I am trying to configure a Windows 7 Enterprise client to mount a NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC.
The setup is:
- IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-server)
- NFS Server (OS: Scientific Linux 6.4, Pkg: nfs-utils)
- Windows 7 Client (OS: Enterprise 64-bit, Feature: Client for NFS)
Steps:
On the IPA server, create a principal for the Windows client, with a password:
ipa host-add --ip-address=10.10.0.100 win7ent-client.contoso.com
ipa-getkeytab -s ipa.contoso.com -p host/win7ent-client.contoso.com -k win7ent-client.keytab -P
This will create a principal and register the client with the IPA server. The -P option asks for a password; set a random one, e.g. jU96e3Urp6.
Add NFS service for the client:
ipa service-add nfs/win7ent-client.contoso.com
On the Windows client:
ksetup /setdomain CONTOSO.COM
ksetup /setmachpassword <password set in step 1>
ksetup /addrealmflags CONTOSO.COM sendaddress delegate
ksetup /mapuser * *
Reboot Windows Client
Run:
ksetup.exe /DumpState
This shows the current configuration:
default realm = CONTOSO.COM (external)
CONTOSO.COM:
    (no kdc entries for this realm)
    Realm Flags = 0x5 SendAddress Delegate
Mapping all users (*) to a local account by the same name (*).
On the Windows client, create a local user (a password is not necessary) with a name that exists on the IPA server. Otherwise you'll get the error - 1332: No mapping between account names and security IDs was done
Test that you can get a ticket as the user:
runas /user:joe@CONTOSO.COM cmd
In the new command window, run:
klist
This will output the current ticket info:
Current LogonId is 0:0x6c70e
Cached Tickets: (1)

#0>     Client: joe @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/22/2014 5:22:07 (local)
        End Time:   2/23/2014 5:22:07 (local)
        Renew Time: 3/1/2014 5:22:07 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
NFS Server Configuration
mkdir -p /winshare/joe
chown -R joe:joe /winshare/joe
exportfs -o rw,sec=krb5 *:/winshare/joe
When trying to mount the share above on the Windows client:
mount -o sec=krb5 nfs.contoso.com:/winshare/joe E:
I get the following error:
Network Error - 121
Type 'NET HELPMSG 121' for more information.
C:\Windows\system32>NET HELPMSG 121
The semaphore timeout period has expired.
An attempt to use ms-nfs41-client-x64 also fails:
C:\Users\joe\Desktop\ms-nfs41-client-x64>nfs_mount.exe -o sec=krb5 * nfs.contoso.com:/winshare/joe
WNetUseConnection(*:, \\nfs.contoso.com\winshare\joe) failed with error code 1231.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
- NFS share using sec=sys works
- Logging in to the Windows-7 client as joe works.
- PuTTY to the NFS server after Windows login works (as long as you install the MIT Kerberos client for Windows first).
The only thing that doesn't work is NFS when using Kerberos.
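An added example, not part of the question above: a Python script that parses the `klist` output quoted in the question, decodes the `Ticket Flags` and `Realm Flags` bitmasks against the Windows KERB_TICKET_FLAGS and ksetup realm-flag tables, checks whether a service ticket for the NFS server is cached, and reviews the export's `sec=` flavour from a defensive standpoint. The sample input is the question's klist output re-split into lines (constructed here); the service principal name `nfs/nfs.contoso.com` is an assumption about what the NFS server would present.

```python
import re

# Windows KERB_TICKET_FLAGS bit values, as shown by "klist" under "Ticket Flags".
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize",
}

# ksetup realm-flag bits, as shown by "ksetup /DumpState" under "Realm Flags".
REALM_FLAGS = {0x01: "SendAddress", 0x02: "TcpSupported", 0x04: "Delegate",
               0x08: "NcSupported", 0x80: "RC4"}

# What each exportfs sec= flavour actually protects.
SEC_FLAVORS = {
    "sys":   "AUTH_SYS: no Kerberos, client-asserted UIDs are trusted",
    "krb5":  "Kerberos authentication only; NFS traffic is neither signed nor encrypted",
    "krb5i": "Kerberos authentication plus integrity (signed RPCs)",
    "krb5p": "Kerberos authentication, integrity and privacy (encrypted RPCs)",
}

# Constructed sample: the klist output from the question, one field per line.
KLIST_OUTPUT = """Current LogonId is 0:0x6c70e

Cached Tickets: (1)

#0>     Client: joe @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/22/2014 5:22:07 (local)
        End Time:   2/23/2014 5:22:07 (local)
        Renew Time: 3/1/2014 5:22:07 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""


def decode_flags(value, table):
    """Return (flag names set in value, bits not covered by the table)."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    return names, value & ~known


def parse_klist(text):
    """Parse Windows klist output into a list of ticket dicts."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        client = re.search(r"Client:\s*(\S+)\s*@\s*(\S+)", block)
        server = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", block)
        enc = re.search(r"KerbTicket Encryption Type:\s*(\S+)", block)
        flags = re.search(r"Ticket Flags\s+(0x[0-9a-fA-F]+)", block)
        if not (client and server and flags):
            continue  # skip blocks that are not a complete ticket entry
        tickets.append({
            "client": f"{client.group(1)}@{client.group(2)}",
            "server": f"{server.group(1)}@{server.group(2)}",
            "enctype": enc.group(1) if enc else "",
            "flags": int(flags.group(1), 16),
        })
    return tickets


def has_service_ticket(tickets, service):
    """True if a ticket for the given service principal (e.g. nfs/host) is cached."""
    return any(t["server"].startswith(service + "@") for t in tickets)


def export_sec_flavors(options):
    """Return the sec= flavours from an exportfs option string; sys is the default."""
    for opt in options.split(","):
        if opt.startswith("sec="):
            return opt[len("sec="):].split(":")
    return ["sys"]


def assess(tickets, realm_flag_word, export_options):
    """Security review of cached tickets, realm flags and the export options."""
    findings = []
    realm_names, _ = decode_flags(realm_flag_word, REALM_FLAGS)
    for t in tickets:
        names, unknown = decode_flags(t["flags"], TICKET_FLAGS)
        if unknown:
            findings.append(f"{t['server']}: undecoded flag bits 0x{unknown:08x}")
        if "forwardable" in names and "Delegate" in realm_names:
            findings.append(f"{t['server']}: forwardable TGT and realm flag Delegate: "
                            "the client will forward its TGT to every service in the realm, "
                            "not just the NFS server")
        if "RC4" in t["enctype"] or "DES" in t["enctype"]:
            findings.append(f"{t['server']}: weak encryption type {t['enctype']}")
    for flavor in export_sec_flavors(export_options):
        if flavor == "sys":
            findings.append("export allows sec=sys: " + SEC_FLAVORS["sys"])
        elif flavor == "krb5":
            findings.append("export uses sec=krb5: " + SEC_FLAVORS["krb5"]
                            + "; krb5i or krb5p is stronger")
    return findings


if __name__ == "__main__":
    cached = parse_klist(KLIST_OUTPUT)
    for t in cached:
        print(t["server"], decode_flags(t["flags"], TICKET_FLAGS)[0])
    if not has_service_ticket(cached, "nfs/nfs.contoso.com"):  # assumed SPN
        print("no nfs/ service ticket cached; if this is still true after the mount "
              "attempt, the client never obtained a ticket for the NFS server")
    for f in assess(cached, 0x5, "rw,sec=krb5"):
        print(" -", f)
```

Run it after a mount attempt with the real `klist` output pasted into `KLIST_OUTPUT`: a `krbtgt/` entry alone means the TGS exchange for the NFS server's principal never happened, which is a different problem from the server rejecting the RPCSEC_GSS context. The `Delegate` realm flag set together with `ksetup /mapuser * *` is worth narrowing once the mount works, since both widen what a compromised client or a same-named local account can do.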