Date:      Thu, 28 Jun 2012 16:25:16 +0200
From:      Herbert Poeckl <freebsdml@ist.tugraz.at>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Need help with nfsv4 and krb5 access denied
Message-ID:  <4FEC694C.6060408@ist.tugraz.at>
In-Reply-To: <686121506.2338267.1340842067785.JavaMail.root@erie.cs.uoguelph.ca>
References:  <686121506.2338267.1340842067785.JavaMail.root@erie.cs.uoguelph.ca>

On 06/28/2012 02:07 AM, Rick Macklem wrote:
> The NFS server will authenticate nfs/tmp2.ist.intra against the Kerberos
> KDC, using the information in the keytab entry. The whole idea behind a
> host based principal like "nfs/tmp2.ist.intra" is that it can only be
> used by the host "tmp2.ist.intra". As such, when the Kerberos KDC receives
> an authentication request for nfs/tmp2.ist.intra, it will DNS resolve
> tmp2.ist.intra (to 192.168.1.164 it seems) and will compare that to the
> IP address the authentication request is received from. I think this
> means the KDC will fail the request if it is sent to the KDC from 192.168.6.2.

Yes, of course. There is and will be no traffic on 192.168.6.2.

What I've tried to say (and probably failed) is that we have a network
card in the machine where the result is always access denied (with the
correct server IP address set for that NIC).


> Your KDC should be logging something when this fails and the traffic you'd
> need to look at is the traffic between the NFS server and the KDC. (I'd use
> wireshark, since it probably knows a fair bit about Kerberos.)

Thank you, I will give it a try.

Kind regards,
 Herbert
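As an added illustration of the consistency check Rick describes above (the host part of a host-based service principal versus the address the request actually comes from), here is a small diagnostic that is not part of this thread or of FreeBSD. It parses a keytab listing, pulls the host out of each `service/host@REALM` principal, resolves it, and reports which local interface (if any) holds that address. The interface addresses, the realm `IST.INTRA`, the keytab listing and the offline resolver are constructed sample data in the MIT `klist -k` layout; on a real host you would pass `socket.gethostbyname` and the addresses from `ifconfig`.

```python
"""Check that a host-based Kerberos principal's host resolves to an address the
NFS server really holds (added example; all sample values are constructed)."""
import socket
from typing import Callable, Dict, List

# Constructed: two NICs on the NFS server, as the thread describes.
SAMPLE_INTERFACES: Dict[str, List[str]] = {
    "em0": ["192.168.1.164"],
    "em1": ["192.168.6.2"],
}

# Constructed stand-in for DNS so the example runs offline.
SAMPLE_DNS: Dict[str, str] = {"tmp2.ist.intra": "192.168.1.164"}

# Constructed keytab listing in the MIT `klist -k` layout (realm is assumed).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   3 nfs/tmp2.ist.intra@IST.INTRA
"""


def sample_resolve(host: str) -> str:
    """Offline resolver: raise like a DNS failure for unknown names."""
    try:
        return SAMPLE_DNS[host]
    except KeyError as exc:
        raise socket.gaierror(f"constructed DNS has no entry for {host}") from exc


def keytab_principals(listing: str) -> List[str]:
    """Extract principal names from `klist -k` style output (KVNO, principal)."""
    principals = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.append(parts[1])
    return principals


def service_host(principal: str) -> str:
    """Return the host component of service/host@REALM; reject other forms."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError(f"not a host-based principal: {principal}")
    return name.split("/", 1)[1]


def check_principal(principal: str, interfaces: Dict[str, List[str]],
                    resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve the principal's host and find which interfaces hold that address.

    ok is False when no local NIC carries the resolved address: the KDC would
    then see the request arrive from an address that does not match the host.
    """
    host = service_host(principal)
    address = resolve(host)
    holders = [name for name, addrs in interfaces.items() if address in addrs]
    return {"principal": principal, "host": host, "address": address,
            "interfaces": holders, "ok": bool(holders)}


def request_source_matches(principal: str, source_ip: str,
                           resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """The comparison described in the thread: does the source address of an
    authentication request equal the DNS address of the principal's host?"""
    return resolve(service_host(principal)) == source_ip


def audit_keytab(listing: str, interfaces: Dict[str, List[str]],
                 resolve: Callable[[str], str] = socket.gethostbyname) -> List[dict]:
    """Run check_principal over every host-based principal in a keytab listing."""
    results = []
    for principal in keytab_principals(listing):
        try:
            results.append(check_principal(principal, interfaces, resolve))
        except (ValueError, socket.gaierror) as exc:
            results.append({"principal": principal, "ok": False, "error": str(exc)})
    return results


if __name__ == "__main__":
    for result in audit_keytab(SAMPLE_KLIST, SAMPLE_INTERFACES, sample_resolve):
        print(result)
    for src in ("192.168.1.164", "192.168.6.2"):
        print(src, "matches" if request_source_matches(
            "nfs/tmp2.ist.intra@IST.INTRA", src, sample_resolve) else "does not match")
```

With the constructed data the audit reports the principal as held by `em0`, and a request sourced from 192.168.6.2 does not match, which is the mismatch the thread is circling around; a principal whose host does not resolve at all is reported as an error rather than crashing the audit.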



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FEC694C.6060408>