Unable to mount NFS shared file with Kerberos

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Unable to mount NFS shared file with Kerberos

Post by hunter86_bg » 2017/08/05 20:04:21

If so, be advised that instead of copying the "p12" certificate, you need the pem certificate that is located at "/etc/pki/tls/cert.pem" on the ipa server.

qwerty1111
Posts: 25
Joined: 2016/11/23 13:22:32

Re: Unable to mount NFS shared file with Kerberos

Post by qwerty1111 » 2017/08/07 14:19:13

Hi,

What does it change if I do cp /etc/pki/tls/cert.pem /var/ftp/pub instead of cp /root/cacert.p12 /var/ftp/pub as mentioned in the lisenet tutorial?

Thank you

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Unable to mount NFS shared file with Kerberos

Post by hunter86_bg » 2017/08/07 16:32:09

The "authconfig" (cli), "authconfig-tui" (tui) and "authconfig-gtk" (graphical) tools cannot work with p12 certificates, and thus you won't be able to use ldaps against the FreeIPA server.

qwerty1111
Posts: 25
Joined: 2016/11/23 13:22:32

Re: Unable to mount NFS shared file with Kerberos

Post by qwerty1111 » 2017/08/09 14:37:50

Thank you for everything, that has been very helpful.
I haven't completed everything yet but will keep you posted in case I have further issues :)

qwerty1111
Posts: 25
Joined: 2016/11/23 13:22:32

Re: Unable to mount NFS shared file with Kerberos

Post by qwerty1111 » 2017/08/10 12:46:23

I tried to understand why it didn't work the first time and I decided to reinstall everything, and now I have the same issue again after I reinstalled everything.

I followed the steps in the lisenet FreeIPA tutorial link provided (I actually created new VMs from scratch at the beginning) but I still cannot mount an NFS shared folder.

[root@server2 ~]# cat /etc/redhat-release

[root@server2 ~]# cat /etc/hosts ( similar for the 3 VM’s)
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.4.30 server1.car.local server1
192.168.4.31 server2.car.local server2
192.168.4.32 server3.car.local server3

[root@server1 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)



[root@server2 ~]# dig server1.car.local

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> server1.car.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3787
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;server1.car.local. IN A

;; AUTHORITY SECTION:
. 86397 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017081000 1800 900 604800 86400

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 10 13:40:32 BST 2017
;; MSG SIZE rcvd: 121

[root@server2 ~]#
[root@server2 ~]# dig server2.car.local

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> server2.car.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14458
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;server2.car.local. IN A

;; AUTHORITY SECTION:
. 86388 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017081000 1800 900 604800 86400

;; Query time: 43 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 10 13:40:40 BST 2017
;; MSG SIZE rcvd: 121

[root@server2 ~]#
[root@server2 ~]#
[root@server2 ~]# dig server3.car.local

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> server3.car.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47105
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;server3.car.local. IN A

;; AUTHORITY SECTION:
. 86398 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017081000 1800 900 604800 86400

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 10 13:40:50 BST 2017
;; MSG SIZE rcvd: 121
**********************************Server2 ( NFS SERVER)*********************************
vim /etc/exports
/nfssecure *.*.local(sec=krb5p,rw,sync)
[root@server2 ~]# showmount -e localhost
Export list for localhost:
/nfssecure *.*.local
[root@server2 ~]#
**********************************Server2 ( NFS SERVER)*********************************
********************************** Server 3 NFS CLIENT***********************************
Server 3 NFS CLIENT
[root@server3 ~]# mount -a
mount.nfs: an incorrect mount option was specified
fstab file:
server2.car.local:/nfssecure /secure nfs defaults.v4.2,sec=krb5p,sync 0 0

Manually, I got the following result
[root@server3 ~]# mount -o nfsvers=4.2,sec=krb5p 192.168.4.31:/nfssecure /secure
mount.nfs: access denied by server while mounting 192.168.4.31:/nfssecure

********************************** Server 3 NFS CLIENT***********************************
Thank you for your help
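
Added example, not part of the original posts: mount(8) splits the fstab options field on commas, so `defaults.v4.2` in the entry above reaches mount.nfs as a single token. The sketch below reports such tokens for NFS entries; the function names and the allowlist are assumptions made for this example and cover only a subset of the options in nfs(5) and mount(8).

```shell
#!/bin/sh
# Added example: report NFS mount options that are not recognised tokens.
# KNOWN_FLAGS and KNOWN_KEYS are a partial allowlist assumed for this example;
# nfs(5) and mount(8) document more options than are listed here.
KNOWN_FLAGS="defaults rw ro sync async hard soft noauto _netdev nofail"
KNOWN_KEYS="sec vers nfsvers proto port rsize wsize timeo retrans"

# bad_nfs_opts OPTIONS: print every comma-separated token that is neither a
# known flag nor key=value with a known key, one per line.
bad_nfs_opts() {
    old_ifs=$IFS; IFS=,; set -f
    for tok in $1; do
        case $tok in
            *=*) key=${tok%%=*}; list=$KNOWN_KEYS ;;
            *)   key=$tok;       list=$KNOWN_FLAGS ;;
        esac
        case " $list " in
            *" $key "*) ;;
            *) printf '%s\n' "$tok" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# check_fstab FILE: run bad_nfs_opts on each nfs/nfs4 entry; print
# "<device> <mountpoint>: <token>" per finding and return 1 if there are any.
check_fstab() {
    rc=0
    while read -r dev mnt type opts _rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $type in nfs|nfs4) ;; *) continue ;; esac
        for bad in $(bad_nfs_opts "$opts"); do
            printf '%s %s: %s\n' "$dev" "$mnt" "$bad"
            rc=1
        done
    done < "$1"
    return $rc
}

# Constructed sample: entry 1 is the fstab line from the post above, entry 2
# reuses the options of the manual mount command from the same post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server2.car.local:/nfssecure /secure nfs defaults.v4.2,sec=krb5p,sync 0 0
server2.car.local:/nfssecure /secure nfs nfsvers=4.2,sec=krb5p 0 0
EOF
check_fstab "$sample" || echo "correct the tokens listed above, then retry mount -a"
rm -f "$sample"
```

The options from the manual mount pass this check, and that mount fails with a different message (access denied by server), so the fstab token and the server-side denial are separate problems to work through.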

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Unable to mount NFS shared file with Kerberos

Post by hunter86_bg » 2017/08/10 13:39:29

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

Easier is just to try this way:

dig +short server1.car.local server2.car.local server3.car.local
It should return your IPs as per the "/etc/hosts"
Define the FreeIPA server as your DNS...
Last edited by hunter86_bg on 2017/08/10 13:45:49, edited 1 time in total.

qwerty1111
Posts: 25
Joined: 2016/11/23 13:22:32

Re: Unable to mount NFS shared file with Kerberos

Post by qwerty1111 » 2017/08/10 13:45:15

There is no output..

[root@server1 ~]# dig +short server1.car.local server2.car.local server3.car.local
[root@server1 ~]#

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to mount NFS shared file with Kerberos

Post by TrevorH » 2017/08/10 13:52:44

Does dig even look at /etc/hosts? The man page seems to imply not...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

qwerty1111
Posts: 25
Joined: 2016/11/23 13:22:32

Re: Unable to mount NFS shared file with Kerberos

Post by qwerty1111 » 2017/08/10 14:11:29

I tried to define the FreeIPA server as my DNS many times during my previous tests, but then I'm unable to complete the ipa-server-install --setup-dns as per the instructions in the lisenet tutorial.

The only solution to complete the ipa-server-install --setup-dns was to leave the DNS as 8.8.8.8

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Unable to mount NFS shared file with Kerberos

Post by hunter86_bg » 2017/08/11 18:27:20

What is the error when installing FreeIPA with DNS?
There are some changes in IPA introduced with RHEL7.2
