Trying to configure NFSv4 and Kerberos - have managed it several times now with boxes that are on the domain, but for various reasons, this one doesn't have a CIFS license.
I'm getting an error:
"unable to setup kerberos for NFS could not set up active directory KDC"
After entering my administrator account in "nfs setup".
Can anyone point me in the direction of what I'm missing here? (Am wondering if it's some variant of needing a machine account created to act as a service principal, or something else is going wrong).
Thanks, Ed.
More specifically - my error is: "Unable to search Active Directory for an active machine account using the current settings."
This occurs after the domain admin authenticates (successfully).
On 27 March 2015 at 15:02, Edward Rolison ed.rolison@gmail.com wrote:
I assume this is 7mode. In cDOT there is no need to have a CIFS license when using Windows KDC.
When doing this in 7mode, you get 2 options for KDC types – Windows and non-Windows.
filer> nfs setup
Enable Kerberos for NFS? y
The filer supports these types of Kerberos Key Distribution Centers (KDCs):
1 - UNIX KDC
2 - Microsoft Active Directory KDC
Enter the type of your KDC (1-2):
When you use Windows as the KDC type, it wants to leverage the CIFS account/krb5.conf file for Kerberos. Thus, the need for a CIFS license.
If you don't have a CIFS license, choose the UNIX-style KDC. Then you would need to set Kerberos up manually like you would with a MIT KDC. http://www.netapp.com/us/media/tr-3481.pdf
1) Ensure DNS is correct (filer has correct info, DNS server has hostname with forward/reverse lookup)
2) KDC info will be the windows domain name, etc.
3) SPN gets created/added to KDC (and only DES and RC4 are allowed – see TR-4073 on how to do that http://www.netapp.com/us/media/tr-4073.pdf - 7 would be the value for msDS-SupportedEncryptionTypes)
4) Keytab file created on KDC and ported over to the 7mode filer and the krb5.conf is properly populated
Example:

parisi-7mode> nfs setup
Enable Kerberos for NFS? y
The filer supports these types of Kerberos Key Distribution Centers (KDCs):
1 - UNIX KDC
2 - Microsoft Active Directory KDC
Enter the type of your KDC (1-2): 1
Enter the Kerberos realm name: DOMAIN.WIN2K8.NETAPP.COM
Enter the host instance of the NFS server principal name [default: parisi-7mode.domain.win2k8.netapp.com]: nfskrb-7mode.domain.win2k8.netapp.com
NFS setup complete.
parisi-7mode*> options kerberos
kerberos.file_keytab.enable on
kerberos.file_keytab.principal nfskrb-7mode.domain.win2k8.netapp.com
kerberos.file_keytab.realm DOMAIN.WIN2K8.NETAPP.COM
kerberos.multirealm.enable on
kerberos.replay_cache.enable off
[root@centos64 /]# nslookup nfskrb-7mode
Server: 10.228.225.120
Address: 10.228.225.120#53

Name: nfskrb-7mode.domain.win2k8.netapp.com
Address: 10.63.9.69

[root@centos64 /]# nslookup 10.63.9.69
Server: 10.228.225.120
Address: 10.228.225.120#53

69.9.63.10.in-addr.arp
parisi-7mode> exportfs
/vol/vol0/home -sec=sys,rw,nosuid
/vol/vol0 -sec=sys,rw,anon=0,nosuid
/vol/nfs -sec=sys,rw,nosuid
/vol/vfiler1 -sec=sys,rw,nosuid
/vol/cifs -sec=sys,rw,nosuid
/vol/krb5 -sec=krb5,rw,root=10.228.225.140,nosuid
[root@centos64 etc]# mount -o sec=krb5 nfskrb-7mode:/vol/krb5 /krb5
sh-4.1$ cd /krb5
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1107
Default principal: ldapuser@DOMAIN.WIN2K8.NETAPP.COM

Valid starting     Expires            Service principal
03/27/15 16:47:44  04/26/15 16:47:44  krbtgt/DOMAIN.WIN2K8.NETAPP.COM@DOMAIN.WIN2K8.NETAPP.COM
        renew until 04/26/15 16:47:44
03/27/15 16:49:46  04/26/15 16:47:44  nfs/nfskrb-7mode.domain.win2k8.netapp.com@DOMAIN.WIN2K8.NETAPP.COM
        renew until 04/26/15 16:47:44

sh-4.1$ mount | grep krb5
nfskrb-7mode:/vol/krb5 on /krb5 type nfs (rw,sec=krb5,vers=4,addr=10.63.9.69,clientaddr=10.228.225.140)
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Edward Rolison
Sent: Friday, March 27, 2015 11:03 AM
To: toasters@teaparty.net
Subject: NFSv4/krb against an AD without a CIFS license
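As an added example, not code from this thread or from NetApp, here is a small client-side pre-flight check for the UNIX-KDC path described in the reply. It covers the parts of that checklist that can be verified from the Linux client before the mount is attempted: that the SPN hostname round-trips through forward and reverse DNS, what the msDS-SupportedEncryptionTypes value on the SPN's account actually enables (the bit values are Microsoft's: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256, so the value 7 from the reply means DES and RC4 only, with no AES bit set), and that klist shows the nfs/<host>@REALM service ticket after the mount. The DNS lookups default to the system resolver; the constructed lookup tables and the sample klist text reuse the hostnames and addresses shown in the reply so the script runs offline.

```python
"""Pre-flight checks for NFS Kerberos with AD acting as a UNIX-style KDC.

Added example, not code from the original thread or from NetApp. It
checks the items in the reply's checklist that can be verified from a
client: DNS forward/reverse agreement for the SPN host, what the
msDS-SupportedEncryptionTypes bitmask on the SPN's account enables,
and whether klist shows the nfs/<host> service ticket.
"""
import re
import socket

# msDS-SupportedEncryptionTypes bit values (Microsoft-documented).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10


def decode_enctypes(value):
    """Return (enabled enctype names in bit order, True if no AES bit is set)."""
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    return names, not (value & AES_MASK)


def dns_roundtrip(hostname, forward=socket.gethostbyname,
                  reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Resolve hostname -> IP -> hostname and report whether it round-trips.
    forward/reverse default to the system resolver; the constructed
    lookup tables below let the check run offline."""
    ip = forward(hostname)
    back = reverse(ip)
    return ip, back.lower().rstrip(".") == hostname.lower().rstrip(".")


def has_service_ticket(klist_text, spn_host, realm):
    """True if klist output lists an nfs/<spn_host>@<realm> ticket."""
    wanted = f"nfs/{spn_host}@{realm}".lower()
    principals = [p.lower() for p in re.findall(r"\S+/\S+@\S+", klist_text)]
    return wanted in principals


def preflight(spn_host, realm, enctype_value, klist_text, forward, reverse):
    """Run all checks and return a dict a wrapper script can act on."""
    names, no_aes = decode_enctypes(enctype_value)
    ip, dns_ok = dns_roundtrip(spn_host, forward, reverse)
    return {
        "enctypes": names,
        "des_rc4_only": no_aes,
        "ip": ip,
        "dns_ok": dns_ok,
        "service_ticket": has_service_ticket(klist_text, spn_host, realm),
    }


# Constructed sample inputs, reusing the values shown in the thread.
SPN_HOST = "nfskrb-7mode.domain.win2k8.netapp.com"
REALM = "DOMAIN.WIN2K8.NETAPP.COM"
FORWARD = {SPN_HOST: "10.63.9.69"}
REVERSE = {"10.63.9.69": SPN_HOST}
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1107
Default principal: ldapuser@DOMAIN.WIN2K8.NETAPP.COM

Valid starting     Expires            Service principal
03/27/15 16:47:44  04/26/15 16:47:44  krbtgt/DOMAIN.WIN2K8.NETAPP.COM@DOMAIN.WIN2K8.NETAPP.COM
        renew until 04/26/15 16:47:44
03/27/15 16:49:46  04/26/15 16:47:44  nfs/nfskrb-7mode.domain.win2k8.netapp.com@DOMAIN.WIN2K8.NETAPP.COM
        renew until 04/26/15 16:47:44
"""

if __name__ == "__main__":
    report = preflight(SPN_HOST, REALM, 7, SAMPLE_KLIST,
                       FORWARD.__getitem__, REVERSE.__getitem__)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

Against the thread's own values the report shows dns_ok and service_ticket as True and des_rc4_only as True, which is the expected state for the value 7 the reply prescribes; a reverse record pointing at a different name, or a klist with only the krbtgt entry, flips the corresponding flag and tells you which of the four checklist steps to revisit.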