Mount Homedisk

From Cncz
Revision as of 10:51, 1 October 2018 by Jzelenka2 (talk | contribs)

Mounting home (U:) drive on Linux via NFS/Kerberos

About NFS

Quote from the NFS wiki entry:

   Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.

At C&CZ, the Kerberos ticket system is used to ensure security.

Every @science user has their own shared home drive, as referred here.


You need a krb5.keytab file generated by C&CZ. If you do not have one, please contact C&CZ and one will be generated for you.


For Kerberos to work you must be within the realm, that is, either connected directly to the network or tunneled in through the VPN.

Rename the file provided by C&CZ to krb5.keytab and move it to the /etc/ folder, then change its mode to rw------- (600) and its ownership to root:root. Afterwards, the file should look like this:

[chuck@uberpc ~]$ ls -l /etc/krb5.keytab
-rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab

Next, configure Kerberos in your krb5.conf. For portable PCs (notebooks), the finished file should look like this:

[chuck@uberpc ~]$ cat /etc/krb5.conf
# RU krb5config

        default_realm = SCIENCE.RU.NL
        forwardable = yes
        forward = yes
        encrypt = yes
        srv_lookup = no
        srv_try_txt = no
        no-addresses = yes
        rdns = no
        allow_weak_crypto = yes

            admin_server =

[domain_realm] = SCIENCE.RU.NL = SCIENCE.RU.NL

On desktop PCs within the university, the rdns = no parameter should be omitted. After setting up Kerberos, try the "kinit $USERNAME" command, substituting your science login name for $USERNAME. For simplicity, the science user Chuck Norris (username cnorris) is used as an example. Run kinit with your science password and check with the klist command that the ticket has been issued:

[chuck@uberpc ~]$ kinit cnorris
Password for :
[chuck@uberpc ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: 

Valid starting       Expires              Service principal
01/01/2018 06:06:06  01/02/2018 06:06:06  krbtgt/

To proceed with the mount, we need to determine which folder on the server to mount. A fast way to find out is to execute this command:

[chuck@uberpc ~]$ ssh """mount | grep nfs | grep cnorris"""

The output should be similar to this:

's password:
on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=

From the output of the above command we can see that Chuck Norris's home drive is located in /VGsda66, so that is the directory we will attempt to mount.

Now that you know the proper mount path and Kerberos is set up, you need working NFS software on your Unix PC. On Arch Linux this is the nfs-utils package; in other distributions NFS will most probably come preinstalled. Ensure that rpc-gssd.service is up and running, as it is vital for the Kerberos authentication procedure, as referred here.

If rpc-gssd.service is NOT running, the output will look similar to this:

[root@uberpc cnorris]# mount -t nfs /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:23:39 2018
mount.nfs: trying text-based options 'vers=4.2,addr=,clientaddr='
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr='
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying prog 100005 vers 3 prot UDP port 656
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified

When rpc-gssd.service is up and running as it should be, the output will look similar to this:

[root@uberpc cnorris]# mount -t nfs /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:24:09 2018
mount.nfs: trying text-based options 'vers=4.2,addr=,clientaddr='
[root@uberpc cnorris]#

If you have an active Kerberos ticket, you should now be able to list the contents of the /mnt/ directory.

[chuck@uberpc ~]$ ls /mnt/
'$RECYCLE.BIN'/   desktop.ini    /MK_ultra_results    /answer_to_42.txt    /cancer_cure

When finished, please umount /mnt/ and destroy the ticket with the kdestroy command.
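
The prerequisites from the steps above (keytab mode and ownership, a valid ticket, a running rpc-gssd.service) can be checked in one go before mounting. The script below is an added example, not part of the original page; its function names are hypothetical, and it assumes GNU stat, a klist that supports -s, and systemd.

```shell
# Added example: pre-mount checks for the Kerberos/NFS setup described above.
# Assumes GNU coreutils stat, a klist that supports -s, and systemd.
# All function names are hypothetical.

# check_keytab FILE [OWNER:GROUP]: succeed only if FILE is a regular file,
# mode 600, owned by OWNER:GROUP (default root:root, as required above).
check_keytab() {
    file=$1
    want_owner=${2:-root:root}
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%U:%G' "$file") || return 1
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $want_owner" >&2
        return 1
    fi
    return 0
}

# check_ticket: klist -s prints nothing and exits non-zero when the
# credential cache is missing or holds only expired tickets.
check_ticket() {
    klist -s 2>/dev/null
}

# check_gssd: rpc-gssd.service must be active for Kerberos-authenticated NFS.
check_gssd() {
    systemctl is-active --quiet rpc-gssd.service
}

# preflight: run all three checks, report each failure, non-zero if any failed.
preflight() {
    rc=0
    check_keytab /etc/krb5.keytab || rc=1
    check_ticket || { echo "FAIL: no valid ticket, run kinit" >&2; rc=1; }
    check_gssd || { echo "FAIL: rpc-gssd.service is not running" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready to mount"
    return "$rc"
}

# Run the checks only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save it under any name and run it with --run before the mount command; each failed check names the step that needs to be redone.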

Further reading

If you are interested in the topic, you can proceed to: