This document describes the steps taken to set up NFSv4 on Ubuntu 12.10 with Authentication Services. The steps should be similar on other operating systems.
Please note that NFS clients and servers are not supported. This article is provided as an example of a possible configuration to populate krb5.conf.
Two systems are used: an NFS server and an NFS client. In this example the NFS server is named nfsv4s and the NFS client is named nfsv4c.
For this example the AD domain name is cpr1.vas, and the machines' DNS realm will be cpr.vas to show a disjoint namespace.
On nfsv4s:
1 - Configuring the files:
vi /etc/hostname /etc/hosts ( Set the new name to nfsv4s; in hosts, add the long name as well. )
hostname nfsv4s
sudo apt-get install nfs-kernel-server
In /etc/default/nfs-common, set NEED_GSSD=yes
In /etc/idmapd.conf, set domain, so for my setup:
Domain = CPR1.VAS
Please note that package names, filenames and setting names may differ on other operating systems. Please consult your operating system documentation for this information.
2 - Install Authentication Services and join to the domain:
cd
./install.sh -q vasclnt vasgp
/opt/quest/bin/vastool -u join -f cpr1.vas
( Mine is: s /opt/quest/bin/vastool -u administrator@cpr1.vas join -f -c ou=run_19,ou=cpr_tests_container,DC=cpr1,DC=vas -u ou=run_19,ou=cpr_tests_container,DC=cpr1,DC=vas -g ou=run_19,ou=cpr_tests_container,DC=cpr1,DC=vas cpr1.vas )
Pay attention to the name used:
Joining computer to the domain as host/nfsv4s.cpr.vas ... OK
That should be the configured name, so that requests will locate the correct SPN in Active Directory.
3 - Add the nfs/service to AD:
Get the list of current SPNs:
/opt/quest/bin/vastool -u host/ attrs -q host/ servicePrincipalName
host/NFSV4S
host/nfsv4s.cpr.vas
4 - Set up the share:
mkdir /data
mkdir /data/nfsv4_root
chmod 1777 /data/nfsv4_root
echo "/data/nfsv4_root *(sec=krb5p,rw,fsid=0,insecure,no_subtree_check,sync,no_root_squash,nohide)" >> /etc/exports
vi /etc/default/nfs-kernel-server ( set NEED_SVCGSSD=yes )
service nfs-kernel-server restart
exportfs -arv
The client, nfsv4c:
1 - Configuring the files:
vi /etc/hostname /etc/hosts ( Set the new name to nfsv4c; add the long name to hosts too. )
hostname nfsv4c
sudo apt-get install nfs-common
In /etc/default/nfs-common, set NEED_GSSD=yes
In /etc/idmapd.conf, set domain, so for my setup:
Domain = CPR1.VAS
2 - Install Authentication Services and join to the domain:
cd
./install.sh -q vasclnt vasgp
/opt/quest/bin/vastool -u join -f -n nfsv4c cpr1.vas
3 - Link the QAS Kerberos configuration to the system:
ln -s /etc/opt/quest/vas/vas.conf /etc/krb5.conf
ln -s /etc/opt/quest/vas/host.keytab /etc/krb5.keytab
service gssd restart
service idmapd restart
4 - Mount the NFS share:
mount -v -o vers=4,sec=krb5 -t nfs4 nfsv4s:/ /mnt/nfsv4
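Remember to mount the 'root' that NFSv4 uses: the export marked fsid=0 is the NFSv4 root, so the client mounts nfsv4s:/ rather than nfsv4s:/data/nfsv4_root.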
Restarting services:
for s in portmap nfs-kernel-server idmapd gssd; do service $s restart; sleep 1; done
On a default system, /etc/services had nfs turned to nfsd; that's what stopped the gssd restart.
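The following POSIX shell functions are an added example, not part of the original article or of Authentication Services. They parse an /etc/exports entry such as the one in server step 4, report the options that widen access (wildcard client, insecure, no_root_squash, a sec= flavor weaker than krb5p), and check whether the flavor a client passes to mount -o sec= is among those the export offers. The function names and finding labels are made up for this example.

```sh
# Added example (not from the article): review one /etc/exports entry.

# Print the option list found between the parentheses of an entry.
export_opts() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p'
}

# Print the entry's sec= flavors one per line (exports(5) separates them with ':').
export_sec() {
    export_opts "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tr ':' '\n'
}

# Succeed only if the flavor a client passes to "mount -o sec=" ($2) is offered.
mount_sec_allowed() {
    export_sec "$1" | grep -qx "$2"
}

# Print one finding per line for each setting that widens access.
audit_export() {
    entry=$1
    client=$(printf '%s\n' "$entry" | awk '{print $2}' | sed 's/(.*//')
    opts=",$(export_opts "$entry"),"
    if [ "$client" = "*" ]; then
        echo "WILDCARD_CLIENT: any host may request this export"
    fi
    case $opts in *,no_root_squash,*) echo "NO_ROOT_SQUASH: client root keeps uid 0 on the server" ;; esac
    case $opts in *,insecure,*) echo "INSECURE: requests from unprivileged source ports are accepted" ;; esac
    case $opts in
        *,sec=*) ;;
        *) echo "NO_SEC: no sec= option, so AUTH_SYS is used" ;;
    esac
    for f in $(export_sec "$entry"); do
        case $f in
            krb5p) ;;
            krb5i) echo "SEC_krb5i: integrity only, data is not encrypted" ;;
            krb5) echo "SEC_krb5: authentication only" ;;
            *) echo "SEC_$f: not a Kerberos flavor" ;;
        esac
    done
    return 0
}

# The export line from server step 4 of this article, used as sample input.
SAMPLE='/data/nfsv4_root *(sec=krb5p,rw,fsid=0,insecure,no_subtree_check,sync,no_root_squash,nohide)'
audit_export "$SAMPLE"
mount_sec_allowed "$SAMPLE" krb5 || echo "MOUNT_SEC: sec=krb5 is not offered by this export"
```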