Windows 7 NFS Client Using Kerberos and Linux KDC

I am trying to configure a Windows 7 Enterprise client to mount an NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC.

The setup is:

  • IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-server)
  • NFS Server (OS: Scientific Linux 6.4, Pkg: nfs-utils)
  • Windows 7 Client (OS: Enterprise 64-bit, Feature: Client for NFS)

Steps:

  1. On the IPA server, create a principal for the Windows client, with a password:

    ipa host-add --ip-address=10.10.0.100 win7ent-client.contoso.com
    ipa-getkeytab -s ipa.contoso.com -p host/win7ent-client.contoso.com -k win7ent-client.keytab -P

    This will create a principal and register the client with the IPA server. Set a random password at the -P prompt, e.g. jU96e3Urp6.
    

    Add NFS service for the client:

    ipa service-add nfs/win7ent-client.contoso.com

  2. On the Windows client:

    ksetup /setdomain CONTOSO.COM
    ksetup /setmachpassword <password set in step 1>
    ksetup /addrealmflags CONTOSO.COM sendaddress delegate
    ksetup /mapuser * *
    

    Reboot Windows Client

    Run:

    ksetup.exe /DumpState

    This shows the current configuration:

    default realm = CONTOSO.COM (external)
    CONTOSO.COM:
        (no kdc entries for this realm)
        Realm Flags = 0x5 SendAddress Delegate
    Mapping all users (*) to a local account by the same name (*).
    

    On the Windows client, create a local user (a password is not necessary) with a name that exists on the IPA server. Otherwise you'll get the error 1332: No mapping between account names and security IDs was done.

    Test that you can get a ticket as the user:

    runas /user:joe@CONTOSO.COM cmd

    In the new command window, run:

    klist

    This will output the current ticket info:

    Current LogonId is 0:0x6c70e

    Cached Tickets: (1)
    
    #0> Client: joe @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/22/2014 5:22:07 (local)
        End Time:   2/23/2014 5:22:07 (local)
        Renew Time: 3/1/2014 5:22:07 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
    
  3. NFS Server Configuration

    mkdir -p /winshare/joe
    chown -R joe:joe /winshare/joe
    exportfs -o rw,sec=krb5 *:/winshare/joe
    

When trying to mount the share above on the Windows client:

mount -o sec=krb5 nfs.contoso.com:/winshare/joe E:

I get the following error:

Network Error - 121

Type 'NET HELPMSG 121' for more information.

C:\Windows\system32>NET HELPMSG 121

The semaphore timeout period has expired.

An attempt to use ms-nfs41-client-x64 also fails:

C:\Users\joe\Desktop\ms-nfs41-client-x64>nfs_mount.exe -o sec=krb5 * nfs.contoso.com:/winshare/joe

WNetUseConnection(*:, \\nfs.contoso.com\winshare\joe) failed with error code 1231.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.

  1. The NFS share using sec=sys works.
  2. Logging in to the Windows 7 client as joe works.
  3. PuTTY to the NFS server after Windows login works (as long as you install the MIT Kerberos client for Windows first).

The only thing that doesn't work is NFS when using Kerberos.


Solution 1:

As far as I know this step is likely not needed:

Add NFS service for the client:

ipa service-add nfs/win7ent-client.contoso.com

You need an nfs service for a server.

If you are sure that you need nfs service for Windows client, then very likely it should use exactly the same password as the host principal for that client.

Additionally: have you enabled secure nfs on the server? I don't remember specifics as I moved to CentOS 7 looong ago (systemctl (enable|start) nfs-secure are your friends there), but I think you should look for this in /etc/sysconfig/nfs.
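The answer's two server-side points (the nfs/ service principal belongs in the NFS server's keytab, not the client's, and secure NFS must be switched on so rpc.svcgssd actually runs) can be checked before trying the Windows mount again. The following preflight script is an added example, not code from the question or the answer. It assumes an EL6-style server (/etc/sysconfig/nfs with SECURE_NFS, rpcsvcgssd/rpcgssd init scripts), the hostnames nfs.contoso.com and ipa.contoso.com and the realm CONTOSO.COM from the question, and the sample command output embedded in it is constructed so that it runs offline; with --live it reads klist, /etc/sysconfig/nfs and exportfs on the real server.

```shell
#!/bin/bash
# Added example (not from the original question or answer): preflight checks
# for a Kerberos-secured NFSv4 export on an EL6-style NFS server. Hostnames,
# realm and the sample command output below are assumptions/constructed.

NFS_SERVER_FQDN="nfs.contoso.com"   # assumed NFS server name
REALM="CONTOSO.COM"                 # assumed Kerberos realm
EXPORT_PATH="/winshare/joe"         # path exported in the question

# Is nfs/<server fqdn>@REALM in the server keytab ($1 = output of `klist -k`)?
has_nfs_principal() {
    printf '%s\n' "$1" | grep -Fq "nfs/${NFS_SERVER_FQDN}@${REALM}"
}

# Is SECURE_NFS="yes" set and uncommented ($1 = contents of /etc/sysconfig/nfs)?
# Without it the EL6 rpcsvcgssd init script exits without starting the daemon,
# so the server never answers RPCSEC_GSS requests and sec=krb5 mounts hang.
secure_nfs_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$'
}

# Which Kerberos flavour does the export of $EXPORT_PATH offer ($1 = output of
# `exportfs -v`)? Prints the strongest one: krb5 = authentication only, krb5i
# adds integrity, krb5p adds privacy. Returns 1 if no Kerberos flavour is set.
export_krb5_flavour() {
    sec_opt=$(printf '%s\n' "$1" \
        | grep -E "^${EXPORT_PATH}[[:space:]]" \
        | sed -n 's/.*sec=\([^,) ]*\).*/\1/p' | head -n 1)
    case "$sec_opt" in
        *krb5p*) echo krb5p ;;
        *krb5i*) echo krb5i ;;
        *krb5*)  echo krb5 ;;
        *)       return 1 ;;
    esac
}

# Run all three checks; prints one line per check and returns the number of
# failures (0 means the server side is ready for a sec=krb5 mount).
run_checks() {
    keytab_listing="$1"; sysconfig="$2"; exports="$3"
    failures=0

    if has_nfs_principal "$keytab_listing"; then
        echo "ok   keytab has nfs/${NFS_SERVER_FQDN}@${REALM}"
    else
        echo "FAIL no nfs/${NFS_SERVER_FQDN}@${REALM} in keytab; fix on the server with:"
        echo "     ipa service-add nfs/${NFS_SERVER_FQDN}"
        echo "     ipa-getkeytab -s ipa.contoso.com -p nfs/${NFS_SERVER_FQDN} -k /etc/krb5.keytab"
        failures=$((failures + 1))
    fi

    if secure_nfs_enabled "$sysconfig"; then
        echo "ok   SECURE_NFS=yes in /etc/sysconfig/nfs"
    else
        echo "FAIL SECURE_NFS not enabled; set SECURE_NFS=\"yes\", then restart rpcsvcgssd, rpcgssd and nfs"
        failures=$((failures + 1))
    fi

    flavour=$(export_krb5_flavour "$exports") || flavour=""
    if [ -n "$flavour" ]; then
        echo "ok   ${EXPORT_PATH} exported with sec=${flavour}"
        [ "$flavour" = krb5 ] && echo "     note: krb5 only authenticates; krb5i/krb5p add integrity/encryption"
    else
        echo "FAIL ${EXPORT_PATH} has no Kerberos sec= flavour (exportfs -o rw,sec=krb5 ...)"
        failures=$((failures + 1))
    fi
    return $failures
}

if [ "${1:-}" = "--live" ]; then
    # On the real server: feed in the live keytab, sysconfig and export list.
    run_checks "$(klist -k /etc/krb5.keytab 2>/dev/null)" \
               "$(cat /etc/sysconfig/nfs)" \
               "$(exportfs -v)"
else
    # Constructed sample output reproducing the failure mode from the answer:
    # principal and export are right, but SECURE_NFS is still commented out.
    SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs.contoso.com@CONTOSO.COM'
    SAMPLE_SYSCONFIG='# Set to turn on Secure NFS mounts.
#SECURE_NFS="yes"'
    SAMPLE_EXPORTS='/winshare/joe <world>(rw,wdelay,root_squash,no_subtree_check,sec=krb5,rw,secure,root_squash,no_all_squash)'
    run_checks "$SAMPLE_KEYTAB" "$SAMPLE_SYSCONFIG" "$SAMPLE_EXPORTS" || echo "$? check(s) failed"
fi
```

Run it as root on the NFS server with `--live`; without the flag it evaluates the constructed sample and reports the commented-out SECURE_NFS line as the one failing check. The flavour check is deliberately strict about which sec= the export offers, because sec=krb5 on its own only authenticates the user: the NFS traffic itself is neither integrity-protected nor encrypted unless krb5i or krb5p is exported and requested.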