Windows 7 NFS Client Using Kerberos and Linux KDC
I am trying to configure a Windows 7 Enterprise client to mount a NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC.
The setup is:
- IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-server)
- NFS Server (OS: Scientific Linux 6.4, Pkg: nfs-utils)
- Windows 7 Client (OS: Enterprise 64-bit, Feature: Client for NFS)
Steps:
-
On IPA Server, create a principal for the windows client, with a password:
ipa host-add --ip-address=10.10.0.100 win7ent-client.contoso.com ipa-getkeytab -s ipa.contoso.com -p host/win7ent-client.contoso.com -k win7ent-client.keytab -P ^ | This will create a principal and register the client with IPA server Set a random password - e.g. - jU96e3Urp6
Add NFS service for the client:
ipa service-add nfs/win7ent-client.contoso.com
-
On the Windows client:
ksetup /setdomain CONTOSO.COM ksetup /setmachpassword <password set on step 1> ksetup /addrealmflags CONTOSO.COM sendaddress delegate ksetup /mapuser * *
Reboot Windows Client
Run:
ksetup.exe /DumpState
This shows the current configuration:
default realm = CONTOSO.COM (external) CONTOSO.COM: (no kdc entries for this realm) Realm Flags = 0x5 SendAddress Delegate Mapping all users (*) to a local account by the same name (*).
On the Windows client create a local user, a password is not necessary, with a name that exists on the IPA server. Or else you'll get the error - 1332: No mapping between account names and security IDs was done
Test that you can get a ticket as the user:
runas /user:[email protected] cmd
In the new command window, run:
klist
This will output the current ticket info:
Current LogonId is 0:0x6c70e
Cached Tickets: (1) #0> Client: joe @ CONTOSO.COM Server: krbtgt/CONTOSO.COM @ CONTOSO.COM KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize Start Time: 2/22/2014 5:22:07 (local) End Time: 2/23/2014 5:22:07 (local) Renew Time: 3/1/2014 5:22:07 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96
-
NFS Server Configuration
mkdir -p /winshare/joe chown -R joe:joe/winshare/joe exportfs -o rw,sec=krb5 *:/winshare/joe
When trying to mount the share above on the Windows client:
mount -o sec=krb5 nfs.contoso.com:/winshare/joe E:
I get the following error:
Network Error - 121
Type 'NET HELPMSG 121' for more information.
C:\Windows\system32>NET HELPMSG 121
The semaphore timeout period has expired.
Attempt to use ms-nfs41-client-x64 also fails:
C:\Users\joe\Desktop\ms-nfs41-client-x64>nfs_mount.exe -o sec=krb5 * nfs.contoso.com:/winshare/joe
WNetUseConnection(*:, \\nfs.contoso.com\winshare\joe) failed with error code 1231.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
- NFS share using sec=sys works
- Logging in to the Windows-7 client as joe works.
- Putty to NFS server after Windows logging works (as long as you install MIT Kerberos client for windows first).
The only thing that doesn't work is NFS when using Kerberos.
Solution 1:
As far as I know this step is likely not needed:
Add NFS service for the client:
ipa service-add nfs/win7ent-client.contoso.com
You need nfs service for a server.
If you are sure that you need nfs service for Windows client, then very likely it should use exactly the same password as the host principal for that client.
Additionally: have you enabled secure nfs on the server? I don't remember specifics as I moved to CentOS 7 looong ago (systemctl (enable|start) nfs-secure are your friends there), but I think you should look for this in /etc/sysconfig/nfs.