Tracy_Baker
Starfighter Starfighter
Starfighter
  • 1,249 Views

Anyone else having issues with Kerberized NFS labs?

Jump to solution

I'll keep this one fairly simple: Is anyone else having issues with the Kerberized NFS labs in RH134 and RH254 (or, in the case of the comprehensive review labs, the Kerberized [encrypted] NFS sections)?

It seems, in our case, that either they work . . . or they don't.

When they don't work, there doesn't seem to be anything that we can do to make them work, short of resetting the server and desktop and starting over (and crossing fingers that'll work this time).

It also doesn't seem to make a difference what environment is being used (Netlab or DIY lab).

  • The RH134 comprehensive review one works much more often than not.
  • The RH254 comprehensive review works some of the time.

On a related note:

We have never gotten the RH254 chapter 8.9 one, the one that uses NFS v4.2, to work as it should -- the grading script normally comes back with a SUCCESS as it simply checks for the existence of the mount point and that the services are running on the client.

However, the student cannot then create a file in /mnt/securespace on the desktop machine (which is the /krbnfs directory being exported from the server). Granted, this isn't part of the instructions, but it is the whole point of mounting an exported directory.

Anyway... Anyone else having Kerberized NFS issues? Any suggetions?

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
0 Kudos
1 Solution

Accepted Solutions
Tracy_Baker
Starfighter Starfighter
Starfighter
  • 1,224 Views

@ricardodacosta

I am exposing my ignorance with regard to Kerberos. With that said:

[1] We have been wondering if the time synchronization has been an issue. I've been led to understand that the two systems need to be synchronized very closely (I was told that the differenece must be within be 200 msec -- but then I read about 5 min) or the authentication will fail. We are thinking that this is the root of the problem

[2] (wget -- with renaming the file and saving it to /etc/), [4] (krb5p option), [5] (services) and [6] (firewall) are part of the specific things that students are instructed to do when doing the lab -- as appropriate when working on the client or the server..

[3] (strings), [7] (kinit) are not part of the lab's instructions. I always appreciate ways to verify/validate the work that has to be done. When I re-wrote the RH124, RH134, RH254 labs, I included many extra steps to get the students to verify their work.

I'll have to look into this more during our winter break. Thanks for the suggestions.

 

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College

View solution in original post

0 Kudos
3 Replies
ricardodacosta
Moderator
Moderator
  • 1,241 Views

Hey Tracy

A few tips:

 

[1] Check that time is synchronized between the kerberized elements.

[2] Make sure that you have downloaded the keytab file correctly, being mindful that the command used is:

wget -O /etc/krb5.keytab http://classroom.example.com/ pub/keytabs/desktopX.keytab

This is an uppercase O as in Oscar. You're downloading the source file (the last argument) from http://classroom.example.com/pub/keytabs/desktopX.keytab and saving it to /etc/krb5.keytab

Also, you need to replace X with the number of your virtual machine.

[3] Verify that the download is good by running this command:

strings /etc/krb5.keytab

What you should see if your hostname (as per the hostname command), and your Kerberos realm name. Running the same command on serverX won't work as the keytab is created on a per host basis, so you need to download the appropriate file for the serverX machine.

[4] Make sure that the option sec=krb5p is used by both the NFS server exporting the share, and the client to mount the share.

[5] Verify that the necessary services are started: nfs-secure on the kerberized NFS client (for RH134), and nfs-secure-server for the kerberized NFS server (for RH254)

[6] Make sure that the firewall allows for NFS communication on the NFS server

[7] Make sure that you have a valid Kerberos ticket, check the output of:

kinit list

and if you don't have a Kerberos ticket, use

kinit

The labs work - and are fun! Please reach out to us if you still have issues, and if you have further questions. 

----------------------------------------------------------------------------------


If you're satisfied with the solutions provided please mark the solution as ACCEPTED.

Don't forget to thank those who helped you out with kudos!

0 Kudos
Tracy_Baker
Starfighter Starfighter
Starfighter
  • 1,023 Views

I know it has been a long time -- I didn't get to this during winter break after all. Anyway, I did mess with the Kerberized NFS practice lab just now, and it worked.

I will be doing the chapter ending one very soon. I'll see how that goes.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
0 Kudos
Tracy_Baker
Starfighter Starfighter
Starfighter
  • 1,225 Views

@ricardodacosta

I am exposing my ignorance with regard to Kerberos. With that said:

[1] We have been wondering if the time synchronization has been an issue. I've been led to understand that the two systems need to be synchronized very closely (I was told that the differenece must be within be 200 msec -- but then I read about 5 min) or the authentication will fail. We are thinking that this is the root of the problem

[2] (wget -- with renaming the file and saving it to /etc/), [4] (krb5p option), [5] (services) and [6] (firewall) are part of the specific things that students are instructed to do when doing the lab -- as appropriate when working on the client or the server..

[3] (strings), [7] (kinit) are not part of the lab's instructions. I always appreciate ways to verify/validate the work that has to be done. When I re-wrote the RH124, RH134, RH254 labs, I included many extra steps to get the students to verify their work.

I'll have to look into this more during our winter break. Thanks for the suggestions.

 

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
0 Kudos
Join the discussion
You must log in to join this conversation.