Dear openSUSE community,
In my institution we will be required to mount our remote filesystem using secure NFS (v4), by authenticating using Kerberos (krb5), without being assigned a keytab file.
I.e. this means that root needs to acquire a ticket by means of kinit, then mount the NFS share, and then the user needs to authenticate with kinit to access the share locally.
Because no keytab file exists one needs to run the rpc.gssd daemon with the "-n" flag.
Under Debian this would be possible by adding the option
**RPCGSSDOPTS="-n"**
in the file /etc/default/nfs-common
However, I have not found the equivalent of this in openSUSE’s configuration file located at
/etc/sysconfig/nfs
Instead, the only possibility I saw was by modifying the file(s)
**/etc/init.d/nfs**
and perhaps
/usr/sbin/rcnfs
directly, by adding the -n flag by changing all instances of
**startproc $GSSD_BIN**
in those files, to
**startproc $GSSD_BIN -n**
(or by adding some script code to accept a new flag),
and this works!
But of course, this method is not very desirable (I suspect changes will be reverted when the nfs client packages are updated) - or user friendly for that matter!
**Q:** Is there another way to do this properly?
Best regards,
A happy openSUSE 12.1 camper
For completeness I have added the various steps to reproduce my situation, and the corresponding error messages below:
Step 1: Set up NFS configuration file
- Change the following two options in /etc/sysconfig/nfs to "yes": **NFS_SECURITY_GSS** and **NFS_START_SERVICES** ->
NFS_SECURITY_GSS="yes"
NFS_START_SERVICES="yes"
Step 2: Obtain a Kerberos ticket by means of kinit -p username as root ->
# kinit -p XYZ123
Step 3: Try to mount the NFS share
# mount -vvv -t nfs -o sec=krb5,proto=tcp,vers=4 servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123
This will fail with the message:
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123
And in /var/log/warn you will see:
computername rpc.gssd[8820]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host servername.domain.local
computername rpc.gssd[8820]: ERROR: No credentials found for connection to server servername.domain.local
Now this is without the -n flag; to verify this I run:
ps ax | grep gssd
8820 ? Ss 0:00 /usr/sbin/rpc.gssd
Now if I kill rpc.gssd and restart using:
pkill rpc.gssd
/usr/sbin/rpc.gssd -n
and verify:
ps ax | grep gssd
8907 ? Ss 0:00 /usr/sbin/rpc.gssd -n
Then the mount command
**# mount -vvv -t nfs -o sec=krb5,proto=tcp,vers=4 servername.domain.local:/Home01/X/Y/Z/XYZ123 /mnt/XYZ123**
works!
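
As an added example (not part of the original post), the shell functions below tell apart the two states the post observes: rpc.gssd running without -n while logging the missing-keytab error, and rpc.gssd running with -n. The function names are hypothetical, the `ps ax` column layout is assumed, and the sample inputs are the process and log lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): function names are hypothetical.
# Sample inputs below are copied from the ps and /var/log/warn lines in the post.

# gssd_mode PS_TEXT: print absent | machine-creds | user-creds.
# Assumes `ps ax` layout (PID TTY STAT TIME COMMAND), so the command is field 5.
gssd_mode() {
    printf '%s\n' "$1" | awk '
        $5 ~ /(^|\/)rpc\.gssd$/ {
            found = 1
            # -n may stand alone or sit in a cluster of single-letter flags
            for (j = 6; j <= NF; j++)
                if ($j ~ /^-[A-Za-z]*n[A-Za-z]*$/) nflag = 1
        }
        END { print (!found ? "absent" : (nflag ? "user-creds" : "machine-creds")) }'
}

# keytab_failures LOG_TEXT: print each server gssd had no keytab entry for.
keytab_failures() {
    printf '%s\n' "$1" | sed -n \
        's/.*rpc\.gssd\[[0-9]*]: ERROR: .*no usable keytab entry found in keytab .* for connection with host \(.*\)$/\1/p' |
        sort -u
}

# diagnose PS_TEXT LOG_TEXT: one-line verdict combining both checks.
diagnose() {
    mode=$(gssd_mode "$1")
    hosts=$(keytab_failures "$2" | tr '\n' ' ')
    case "$mode" in
        absent)     echo "rpc.gssd not running" ;;
        user-creds) echo "rpc.gssd -n: root needs its own ticket (kinit)" ;;
        *)  if [ -n "$hosts" ]; then
                echo "rpc.gssd without -n, no keytab entry for: ${hosts% }"
            else
                echo "rpc.gssd without -n: root uses the machine keytab"
            fi ;;
    esac
}

PS_BEFORE=' 8820 ? Ss 0:00 /usr/sbin/rpc.gssd'
PS_AFTER=' 8907 ? Ss 0:00 /usr/sbin/rpc.gssd -n'
LOG='computername rpc.gssd[8820]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host servername.domain.local
computername rpc.gssd[8820]: ERROR: No credentials found for connection to server servername.domain.local'

diagnose "$PS_BEFORE" "$LOG"
diagnose "$PS_AFTER" ""
```

On a live system the same functions can be fed `"$(ps ax)"` and the contents of /var/log/warn.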