[35878] in Kerberos
Re: Transferring NFSv4 nfs/ keys from KDC to client?
daemon@ATHENA.MIT.EDU (steve)
Tue Mar 18 18:56:44 2014
Message-ID: <1395183264.8558.5.camel@hh16.hh3.site>
From: steve <steve@steve-ss.com>
To: kerberos@mit.edu
Date: Tue, 18 Mar 2014 23:54:24 +0100
In-Reply-To: <CA+j=ERrBpXSCHYb5P1Ohy1A0Wxo4rVeaGMzxHX-rOwriiqG_Qg@mail.gmail.com>
On Tue, 2014-03-18 at 23:20 +0100, Wendy Lin wrote:
> Asking here to make sure I got the mechanism right:
>
> I created the principal nfs/china.mytest.org@TEST1.MYTEST.ORG on the
> KDC machine so that NFSv4 client china.mytest.org can mount a NFSv4
> filesystem.
>
> How does the client china.mytest.org now get the keys?
Hi

It doesn't need to. rpc.gssd can use any of the following keys:

<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

Just make sure that your keytab has one of them. Usually it will already
have the CHINA$ key, so you can mount using that. The nfs server keytab
should have both the nfs service and machine keys.

There are many misunderstandings about kerberized nfs:
http://linuxcostablanca.blogspot.com.es/2012/02/nfsv4-myths-and-legends.html

HTH
Steve
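
Added example (not part of the message above and not rpc.gssd's own code): a Python check that applies the key list from the reply to the text printed by `klist -k`, treating the list as a preference order as the rpc.gssd man page describes, and reports which keytab entry a client would use. The function names and the sample keytab listing are constructed for illustration; matching the machine account as the upper-cased short hostname is an assumption based on the CHINA$ example in the reply.

```python
# Search order from the reply: {HOST} is the upper-cased short hostname
# (assumption), {host} the client's FQDN, "*" stands for <anyname>.
SEARCH_ORDER = [
    "{HOST}$@{realm}",
    "root/{host}@{realm}",
    "nfs/{host}@{realm}",
    "host/{host}@{realm}",
    "root/*@{realm}",
    "nfs/*@{realm}",
    "host/*@{realm}",
]

def keytab_principals(klist_output):
    """Return the distinct principals listed by `klist -k` (also with -t/-e)."""
    found = []
    for line in klist_output.splitlines():
        tokens = line.split()
        # Entry lines start with the numeric KVNO; header lines do not.
        if not tokens or not tokens[0].isdigit():
            continue
        name = next((t for t in tokens[1:] if "@" in t), None)
        if name and name not in found:
            found.append(name)
    return found

def pick_gssd_principal(klist_output, fqdn, realm):
    """Return the first keytab principal matching the search order, or None."""
    principals = keytab_principals(klist_output)
    short = fqdn.split(".")[0].upper()
    for template in SEARCH_ORDER:
        wanted = template.format(HOST=short, host=fqdn.lower(), realm=realm)
        if "*" in wanted:
            prefix, suffix = wanted.split("*")
            hits = [p for p in principals
                    if p.startswith(prefix) and p.endswith(suffix)
                    and len(p) > len(prefix) + len(suffix)]
        else:
            hits = [p for p in principals if p == wanted]
        if hits:
            return hits[0]
    return None

# Constructed sample of `klist -k /etc/krb5.keytab` output on the client.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/china.mytest.org@TEST1.MYTEST.ORG
   2 CHINA$@TEST1.MYTEST.ORG
   2 CHINA$@TEST1.MYTEST.ORG
"""

if __name__ == "__main__":
    print(pick_gssd_principal(SAMPLE, "china.mytest.org", "TEST1.MYTEST.ORG"))
```

A result of None means the keytab holds none of the listed principals for that realm, so the mount would have no usable machine credential.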