Hi all,

over the last few days I found a little time to have a look into the issue of using NFSv4 (and perhaps Kerberos) to mount the home directories.

I first configured NFS4 to export the home directories. After that I tried Kerberos authentication. However, I observed that it works only in some cases; in most of the attempts to mount the share, a missing principal of the form nfs/x...@intern was reported, where XXX is one of the hostnames (and not tjener.intern) reported by this command:

    r...@tjener:~# host 10.0.2.2
    2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
    2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
    2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
    2.2.0.10.in-addr.arpa domain name pointer domain.intern.
    2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
    2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

If I understand things correctly, mounting the share with

    mount -t nfs4 -o sec=krb5 tjener.intern:/ /skole/tjener/

converts tjener.intern into an IP address and that address back to the (fully qualified) hostname. So only if by chance tjener.intern is used for the lookup, the (existing) nfs/tjener.int...@intern principal is used and things work as they should. If another hostname is used, things fail because there is no corresponding service principal.

I tried to find the reason for these corresponding A-records; they have been changed in commit 71704.
(<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-bootstrap/?rev=71704&sc=1>)

I am not an expert regarding that stuff and I don't know if there are other ways to achieve the desired result. However, it looks as if, with the current setup, we need service principals for all host aliases.

Best regards,
Andi
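
The mismatch described in the message, as an added example that is not part of the original post: it lists every name the reverse lookup can return and reports which of them have no nfs/ service principal in the server keytab. The realm name INTERN, the `klist -k` sample and the function names are assumptions; the `host` output is copied from the message.

```python
import re

# Sample input: the `host 10.0.2.2` output quoted in the message.
HOST_OUTPUT = """\
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
"""

# Constructed sample of `klist -k` output on the server.
# The realm INTERN and the KVNO values are assumptions.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/tjener.intern@INTERN
   2 nfs/tjener.intern@INTERN
"""

def ptr_names(host_output):
    """Hostnames a reverse lookup may return (DNS does not fix the order)."""
    names = re.findall(r"domain name pointer (\S+)", host_output)
    return [n.rstrip(".").lower() for n in names]

def keytab_principals(klist_output):
    """Principals from `klist -k` lines of the form '<kvno> <principal>'."""
    pattern = r"^\s*\d+\s+(\S+@\S+)\s*$"
    return {m.group(1) for m in re.finditer(pattern, klist_output, re.M)}

def missing_nfs_principals(host_output, klist_output, realm):
    """nfs/<name>@<realm> principals a client may request but the keytab lacks."""
    have = keytab_principals(klist_output)
    want = [f"nfs/{name}@{realm}" for name in ptr_names(host_output)]
    return sorted(p for p in want if p not in have)

if __name__ == "__main__":
    names = ptr_names(HOST_OUTPUT)
    missing = missing_nfs_principals(HOST_OUTPUT, KLIST_OUTPUT, "INTERN")
    print(f"{len(names)} PTR names, {len(missing)} without an nfs/ principal:")
    for principal in missing:
        print("  " + principal)
```

With six PTR names and a single nfs/ principal, five of the six possible reverse-lookup results lead to a failed mount, which matches the "works only in some cases" observation.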