nfsv4 not working with mit kerberos v5
 

hi i'm struggling in configuring nfsv4 working with mit kerberos v5


/etc/exports on server (sequoia)

#/home/condivisa sughero.reti.dist.unige.it(rw,sync)
/home/condivisa gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
#/home/prova sughero.reti.dist.unige.it(rw,sync)
/home/prova gss/krb5(rw,sync)

(commented lines are to do more testing, same for different options in gss/krb5 lines; without kerberos i get to mount the filesystems)

/etc/fstab on client (sughero)

sequoia:/home/condivisa /home/importata nfs defaults,noauto,sec=krb5
sequoia:/home/prova /home/verifica nfs defaults,noauto,sec=krb5



from server (sequoia) /var/log/daemon.log i get:

localhost mountd[30504]: mount request from unknown host 130.251.17.158 for /home/condivisa (/home/condivisa)

(130.251.17.158 is sughero, even if it says unknown host and i get to connect to sughero thru other services, like ssh)

from client (sughero) /var/log/daemon.log i get:

localhost rpc.gssd[7950]: WARNING: Failed to obtain machine credentials for connection to server sequoia.reti.dist.unige.it

when i try to mount the filesystem (for example mount /home/importata) i get:
mount: sequoia:/home/condivisa failed, reason given by server: Permission denied (i use gnomed debian 2.14.3, no ldap netapp and similars)

i hope you can find the solution, i'm going out crazy

thank you

I have a few basic questions -
Could you post a short description of your setup - are you running your own kerberos realm? what keytabs have you setup for this? what dns entries relate to these systems? Do you have other kerberized services working with those systems? Do you have kgetcred on the client? if so - I suggest attempting to acquire whatever tickets you need with it (just as a simple test).

well i work in local, the kdc database is on a second machine (server sequoia) and the client is a third machine, client sughero. i use kerberized ssh (thru pam) to connect to both pc

on server sequoia:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT


on client sughero:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT


server sequoia:

127.0.0.1 localhost.localdomain localhost 130.251.17.3 sequoia.reti.dist.unige.it

client sughero

127.0.0.1 localhost sughero
130.251.17.158 sughero.reti.dist.unige.it sughero
130.251.17.158 gss/krb5


ssh as stated above

i think you mean kinit instead of kgetcred, yes i kinit both server and client


EDIT: update, a new error in client syslog:

localhost rpc.gssd[10881]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sequoia.reti.dist.unige.it
May 7 12:46:33 localhost rpc.gssd[10881]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Generic error (see e-text)

server syslog:

localhost mountd[32381]: refused mount request from sughero.reti.dist.unige.it for /home/prova (/): not exported

i tried and writed in shell: rpc.gssd -fvvv

for all entries of the kerberos database minus 1 it says:

Processing keytab entry for principal 'principal@REALM'
We will use this entry (principal@REALM)

for the last principal nfs/sughero.reti.dist.unige.it it says:

WARNING: Decrypt integrity check failed while getting initial ticket for princip al 'nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT' from keytab 'FILE:/etc/kr b5.keytab'

and in the end:

ERROR: No usable machine credentials obtained

I do mean kgetcred, please see this. Basically, you use kinit to pickup a tgt, and then use kgetcred to pick up service tickets.

Are you trying to mount it as root (UID 0)?
What file system are you trying to mount?
DISCLAIMER: I am much more interested in AFS, and have experience with that, not NFS.

sorry i don't have this command available, i'm using gnomed debian 2.14.3, i only have kinit to request the ticket



yes, at the moment i tried only as root

i put the filesystem to mount in etc/exports on server sequoia (/home/condivisa and /home/prova) and correspondive entries in /etc/fstab on client sughero


i know AFS it's better, but i have to work with nfs, no choice, sorry

Problem for setting up nfsv4 with linux
 

Hi,
I have the exact same problem as you have. Please let me know if you found a solution for that.

Thanks
Sarah

SECURE_NFS="yes" in /etc/sysconfig/nfs
 

I had a similar problem and had to enable SECURE_NFS="yes" in /etc/sysconfig/nfs. After that it worked like a charm.

i.e.:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"