
RPCSEC_GSS

Philippe DENIEL edited this page Oct 30, 2012 · 2 revisions

Using RPCSEC_GSS with NFS-GANESHA

NFS-GANESHA supports RPCSEC_GSS with krb5 authentication. It uses the libgssrpc library provided with the krb5 distribution. To get a clean distribution of this library, you must install at least krb5-1.6.

RPCSEC_GSS support is enabled at "./configure" time. You should use something like:

# ./configure --with-fsal=<desired FSAL>  --enable-gssrpc

Configuration follows several steps:

      • Configure your client as if it were going to mount a Linux nfsd server: set up the kernel modules and the keytabs, and make sure rpc.gssd and rpc.idmapd are running.
      • The NFS-GANESHA configuration file must contain the following block:
NFS_KRB5
{
   PrincipalName = nfs@<yourhost> ;
   KeytabPath = /etc/krb5.keytab ;
   Active_krb5 = YES ;
}

The principal name should contain the NFS server hostname, and the keytab must contain slots related to nfs/<nfs></nfs>

      • No rpc.gssd, rpc.svcgssd or rpc.idmapd is required on the host running NFS-GANESHA; it does internally what these daemons do.
      • Run your mount command:
       mount -t nfs4 -o sec=krb5 <nfs-ganesha server>:<path> /mnt
       mount -t nfs4 -o sec=krb5i <nfs-ganesha server>:<path> /mnt
       mount -t nfs4 -o sec=krb5p <nfs-ganesha server>:<path> /mnt

Remember: when a user traverses a kerberized mount point, they must have a valid Kerberos ticket (basically, one generated with kinit); otherwise they will receive an EPERM error.
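
The NFS_KRB5 block names the service in GSS host-based form (nfs@host), while the keytab stores it as the Kerberos principal nfs/host@REALM. The check below is an added example, not part of the original page or of NFS-GANESHA: the function names, hostname and realm are constructed, and the keytab listing imitates `klist -k` output.

```shell
#!/bin/sh
# Added example: check that the NFS_KRB5 block and the keytab listing agree.

# Print the value of KEY inside the NFS_KRB5 { ... } block of a config file.
krb5_block_value() {  # usage: krb5_block_value CONF KEY
    awk -v key="$2" '
        /^[[:space:]]*NFS_KRB5/ { inblk = 1; next }
        inblk && index($0, "}") { inblk = 0 }
        inblk && $1 == key && $2 == "=" { sub(/;$/, "", $3); print $3; exit }
    ' "$1"
}

# Map the GSS host-based name "nfs@host" to the Kerberos principal prefix
# "nfs/host@" and look for it in saved `klist -k` output.
keytab_has_principal() {  # usage: keytab_has_principal KLIST_TXT nfs@host
    svc=${2%%@*}; host=${2#*@}
    awk -v want="$svc/$host@" 'index($2, want) == 1 { found = 1 } END { exit !found }' "$1"
}

# Return 0 when the block is active and its principal has a keytab entry.
check_ganesha_krb5() {  # usage: check_ganesha_krb5 CONF KLIST_TXT
    active=$(krb5_block_value "$1" Active_krb5)
    princ=$(krb5_block_value "$1" PrincipalName)
    [ "$active" = "YES" ] || { echo "Active_krb5 is not YES"; return 1; }
    case $princ in nfs@?*) ;; *) echo "PrincipalName is not nfs@<host>"; return 2 ;; esac
    keytab_has_principal "$2" "$princ" || { echo "no keytab entry for $princ"; return 3; }
    echo "ok: $princ"
}

# Constructed sample inputs (hostname and realm are made up).
tmp=$(mktemp -d)
cat > "$tmp/ganesha.conf" <<'EOF'
NFS_KRB5
{
   PrincipalName = nfs@ganesha1.example.com ;
   KeytabPath = /etc/krb5.keytab ;
   Active_krb5 = YES ;
}
EOF
cat > "$tmp/klist_good.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 nfs/ganesha1.example.com@EXAMPLE.COM
EOF
# Same listing with only a host/ entry, i.e. a keytab lacking the nfs/ slot.
sed 's#nfs/#host/#' "$tmp/klist_good.txt" > "$tmp/klist_bad.txt"

check_ganesha_krb5 "$tmp/ganesha.conf" "$tmp/klist_good.txt"
check_ganesha_krb5 "$tmp/ganesha.conf" "$tmp/klist_bad.txt" || echo "rc=$?"
```

On a real server, save the output of `klist -k /etc/krb5.keytab` to a file and pass it as the second argument.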