[Freeipa-users] NFS4 after client upgrade to Fedora 13

Simo Sorce ssorce at redhat.com
Thu May 27 16:27:49 UTC 2010


On Wed, 26 May 2010 20:09:16 +0200
Thomas Sailer <sailer at sailer.dynip.lugs.ch> wrote:

> Hi,
> 
> After upgrading one IPA client from Fedora12 to Fedora13 (the server
> runs Fedora12), I'm experiencing NFS4 problems.
> 
> I can still mount the server from the client like this:
> mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p server.xxx.com:/home /tmp/z
> 
> root can then successfully list subdirectories with ls /tmp/z.
> However, when a normal user tries to do this, he gets -EACCES.
> 
> Permissions of /tmp/z should be ok:
> 
> # ls -ldZ /tmp/z
> drwxr-xr-x. root root system_u:object_r:nfs_t:s0       /tmp/z
> 
> # getfacl /tmp/z
> getfacl: Removing leading '/' from absolute path names
> # file: tmp/z
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> 
> # nfs4_getfacl /tmp/z
> A::OWNER@:rwaDxtTcCy
> A::GROUP@:rxtcy
> A::EVERYONE@:rxtcy
> 
> It worked under Fedora 12. Does anybody have an idea what went wrong?

Tom, if you have only a DES key in your keytab for NFS (and you do if
you used it in F12, as NFS supported only DES) then you probably see the
effect of the new Kerberos libraries disallowing DES.

Try adding allow_weak_crypto = true to your krb5.conf or alternatively
rekey your NFS credentials to add RC4/AES keys (rekeying works only if
both client and server kernels support anything but DES; I think
F13's kernels should have those patches now, but old kernels support
only DES).

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
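
Added example, not part of the original post or of FreeIPA: a check for the condition described in the reply above, a keytab in which a principal such as nfs/ holds only DES keys. It reads the MIT keytab file format 0x0502; the helper names, the EXAMPLE.TEST realm, the host names and the all-zero keys in SAMPLE are constructed for illustration.

```python
import struct

WEAK = {1, 2, 3}  # enctype numbers of des-cbc-crc, des-cbc-md4, des-cbc-md5

def _str(rec, off):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a hole left by a deleted entry
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _str(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _str(rec, off)
            comps.append(comp.decode())
        # name type and timestamp (4 bytes each) precede the 8-bit kvno and enctype
        kvno, etype = struct.unpack_from(">BH", rec, off + 8)
        _, off = _str(rec, off + 11)  # key bytes are skipped, never returned
        if len(rec) - off >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return out

def des_only_principals(entries):
    """Principals holding nothing but single-DES keys (they fail once DES is disallowed)."""
    seen = {}
    for princ, _kvno, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, etypes in seen.items() if etypes <= WEAK)

def build_entry(princ, kvno, etype, keylen):  # constructed sample entry, all-zero key
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = princ.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + s(b"EXAMPLE.TEST") + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(bytes(keylen)) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(build_entry(*e) for e in [
    ("nfs/client.example.test", 2, 1, 8), ("host/client.example.test", 3, 18, 32),
    ("host/client.example.test", 3, 1, 8)])
```

On a real client, pass the bytes of the keytab file (by default /etc/krb5.keytab) to parse_keytab; any principal that des_only_principals returns needs rekeying or the allow_weak_crypto setting mentioned above.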



