RPCSEC_GSS
NFS-GANESHA supports RPCSEC_GSS with krb5 authentication. It uses the libgssrpc library provided with the krb5 distribution. To get a clean distribution of this library, you must install at least krb5-1.6.
- No rpc.gssd, rpc.svcgssd or rpc.idmapd is required on the host running NFS-GANESHA; it performs the work of these daemons internally
```
# ./configure --with-fsal=<desired FSAL> --enable-gssrpc
```
Configuration follows several steps:
- Configure your client as if it were mounting a Linux kernel NFS server: set up the kernel modules and the keytabs, and make sure rpc.gssd and rpc.idmapd are running
- In the configuration file for NFS-GANESHA you may need the following block if you deviate from the defaults:
```
NFS_KRB5
{
    PrincipalName = <your principal> ;
    KeytabPath = /etc/krb5.keytab ;
    Active_krb5 = YES ;
}
```

`PrincipalName` will be combined with the Ganesha server hostname and realm in the form `<PrincipalName>/<server hostname>@<realm>`. The keytab must contain slots that match this form for each server host.
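One way to check the keytab requirement above before starting the server (an added example, not part of the NFS-Ganesha documentation): the script builds the expected `<PrincipalName>/<server hostname>@<realm>` string for each server host and looks for an exact match in `klist -k` output. The principal name `nfs`, the host names, the realm and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that a keytab listing holds the service principal
# NFS-Ganesha will use, <PrincipalName>/<server hostname>@<realm>.

# expected_principal NAME HOST REALM -> prints the combined principal
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has_principal PRINCIPAL   (reads `klist -k` output on stdin)
# Returns 0 if a keytab slot holds exactly PRINCIPAL, 1 otherwise.
# Only lines starting with a numeric KVNO are treated as slots.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_hosts NAME REALM HOST...   (reads `klist -k` output on stdin)
# Prints every expected principal that has no slot; returns 1 if any is missing.
check_hosts() {
    name=$1 realm=$2; shift 2
    listing=$(cat)
    missing=0
    for host in "$@"; do
        p=$(expected_principal "$name" "$host" "$realm")
        if ! printf '%s\n' "$listing" | keytab_has_principal "$p"; then
            echo "missing: $p"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (hypothetical hosts).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/ganesha1.example.com@EXAMPLE.COM
   2 nfs/ganesha1.example.com@EXAMPLE.COM
   3 nfs/ganesha2.example.com@EXAMPLE.COM'

# Real use: klist -k /etc/krb5.keytab | check_hosts nfs EXAMPLE.COM "$(hostname -f)"
printf '%s\n' "$SAMPLE_KLIST" | check_hosts nfs EXAMPLE.COM \
    ganesha1.example.com ganesha2.example.com ganesha3.example.com \
    || echo "keytab is incomplete for the hosts listed above"
```

The match is exact and case-sensitive, so a `host/` slot or a short host name does not satisfy the check for the `nfs/` principal of the fully qualified host.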
To perform your mount command:
```
# mount -t nfs4 -o sec=krb5 <nfs-ganesha server>:<path> /mnt
# mount -t nfs4 -o sec=krb5i <nfs-ganesha server>:<path> /mnt
# mount -t nfs4 -o sec=krb5p <nfs-ganesha server>:<path> /mnt
```

Remember: when a user traverses a kerberized mount point, they must have a valid Kerberos ticket (basically, one generated with kinit); otherwise they will receive an EPERM error.
Additional documentation on setting up NFS-Ganesha and Kerberos: Kerberos-setup-for-NFS-Ganesha-in-Ceph