Date:      Sat, 22 Sep 2018 20:46:50 +0900 (JST)
From:      Hiroki Sato <hrs@allbsd.org>
To:        hiroo.ono+freebsd@gmail.com
Cc:        freebsd-users-jp@freebsd.org
Subject:   [FreeBSD-users-jp 96316] Re: NFSv4 + Kerberos
Message-ID:  <20180922.204650.2028642500513623137.hrs@allbsd.org>
In-Reply-To: <CANtk6SjZ028H4vdxhY6TmmpPvwjWE15DOAXPBi8gkg8OkvFynw@mail.gmail.com>
References:  <CANtk6SjZ028H4vdxhY6TmmpPvwjWE15DOAXPBi8gkg8OkvFynw@mail.gmail.com>

----Security_Multipart(Sat_Sep_22_20_46_50_2018_843)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

佐藤です。もう解決しているかも知れませんが...

Hiroo Ono (小野寛生) <hiroo.ono+freebsd@gmail.com> wrote
  in <CANtk6SjZ028H4vdxhY6TmmpPvwjWE15DOAXPBi8gkg8OkvFynw@mail.gmail.com>:

hi> samba4 を Active Directory の DC にしているのですが、こいつを KDC にして NFSv4 で
hi> -sec=krb5 でマウントしたいと考えています。
hi>
hi> https://wiki.freebsd.org/KerberizedNFS
hi> https://lists.samba.org/archive/samba/2014-November/186562.html
hi>
hi> を参考にしました。
hi>
hi> -sec=sys で NFSv4 でマウントできるところまでは確認しました。
hi> その後、下記の手順で keytab を作成して、
hi> # mount_nfs -o nfsv4,sec=krb5 image.oikumene.ukehi.net:/exports/data /mnt
hi>
hi> としたのですが、マウントはできて、ls でファイルのリストは出てくるものの、
hi> # cat /mnt/data.txt
hi> とすると
hi>
hi> nfsv4 err=10016
hi> cat: /mnt/data.txt: Input/output error
hi>
hi> とエラーになります。

 ぱっと読む限りでは、NFS サーバのサービスプリンシパルが
 大文字で書いてあるところが間違いだと思います。
 マウントしてから KDC のログを見るとわかると思いますが、
 この構成なら nfs/image.oikumene.ukehi.net@OIKUMENE.UKEHI.NET という
 プリンシパル名が使われるはずです。

 また、メールにある exports の V4: 行にある "kerb5p" はスペルが間違っています。
 /exports/data は / と同じパーティションであれば -sec のオプションが
 適用されるはずですが、間違えやすいので同じ -sec を付けることをお勧めします。

 プリンシパル名を修正するだけで動くかも知れません。
 ただ、この設定ではマウントする前に kinit しないとサービスプリンシパルのチケットが
 とれないので、起動時にマウントすることができないと思います。

 NFSv4 + Kerberos を設定する場合、次のようにするのがおすすめです。

 * NFS サーバで NFS 用のサービスプリンシパルを作成する

  ドキュメントには kadmin を使った例がありますが、
  kadmind を動かしているのであれば、ktutil を使うと
  新しいプリンシパルの作成と keytab への挿入が一度にできます。

   server# ktutil get nfs/`hostname`

  FQDN として指定している名前は、逆引きが正しく行なえる
  必要があります。DNS で設定するのが一般的ですが、
  KDC, クライアント, サーバで情報が一致していれば良いので
  3 者の /etc/hosts を手動でそろえても動かせます。

 * NFS クライアントで host/FQDN というサービスプリンシパルを作成する

  マウントするためのプリンシパルを作成します。理由は次のとおりです。

  ログインユーザのプリンシパルでもマウントは可能ですが、
  起動時に自動的にマウントするには、
  そのユーザのチケットをあらかじめ keytab に入れるか
  起動のたびに kinit するか、いずれかの作業が必要です。
  ログインユーザのチケットを keytab に入れて使うと
  セキュリティ的に問題なので、通常は専用のプリンシパルを用意します。

  root/FQDN, nfs/FQDN, host/FQDN あたりが良く使われます。
  下記の例は host/FQDN を使う場合です。

   client# ktutil get host/`hostname`

 * $B%5!<%P!&%/%i%$%"%s%H!&(BKDC $B$N;~9o$,9g$C$F$$$k$3$H$r3NG'$9$k(B

  $B$:$l$F$$$k$H%A%1%C%HMW5a$,<:GT$7$^$9!#(B

 * $B%5!<%P!&%/%i%$%"%s%H$G(B gssd $B$,>e$,$C$F$$$k$3$H$r3NG'$9$k(B

  gssd_enable="YES"

 $B$r(B rc.conf $B$K=q$/I,MW$,$"$j$^$9!#(B

 ここまで作業したら、クライアントで次の順番で動作を確認します。

 1. kdestroy して、自分のユーザプリンシパルのチケットのキャッシュを消す。

 2. クライアントでマウントする。

    client# mount -o rw,nfsv4,sec=krb5p,gssname=host,noinet6 server.fqdn:/dir /mnt

    クライアントは KDC に host/FQDN でアクセスし、サーバの nfs/FQDN (上の例だと
    nfs/server.fqdn) のチケットを取り出します。ここで err=10016 が出る場合、
    上記の準備のどれかが欠けています。KDC 側のアクセスログを調べて、
    ちゃんとチケットを取りにいっているか確認しましょう。

 3. ls -al /mnt してみる。

    ここでは次のエラーが出るはずで、エラーが出るのが正しいです。

    nfsv4 err=10016
    ls: /mnt: Input/output error

 4. kinit する。

    自分のユーザで kinit し、チケットを取ります。

 5. もう一度 ls -al /mnt する。

    今度はエラーにならないはずですが、owner の情報が
    nobody:nogroup になって見えると思います。

    このアクセスの際、nfs/FQDN のチケットを取得します。
    3 で失敗するのは、kinit する前は TGT がないので nfs/FQDN が
    取得できないのが原因です。
    ここで klist を実行すると、nfs/FQDN のチケットを
    取っていることがわかります。

 6. nfsuserd をサーバ・クライアントで起動する

    rc.conf に nfsuserd_enable="YES" として
    デーモンを起動します。

 7. もう一度 ls -al /mnt する。

    owner がきちんと表示されるはずです。
    NFSv4 はサーバから UID を数値ではなく文字列で送るため、
    サーバと同じ名前のユーザがクライアントに存在しない場合は
    nobody:nogroup になります。

 確認できたら、rc.conf と fstab に設定を書き込んで再起動させ、
 自動でマウントされるかどうか確認すると良いでしょう。
 gssd が上がらないとマウントに失敗しますので、fstab には late オプションを
 指定しておくと良いかも知れません。

-- Hiroki

----Security_Multipart(Sat_Sep_22_20_46_50_2018_843)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAlumK6oACgkQTyzT2CeTzy3daACeO1eSJ/mcaNzslpo72jQZXjqs
u/0AoIOW1OJ1P9l9MjLP38SUVJcWoI5K
=Uvdu
-----END PGP SIGNATURE-----

----Security_Multipart(Sat_Sep_22_20_46_50_2018_843)----


