I know that this is not the ideal list for NFS questions, but I'm not sure of a better one.
I'm exploring NFSv4 with kerberos security, all tied into FreeIPA.
My question is whether or not the NFSv4 clients need nfs service principals. Obviously the NFSv4 server needs both, but the client side is where I'm confused.
Some documentations say the client needs both a host and nfs service principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
Other documentations say the client needs just a host principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Any clarification would be appreciated.
Thanks!
ZZ
On Fri, 08 Jun 2018, Zane Zak via FreeIPA-users wrote:
> I know that this is not the ideal list for NFS questions, but I'm not sure of a better one.
> I'm exploring NFSv4 with kerberos security, all tied into FreeIPA.
> My question is whether or not the NFSv4 clients need nfs service principals. Obviously the NFSv4 server needs both, but the client side is where I'm confused.
> Some documentations say the client needs both a host and nfs service principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
> Other documentations say the client needs just a host principal: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> Any clarification would be appreciated.
You don't need more than host/... principal on the client side.
You can check rpc.gssd manual page. It says:
------------------------------------------------------------------------
rpc.gssd searches in the following order for a principal to use. The first matching credential is used. For the search, <hostname> and <REALM> are replaced with the local system's hostname and Kerberos realm.

    <HOSTNAME>$@<REALM>
    root/<hostname>@<REALM>
    nfs/<hostname>@<REALM>
    host/<hostname>@<REALM>
    root/<anyname>@<REALM>
    nfs/<anyname>@<REALM>
    host/<anyname>@<REALM>

The <anyname> entries match on the service name and realm, but ignore the hostname. These can be used if a principal matching the local host's name is not found.

Note that the first principal in the search order is a user principal that enables Kerberized NFS when the local system is joined to an Active Directory domain using Samba. A password for this principal must be provided in the local system's keytab.
------------------------------------------------------------------------
The documentation links you point to are for two different versions of RHEL. The RHEL7 documentation basically corresponds to the rpc.gssd man page. The older documentation wasn't updated.
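The search order in the man page excerpt above can be replayed against a keytab listing to see which principal a client would end up using. This is an added example, not part of the original thread or of nfs-utils: the function name `gssd_pick_principal`, the host names and the realm are constructed, and it assumes `<HOSTNAME>$` means the upper-cased short host name and checks only the one realm passed in.

```shell
#!/bin/sh
# Added example: replays the principal search order quoted from rpc.gssd(8).
# Input on stdin: the output of `klist -k <keytab>`.

# gssd_pick_principal <hostname> <REALM>
# Prints the first keytab principal matching the search order; returns 1 if none.
gssd_pick_principal() {
    host=$1 realm=$2
    # Assumption: <HOSTNAME>$ is the upper-cased short host name (AD machine account).
    machine=$(printf '%s' "${host%%.*}" | tr '[:lower:]' '[:upper:]')'$'
    # Keep only the principal column, in keytab order; klist header lines are skipped.
    princs=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')

    # 1) Candidates bound to this host name, in man page order.
    for cand in "$machine@$realm" "root/$host@$realm" \
                "nfs/$host@$realm" "host/$host@$realm"; do
        if printf '%s\n' "$princs" | grep -Fxq -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    # 2) <anyname> candidates: service and realm must match, host part is ignored.
    for svc in root nfs host; do
        hit=$(printf '%s\n' "$princs" | awk -v s="$svc/" -v r="@$realm" '
            index($0, s) == 1 &&
            substr($0, length($0) - length(r) + 1) == r { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# Constructed sample: keytab of an enrolled client that only has a host principal.
SAMPLE_CLIENT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   1 host/client1.example.test@EXAMPLE.TEST
   1 host/client1.example.test@EXAMPLE.TEST'

# Constructed sample: keytab holding both a host and an nfs principal.
SAMPLE_BOTH='   1 host/nfs1.example.test@EXAMPLE.TEST
   2 nfs/nfs1.example.test@EXAMPLE.TEST'

printf '%s\n' "$SAMPLE_CLIENT" | gssd_pick_principal client1.example.test EXAMPLE.TEST
printf '%s\n' "$SAMPLE_BOTH" | gssd_pick_principal nfs1.example.test EXAMPLE.TEST
```

On a real client, pipe `klist -k /etc/krb5.keytab` into the function instead of the sample text.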
In case you haven't found out yet, only the nfs servers need service principals.
/tony
Right. The documentation is often not clear. Most Linux client software will try several principals. One of them is host/hostname. So you don’t need nfs/hostname. Since nfs/hostname is one of the principals it tries, some documentation says to use that principal.
On Jun 19, 2018, at 3:24 AM, Tony Brian Albers via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> In case you haven't found out yet, only the nfs servers need service principals.
>
> /tony
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316