Ubuntu – NFSv3 with Kerberos “unmatched host” error


I've set up NFSv4 using Kerberos (works great), but now I need to add NFSv3 with Kerberos. When trying to mount the NFSv3 export, I get a permission needed error on the client, and on the server the error is "unmatched host".

In /etc/exports I just have:
/test gss/krb5(rw,sync)

The "unmatched host" error usually means that you haven't specified that the client can access the server in the export file. But with Kerberos you shouldn't need to. The export man file states:

RPCSEC_GSS security
To restrict access to an export using rpcsec_gss security, use the special string "gss/krb5" as the client. It is not possible to simultaneously require rpcsec_gss and to make requirements on the IP address of the client.

I'm pretty sure Kerberos is set up correctly (again, NFSv4 with Kerberos works) and from what I've read on the web, I think the NFS server is set up correctly (settings are below) and the necessary services are running. I'm currently testing on Ubuntu 10.4, but had the same problem on Novell SLED 10.3.

Does anyone have an idea what I could be doing wrong, or can anyone point me to an NFSv3 w/Kerberos how-to?

nfs-common:
NEED_STATD=yes
STATDOPTS=
NEED_IDMAPD=no
NEED_GSSD=yes

nfs-kernel-server:
RPCNFSDCOUNT="8 --no-nfs-version 4  --no-nfs-version 2"
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=" -vvv "

Best Answer

I'm actually using NFS v3 + Kerberos between some boxes at home (mix of CentOS 5 and Gentoo clients and servers, with Gentoo KDCs). To get it to work, I ended up using an /etc/exports entry that looks like:

/export hostname.local.lan(rw,insecure,sync,sec=krb5p:krb5i:krb5)

On the client, /etc/fstab contains:

hostname.local.lan:/export   /nfs/hostname/export   nfs sec=krb5p,nfsvers=3,mountvers=3,proto=tcp,acl,rw,soft,bg,intr 0 0

When mounted, 'mount' returns the following for that filesystem:

hostname.local.lan:/export on /nfs/hostname/export type nfs (rw,sec=krb5p,nfsvers=3,mountvers=3,proto=tcp,acl,soft,bg,intr,addr=192.168.1.15)

From the NFSv4 experiments, I do still have rpc.idmapd running, but I don't think it's needed for v3.

The last tricky bit was the /etc/exports bit when I set it up. A lot of tutorials list something else like the gss/krb5 export entry you have above, but that never worked for me, although if you read the nfs utils source, it looks like it should.

I hope this steers someone else in the right direction. Good luck.
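
A small check for the setup discussed above, added here as an example and not part of the original question or answer: it parses one /etc/exports line and one `mount` output line and reports which security flavors the export accepts versus what the client actually negotiated. The function names and the `want` parameter are hypothetical, and the parsers handle only the single-line forms shown on this page.

```python
import re

# Weakest to strongest: sys (AUTH_SYS), krb5 (auth), krb5i (+integrity), krb5p (+privacy)
STRENGTH = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

def parse_export(line):
    """Return (path, {client: [flavors]}) for one single-line /etc/exports entry."""
    path, *specs = line.split()
    clients = {}
    for spec in specs:
        m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
        client, opts = m.group(1), (m.group(2) or "").split(",")
        if client.startswith("gss/"):        # pseudo-client form, e.g. gss/krb5
            clients[client] = [client.split("/", 1)[1]]
        else:                                # sec= list; exports(5) default is sys
            sec = [o[4:] for o in opts if o.startswith("sec=")]
            clients[client] = sec[0].split(":") if sec else ["sys"]
    return path, clients

def parse_mount(line):
    """Parse one 'server:/path on /mnt type nfs (opts)' line from mount output."""
    m = re.fullmatch(r"(\S+):(\S+) on (\S+) type (\S+) \((.*)\)", line.strip())
    opts = dict(o.partition("=")[::2] for o in m.group(5).split(","))
    return {"server": m.group(1), "path": m.group(2), "opts": opts}

def audit(export_line, mount_line, want="krb5p"):
    """List mismatches between what is exported and what the client negotiated."""
    _, clients = parse_export(export_line)
    mnt = parse_mount(mount_line)
    used = mnt["opts"].get("sec", "sys")     # assumption: no sec= shown means sys
    findings = []
    for client, flavors in clients.items():
        if client.startswith("gss/"):
            findings.append(f"{client}: gss/ client form, deprecated in favour of sec=")
        weaker = [f for f in flavors if STRENGTH.get(f, -1) < STRENGTH[want]]
        if weaker:
            findings.append(f"{client}: also accepts weaker {weaker}")
    if not any(used in flavors for flavors in clients.values()):
        findings.append(f"mounted sec={used} is not offered by the export")
    if STRENGTH.get(used, -1) < STRENGTH[want]:
        findings.append(f"mounted with sec={used}, wanted {want}")
    return findings

if __name__ == "__main__":
    # Both sample lines are copied from the answer above.
    exp = "/export hostname.local.lan(rw,insecure,sync,sec=krb5p:krb5i:krb5)"
    mnt = ("hostname.local.lan:/export on /nfs/hostname/export type nfs "
           "(rw,sec=krb5p,nfsvers=3,mountvers=3,proto=tcp,acl,soft,bg,intr,addr=192.168.1.15)")
    print("\n".join(audit(exp, mnt)))
```

Run against the answer's own lines, it reports that the export also accepts krb5i and krb5, so a client that asks for a weaker flavor than krb5p would still be allowed to mount.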
