Home / server / Questions / 577589
In Process
Mike
Asked: 2014-02-23 07:36:10 +0800 CST

Windows 7 NFS Client Using Kerberos and Linux KDC

  • 772

I am trying to configure a Windows 7 Enterprise client to mount a NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC.

The setup is:

  • IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-server)
  • NFS Server (OS: Scientific Linux 6.4, Pkg: nfs-utils)
  • Windows 7 Client (OS: Enterprise 64-bit, Feature: Client for NFS)

Steps:

  1. On IPA Server, create a principal for the windows client, with a password:

    ipa host-add --ip-address=10.10.0.100 win7ent-client.contoso.com
ipa-getkeytab -s ipa.contoso.com -p host/win7ent-client.contoso.com -k win7ent-client.keytab -P
^
| 
This will create a principal and register the client with IPA server
Set a random password - e.g. - jU96e3Urp6

    Add NFS service for the client:

    ipa service-add nfs/win7ent-client.contoso.com

  2. On the Windows client:

    ksetup /setdomain CONTOSO.COM
ksetup /setmachpassword <password set on step 1>
ksetup /addrealmflags CONTOSO.COM sendaddress delegate
ksetup /mapuser * *

    Reboot Windows Client

    Run:

    ksetup.exe /DumpState

    This shows the current configuration:

    default realm = CONTOSO.COM (external)
CONTOSO.COM:
    (no kdc entries for this realm)
    Realm Flags = 0x5 SendAddress Delegate
Mapping all users (*) to a local account by the same name (*).

    On the Windows client create a local user, a password is not necessary, with a name that exists on the IPA server. Or else you'll get the error - 1332: No mapping between account names and security IDs was done

    Test that you can get a ticket as the user:

    runas /user:[email protected] cmd

    In the new command window, run:

    klist

    This will output the current ticket info:

    Current LogonId is 0:0x6c70e

    Cached Tickets: (1)

#0> Client: joe @ CONTOSO.COM
    Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
    Start Time: 2/22/2014 5:22:07 (local)
    End Time:   2/23/2014 5:22:07 (local)
    Renew Time: 3/1/2014 5:22:07 (local)
    Session Key Type: AES-256-CTS-HMAC-SHA1-96

  3. NFS Server Configuration

    mkdir -p /winshare/joe
chown -R joe:joe/winshare/joe
exportfs -o rw,sec=krb5 *:/winshare/joe

When trying to mount the share above on the Windows client:

mount -o sec=krb5 nfs.contoso.com:/winshare/joe E:

I get the following error:

Network Error - 121

Type 'NET HELPMSG 121' for more information.

C:\Windows\system32>NET HELPMSG 121

The semaphore timeout period has expired.

Attempt to use ms-nfs41-client-x64 also fails:

C:\Users\joe\Desktop\ms-nfs41-client-x64>nfs_mount.exe -o sec=krb5 * nfs.contoso.com:/winshare/joe

WNetUseConnection(*:, \\nfs.contoso.com\winshare\joe) failed with error code 1231.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
  1. NFS share using sec=sys works
  2. Logging in to the Windows-7 client as joe works.
  3. Putty to NFS server after Windows logging works (as long as you install MIT Kerberos client for windows first).

The only thing that doesn't work is NFS when using Kerberos.

windows-7

1 Answers

  1. As far as I know this step is likely not needed:

    Add NFS service for the client:

    ipa service-add nfs/win7ent-client.contoso.com

    You need nfs service for a server.

    If you are sure that you need nfs service for Windows client, then very likely it should use exactly the same password as the host principal for that client.

    Additionally: have you enabled secure nfs on the server? I don't remember specifics as I moved to CentOS 7 looong ago (systemctl (enable|start) nfs-secure are your friends there), but I think you should look for this in /etc/sysconfig/nfs.

    • 1