LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   nfsv4 not working with mit kerberos v5 (http://www.linuxquestions.org/questions/linux-newbie-8/nfsv4-not-working-with-mit-kerberos-v5-551881/)

linux 2 coglioni 05-07-2007 03:04 AM

nfsv4 not working with mit kerberos v5
 
hi i'm struggling in configuring nfsv4 working with mit kerberos v5


/etc/exports on server (sequoia)

#/home/condivisa sughero.reti.dist.unige.it(rw,sync)
/home/condivisa gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
#/home/prova sughero.reti.dist.unige.it(rw,sync)
/home/prova gss/krb5(rw,sync)

(commented lines are to do more testing, same for different options in gss/krb5 lines; without kerberos i get to mount the filesystems)

/etc/fstab on client (sughero)

sequoia:/home/condivisa /home/importata nfs defaults,noauto,sec=krb5
sequoia:/home/prova /home/verifica nfs defaults,noauto,sec=krb5



from server (sequoia) /var/log/daemon.log i get:

localhost mountd[30504]: mount request from unknown host 130.251.17.158 for /home/condivisa (/home/condivisa)

(130.251.17.158 is sughero, even if it says unknown host and i get to connect to sughero thru other services, like ssh)

from client (sughero) /var/log/daemon.log i get:

localhost rpc.gssd[7950]: WARNING: Failed to obtain machine credentials for connection to server sequoia.reti.dist.unige.it

when i try to mount the filesystem (for example mount /home/importata) i get:
mount: sequoia:/home/condivisa failed, reason given by server: Permission denied (i use gnomed debian 2.14.3, no ldap netapp and similars)

i hope you can find the solution, i'm going out crazy

thank you

nmh+linuxquestions.o 05-07-2007 06:46 AM

I have a few basic questions -
Could you post a short description of your setup - are you running your own kerberos realm? what keytabs have you setup for this? what dns entries relate to these systems? Do you have other kerberized services working with those systems? Do you have kgetcred on the client? if so - I suggest attempting to acquire whatever tickets you need with it (just as a simple test).

linux 2 coglioni 05-07-2007 08:14 AM

Quote:

Originally Posted by nmh+linuxquestions.o
are you running your own kerberos realm?

well i work in local, the kdc database is on a second machine (server sequoia) and the client is a third machine, client sughero. i use kerberized ssh (thru pam) to connect to both pc

Quote:

Originally Posted by nmh+linuxquestions.o
what keytabs have you setup for this?

on server sequoia:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT


on client sughero:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT


Quote:

Originally Posted by nmh+linuxquestions.o
what dns entries relate to these systems?

server sequoia:

127.0.0.1 localhost.localdomain localhost 130.251.17.3 sequoia.reti.dist.unige.it

client sughero

127.0.0.1 localhost sughero
130.251.17.158 sughero.reti.dist.unige.it sughero
130.251.17.158 gss/krb5


Quote:

Originally Posted by nmh+linuxquestions.o
Do you have other kerberized services working with those systems?

ssh as stated above

Quote:

Originally Posted by nmh+linuxquestions.o
Do you have kgetcred on the client?

i think you mean kinit instead of kgetcred, yes i kinit both server and client


EDIT: update, a new error in client syslog:

localhost rpc.gssd[10881]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sequoia.reti.dist.unige.it
May 7 12:46:33 localhost rpc.gssd[10881]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Generic error (see e-text)

server syslog:

localhost mountd[32381]: refused mount request from sughero.reti.dist.unige.it for /home/prova (/): not exported

linux 2 coglioni 05-07-2007 08:25 AM

i tried and writed in shell: rpc.gssd -fvvv

for all entries of the kerberos database minus 1 it says:

Processing keytab entry for principal 'principal@REALM'
We will use this entry (principal@REALM)

for the last principal nfs/sughero.reti.dist.unige.it it says:

WARNING: Decrypt integrity check failed while getting initial ticket for princip al 'nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT' from keytab 'FILE:/etc/kr b5.keytab'

and in the end:

ERROR: No usable machine credentials obtained

nmh+linuxquestions.o 05-07-2007 07:45 PM

Quote:

Originally Posted by linux 2 coglioni
i think you mean kinit instead of kgetcred, yes i kinit both server and client

I do mean kgetcred, please see this. Basically, you use kinit to pickup a tgt, and then use kgetcred to pick up service tickets.

Quote:

Originally Posted by linux 2 coglioni
EDIT: update, a new error in client syslog:

localhost rpc.gssd[10881]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sequoia.reti.dist.unige.it
May 7 12:46:33 localhost rpc.gssd[10881]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Generic error (see e-text)

server syslog:

localhost mountd[32381]: refused mount request from sughero.reti.dist.unige.it for /home/prova (/): not exported

Are you trying to mount it as root (UID 0)?
What file system are you trying to mount?
DISCLAIMER: I am much more interested in AFS, and have experience with that, not NFS.

linux 2 coglioni 05-08-2007 02:42 AM

Quote:

Originally Posted by nmh+linuxquestions.o
I do mean kgetcred, please see this. Basically, you use kinit to pickup a tgt, and then use kgetcred to pick up service tickets.

sorry i don't have this command available, i'm using gnomed debian 2.14.3, i only have kinit to request the ticket



Quote:

Originally Posted by nmh+linuxquestions.o
Are you trying to mount it as root (UID 0)?

yes, at the moment i tried only as root

Quote:

Originally Posted by nmh+linuxquestions.o
What file system are you trying to mount?

i put the filesystem to mount in etc/exports on server sequoia (/home/condivisa and /home/prova) and correspondive entries in /etc/fstab on client sughero


Quote:

Originally Posted by nmh+linuxquestions.o
DISCLAIMER: I am much more interested in AFS, and have experience with that, not NFS.

i know AFS it's better, but i have to work with nfs, no choice, sorry

sarahsharaf 06-17-2009 08:14 PM

Problem for setting up nfsv4 with linux
 
Hi,
I have the exact same problem as you have. Please let me know if you found a solution for that.

Thanks
Sarah

madmaestro 06-22-2009 12:06 AM

SECURE_NFS="yes" in /etc/sysconfig/nfs
 
Quote:

Originally Posted by sarahsharaf (Post 3577747)
Hi,
I have the exact same problem as you have. Please let me know if you found a solution for that.

Thanks
Sarah

I had a similar problem and had to enable SECURE_NFS="yes" in /etc/sysconfig/nfs. After that it worked like a charm.

i.e.:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"


All times are GMT -5. The time now is 01:04 PM.