[Linux-cluster] nfs4 kerberos
Daniel R. Gore
danielgore at yaktech.com
Thu Apr 7 01:01:00 UTC 2011
I also found this thread, after many searches.
http://linux-nfs.org/pipermail/nfsv4/2009-April/010583.html
As I read through it, there appears to be a patch for rpc.gssd which
allows for the daemon to be started and associated with multiple hosts.
I do not want to compile rpc.gssd and it appears the patch is from over
two years ago. I would hope that RHEL6 would have rpc.gssd patched to
meet this requirement, but no documentation appears to exist for how to
use it.
On Wed, 2011-04-06 at 20:23 -0400, Daniel R. Gore wrote:
> Ian,
>
> Thanks for the info.
>
> My cluster is only a two node cluster. I have NFSv4 with Kerberos
> working on both nodes separately. I went and created a virtual IP on
> each node with the same IP to accommodate the floating IP. I associated
> the virtual IP with a new DNS name (fserv) and ensured forward and
> reverse look-up works. I created Kerberos host and nfs principals for
> fserv and added the associated keys to /etc/krb5.keytab on each node.
>
> Unfortunately, it still does not work and I am sure one of the reasons
> is because the "uname -n" comes up as the node name and not fserv.
>
> I also suspect that the nfs service that gets started through Red Hat's
> HA service does not use the /etc/exports file on the nodes.
>
> How did you manage to change the node's name when the nfs server was
> started? What worries me about that is then other services will likely
> fail.
>
> Any guidance is appreciated.
>
> Thanks.
>
> Dan
>
> On Wed, 2011-04-06 at 16:14 -0700, Ian Hayes wrote:
> > I've done some work on clustering NFSv4 using Kerberos at a previous
> > job.... I probably did this completely wrong, but I did get it
> > working. The big gotcha that I had was that all cluster members need
> > the same keytab for the NFS service. I also had to have the active
> > node change its hostname to match the keytab before it started up NFS.
> > There is the usual NFS4-specific stuff you need to do
> > like /etc/exports and building the pseudo filesystem. I did a few bind
> > mounts to get everything under the pseudo-fs. Obviously I'm assuming
> > that you have NFS4 working on a single-node environment and therefore
> > know what to do to get that working (i.e., keytabs for the clients).
> >
> > The cluster I had built was hosting NFS4 and Samba, with a shared GFS
> > filesystem on an iSCSI backend. It ran pretty decent for secondhand
> > test equipment. I was actually able to benchmark the GFS performance
> > while I tuned the GFS with a little script that wrote out randomly
> > sized files.
> >
> > I did some extensive build documentation of how to build a Kerberized
> > NFS4 cluster, but I doubt my old employer would be willing to release
> > them. But like Henry Jones, Sr., I wrote them down so I wouldn't have
> > to remember them.
> >
> > On Wed, Apr 6, 2011 at 3:42 PM, Daniel R. Gore
> > <danielgore at yaktech.com> wrote:
> > I am trying to get a Kerberos-authenticated, highly available NFS
> > service running. I have looked at the cookbook, but it does not cover
> > this.
> >
> > Any ideas?
> >
> > Thank you
> >
> > Dan
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > --
> > Linux-cluster mailing list
> > Linux-cluster at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-cluster
> >
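
Added example (not part of the original thread or written by any of its posters): a check for the point made above that all cluster members need the same keytab for the NFS service, comparing the entries for the floating name in `klist -ke /etc/krb5.keytab` output captured on each node. The hostnames, realm and kvno values are constructed, and the MIT Kerberos `klist -ke` output layout is assumed.

```sh
#!/bin/sh
# Added example: compare the floating-name entries of two nodes' keytabs.
# Input is the text printed by `klist -ke /etc/krb5.keytab` on each node.
# Hostnames, realm and kvno values are constructed sample data.
NODE1_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

NODE2_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 nfs/fserv.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Print "principal kvno enctype" for every entry whose host part equals $2.
service_entries() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "[/@]")      # p[1]=service p[2]=host p[3]=realm
            if (p[2] == host) {
                enc = $0; sub(/^[^(]*/, "", enc)   # keep "(enctype)" if shown
                print $2, $1, enc
            }
        }' | sort
}

# Succeed only if both listings hold identical, non-empty entries for host $3.
keytabs_match() {
    a=$(service_entries "$1" "$3"); b=$(service_entries "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the entries present on only one node, prefixed with the node label.
keytab_diff() {
    a=$(service_entries "$1" "$3"); b=$(service_entries "$2" "$3")
    { printf '%s\n' "$a" | sed 's/^/node1: /'
      printf '%s\n' "$b" | sed 's/^/node2: /'; } |
    awk '{ k = $0; sub(/^[^ ]+ /, "", k); seen[k]++; line[NR] = $0; key[NR] = k }
         END { for (i = 1; i <= NR; i++) if (seen[key[i]] == 1) print line[i] }'
}

if keytabs_match "$NODE1_KLIST" "$NODE2_KLIST" fserv.example.com; then
    echo "fserv entries are identical on both nodes"
else
    echo "fserv entries differ:"
    keytab_diff "$NODE1_KLIST" "$NODE2_KLIST" fserv.example.com
fi
```

A differing kvno for the same principal, as in the constructed sample, means the two nodes hold different keys for the shared service name, so tickets issued for it will only decrypt on one of them.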