kalebskeithley edited this page Nov 8, 2023 · 8 revisions

Using RPCSEC_GSS with NFS-GANESHA

NFS-GANESHA supports RPCSEC_GSS with krb5 authentication. It uses the libgssrpc library provided with the krb5 distribution. To get a clean distribution of this library, install krb5-1.6 or later.

  • No rpc.gssd, rpc.svcgssd or rpc.idmapd is required on the host running NFS-GANESHA; it does internally what these daemons do.

Enabling RPCSEC_GSS support is done at "./configure" time. You should use something like:

# ./configure --with-fsal=<desired FSAL>  --enable-gssrpc

Configuration follows several steps:

  • Configure your client as if it were mounting a Linux kernel NFS server: set up the kernel modules and the keytabs, and make sure rpc.gssd and rpc.idmapd are running.
  • In the configuration file for NFS-GANESHA, you may need the following block if deviating from defaults:
NFS_KRB5
{
   PrincipalName = <your principal> ;
   KeytabPath = /etc/krb5.keytab ;
   Active_krb5 = YES ;
}

PrincipalName will be combined with the Ganesha server hostname and realm in the form <PrincipalName>/<server hostname>@<realm>. The keytab must contain slots that match this form for each server host.
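
An added example (not part of the NFS-GANESHA wiki or code base): a shell check that a keytab listing contains `<PrincipalName>/<server hostname>@<realm>` for each server host. The service name `nfs`, the host names and the realm are constructed sample values, and the listing is a constructed sample in the layout of plain `klist -k` output (no `-t` timestamps).

```shell
#!/bin/sh
# Added example: verify keytab coverage for every Ganesha server host.

# Constructed sample of `klist -k` output. On a real host, use instead:
#   SAMPLE_KLIST=$(klist -k /etc/krb5.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/ganesha1.example.com@EXAMPLE.COM
   2 nfs/ganesha1.example.com@EXAMPLE.COM
   3 host/ganesha2.example.com@EXAMPLE.COM'

# keytab_principals <klist output>
# Prints the unique principals listed below the "----" rule, one per line.
keytab_principals() {
    printf '%s\n' "$1" |
        awk 'seen && NF >= 2 { print $2 } /^----/ { seen = 1 }' |
        sort -u
}

# missing_principals <PrincipalName> <realm> <klist output> <host>...
# Prints every expected principal that is absent; returns 1 if any is missing.
missing_principals() {
    svc=$1; realm=$2; listing=$3; shift 3
    have=$(keytab_principals "$listing")
    rc=0
    for host in "$@"; do
        want="$svc/$host@$realm"
        # -x whole line, -F fixed string: principals are case-sensitive and
        # a host/ entry for the same machine must not count as a match.
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed listing: ganesha2 only has a host/ principal.
if missing=$(missing_principals nfs EXAMPLE.COM "$SAMPLE_KLIST" \
        ganesha1.example.com ganesha2.example.com); then
    echo "keytab covers all server hosts"
else
    echo "keytab lacks: $missing"
fi
```
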

To perform your mount command:

# mount -t nfs4 -o sec=krb5 <nfs-ganesha server>:<path> /mnt
# mount -t nfs4 -o sec=krb5i <nfs-ganesha server>:<path> /mnt
# mount -t nfs4 -o sec=krb5p <nfs-ganesha server>:<path> /mnt

Remember: when a user traverses a kerberized mount point, they must have a valid Kerberos ticket (basically, one generated with kinit); otherwise they will receive an EPERM error.

Additional documentation on setting up NFS-Ganesha and Kerberos: Kerberos-setup-for-NFS-Ganesha-in-Ceph
