nfs: permission denied.

As root, I used kinit to get a ticket, and klist tells me that it's a valid ticket. Googling the error didn't give much, as it seems to be a bit of a catch-all. Nothing useful was found in any of the logs I looked in. Root access is set to allowed on the Windows share.

Because of the sharing from Windows thing, a lot of the resources saying to change server settings don't apply as directly.

Any ideas for getting this to work?


Solution 1:

The thing that's caught me out - and looks to be the problem you're having - is that root doesn't use ... whatever you get from kinit.

It uses /etc/krb5.keytab, which you can list with klist -kt. Depending on which version of OS you have, it either needs a host service principal or - for older versions - needs an nfs service principal.

net ads join and net ads keytab create will do the first part - creating the host keytab. For RHEL 5 I'm pretty sure you need to create an nfs Service Principal on your client, to allow it to access the NFS resource. I would assume the same is true of Centos 5.6, but I'm not 100% sure. I can't give you instructions off the top of my head - I'll have a look and see if I can find more detail. (I've done it, and it definitely works this way on RHEL, but it's long enough ago that if I quoted the instructions, I'd get it wrong).

You can troubleshoot by firing up rpc.gssd -f -vvv
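As an added diagnostic helper (not part of the answer above), this shell snippet parses the output of klist -kt and reports whether the host/ and nfs/ service principals that rpc.gssd needs for a sec=krb5 mount are present in the client keytab; the client name, realm and sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a 'klist -kt' listing
# for the principals a Kerberos NFS client needs: host/<fqdn>@REALM (newer
# clients) and nfs/<fqdn>@REALM (RHEL/CentOS 5 style clients).

# keytab_has_principal LISTING SERVICE FQDN REALM
# Returns 0 when LISTING (klist -kt output) contains SERVICE/FQDN@REALM.
keytab_has_principal() {
    listing=$1; service=$2; fqdn=$3; realm=$4
    printf '%s\n' "$listing" | awk -v want="$service/$fqdn@$realm" '
        # The principal is the last field of each entry line; the header
        # and separator lines never equal a full principal name.
        NF >= 3 && $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_keytab LISTING FQDN REALM
# Prints which principals are present; returns 0 only when the nfs/
# principal (the one a CentOS 5 client is missing most often) exists.
check_keytab() {
    listing=$1; fqdn=$2; realm=$3
    status=0
    for svc in host nfs; do
        if keytab_has_principal "$listing" "$svc" "$fqdn" "$realm"; then
            echo "ok:      $svc/$fqdn@$realm present in keytab"
        else
            echo "missing: $svc/$fqdn@$realm"
            [ "$svc" = nfs ] && status=1
        fi
    done
    return $status
}

# Constructed sample of 'klist -kt' output for a client joined with
# 'net ads join' and 'net ads keytab create' but without an nfs/ principal.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/01/11 10:22:01 host/client.example.com@EXAMPLE.COM
   3 06/01/11 10:22:01 CLIENT$@EXAMPLE.COM'

# On a real client (placeholder realm):
#   check_keytab "$(klist -kt)" "$(hostname -f)" EXAMPLE.COM
```

Run it as root on the client before retrying the mount; a "missing: nfs/..." line points at the keytab rather than at the ticket cache obtained with kinit.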