Old 05-07-2007, 03:04 AM   #1
linux 2 coglioni
nfsv4 not working with mit kerberos v5


Hi, I'm struggling to configure NFSv4 to work with MIT Kerberos v5.


/etc/exports on server (sequoia)

#/home/condivisa sughero.reti.dist.unige.it(rw,sync)
/home/condivisa gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
#/home/prova sughero.reti.dist.unige.it(rw,sync)
/home/prova gss/krb5(rw,sync)

(The commented lines are there for more testing, same for the different options in the gss/krb5 lines; without Kerberos I am able to mount the filesystems.)

/etc/fstab on client (sughero)

sequoia:/home/condivisa /home/importata nfs defaults,noauto,sec=krb5
sequoia:/home/prova /home/verifica nfs defaults,noauto,sec=krb5



from server (sequoia) /var/log/daemon.log i get:

localhost mountd[30504]: mount request from unknown host 130.251.17.158 for /home/condivisa (/home/condivisa)

(130.251.17.158 is sughero, even if it says unknown host and i get to connect to sughero thru other services, like ssh)

from client (sughero) /var/log/daemon.log i get:

localhost rpc.gssd[7950]: WARNING: Failed to obtain machine credentials for connection to server sequoia.reti.dist.unige.it

when i try to mount the filesystem (for example mount /home/importata) i get:
mount: sequoia:/home/condivisa failed, reason given by server: Permission denied

(i use gnomed debian 2.14.3, no ldap netapp and similars)

I hope you can find the solution, I'm going crazy.

thank you
 
Old 05-07-2007, 06:46 AM   #2
nmh+linuxquestions.o
I have a few basic questions -
Could you post a short description of your setup? Are you running your own Kerberos realm? What keytabs have you set up for this? What DNS entries relate to these systems? Do you have other kerberized services working with those systems? Do you have kgetcred on the client? If so, I suggest attempting to acquire whatever tickets you need with it (just as a simple test).
 
Old 05-07-2007, 08:14 AM   #3
linux 2 coglioni
Quote:
Originally Posted by nmh+linuxquestions.o
are you running your own kerberos realm?
well i work in local, the kdc database is on a second machine (server sequoia) and the client is a third machine, client sughero. i use kerberized ssh (thru pam) to connect to both pc

Quote:
Originally Posted by nmh+linuxquestions.o
what keytabs have you setup for this?
on server sequoia:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT
2 gss/krb5@RETI.DIST.UNIGE.IT


on client sughero:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
7 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero/admin@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
2 sughero@RETI.DIST.UNIGE.IT
3 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sequoia@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
8 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
2 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
4 luca/admin@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
3 sequoia/admin@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
9 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
2 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
3 host/sequoia@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
3 nfs/sequoia@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT
3 gss/krb5@RETI.DIST.UNIGE.IT


Quote:
Originally Posted by nmh+linuxquestions.o
what dns entries relate to these systems?
server sequoia:

127.0.0.1 localhost.localdomain localhost
130.251.17.3 sequoia.reti.dist.unige.it

client sughero

127.0.0.1 localhost sughero
130.251.17.158 sughero.reti.dist.unige.it sughero
130.251.17.158 gss/krb5


Quote:
Originally Posted by nmh+linuxquestions.o
Do you have other kerberized services working with those systems?
ssh as stated above

Quote:
Originally Posted by nmh+linuxquestions.o
Do you have kgetcred on the client?
i think you mean kinit instead of kgetcred, yes i kinit both server and client


EDIT: update, a new error in client syslog:

localhost rpc.gssd[10881]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sequoia.reti.dist.unige.it
May 7 12:46:33 localhost rpc.gssd[10881]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Generic error (see e-text)

server syslog:

localhost mountd[32381]: refused mount request from sughero.reti.dist.unige.it for /home/prova (/): not exported

Last edited by linux 2 coglioni; 05-07-2007 at 08:19 AM.
 
Old 05-07-2007, 08:25 AM   #4
linux 2 coglioni
I tried and wrote in the shell: rpc.gssd -fvvv

for all entries of the kerberos database minus 1 it says:

Processing keytab entry for principal 'principal@REALM'
We will use this entry (principal@REALM)

for the last principal nfs/sughero.reti.dist.unige.it it says:

WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT' from keytab 'FILE:/etc/krb5.keytab'

and in the end:

ERROR: No usable machine credentials obtained

Last edited by linux 2 coglioni; 05-07-2007 at 08:27 AM.
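
Added example, not part of any post in this thread: "Decrypt integrity check failed" is what a key that does not match the KDC's current one produces, so a useful first check is to audit the `klist -k` listing for stale key versions and for keys the machine should not hold. The sample listing is constructed in the format posted above; the finding names and the `SERVICES` set are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the `klist -k` format shown in the thread (not the poster's full keytab).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
  10 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
   2 nfs/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
  10 nfs/sequoia.reti.dist.unige.it@RETI.DIST.UNIGE.IT
   2 nfs/sughero@RETI.DIST.UNIGE.IT
   4 luca/admin@RETI.DIST.UNIGE.IT
   4 host/sughero.reti.dist.unige.it@RETI.DIST.UNIGE.IT
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")
SERVICES = {"nfs", "host"}  # assumption: the only service keys this machine needs

def parse_klist(text):
    """Map principal (without realm) to its KVNOs in listing order; headers are skipped."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys[m.group(2)].append(int(m.group(1)))
    return dict(keys)

def audit(text, fqdn):
    """Return {principal: [finding, ...]} for the keytab of the machine named `fqdn`."""
    report = {}
    for princ, kvnos in parse_klist(text).items():
        found = []
        service, _, inst = princ.partition("/")
        if service not in SERVICES or not inst:
            found.append("unneeded-principal")   # e.g. luca/admin: root here holds that key
        elif inst == fqdn.split(".")[0]:
            found.append("short-hostname")       # tickets are requested for the FQDN form
        elif inst != fqdn:
            found.append("other-host-key")       # this machine could impersonate that service
        if len(set(kvnos)) > 1:
            found.append("multiple-kvnos")       # compare max(kvnos) with the KDC's current kvno
        if kvnos[-1] < max(kvnos):
            found.append("kvno-went-backwards")  # heuristic: keys of an older principal remain
        if found:
            report[princ] = found
    return report
```

Run `audit()` on each machine's own listing with that machine's FQDN; a keytab rebuilt to contain only the current keys of its own `nfs/` and `host/` principals should produce an empty report.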
 
Old 05-07-2007, 07:45 PM   #5
nmh+linuxquestions.o
Quote:
Originally Posted by linux 2 coglioni
i think you mean kinit instead of kgetcred, yes i kinit both server and client
I do mean kgetcred, please see this. Basically, you use kinit to pick up a TGT, and then use kgetcred to pick up service tickets.

Quote:
Originally Posted by linux 2 coglioni
EDIT: update, a new error in client syslog:

localhost rpc.gssd[10881]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server sequoia.reti.dist.unige.it
May 7 12:46:33 localhost rpc.gssd[10881]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Generic error (see e-text)

server syslog:

localhost mountd[32381]: refused mount request from sughero.reti.dist.unige.it for /home/prova (/): not exported
Are you trying to mount it as root (UID 0)?
What file system are you trying to mount?
DISCLAIMER: I am much more interested in AFS, and have experience with that, not NFS.
 
Old 05-08-2007, 02:42 AM   #6
linux 2 coglioni
Quote:
Originally Posted by nmh+linuxquestions.o
I do mean kgetcred, please see this. Basically, you use kinit to pickup a tgt, and then use kgetcred to pick up service tickets.
sorry i don't have this command available, i'm using gnomed debian 2.14.3, i only have kinit to request the ticket



Quote:
Originally Posted by nmh+linuxquestions.o
Are you trying to mount it as root (UID 0)?
yes, at the moment i tried only as root

Quote:
Originally Posted by nmh+linuxquestions.o
What file system are you trying to mount?
I put the filesystems to mount in /etc/exports on server sequoia (/home/condivisa and /home/prova) and the corresponding entries in /etc/fstab on client sughero.


Quote:
Originally Posted by nmh+linuxquestions.o
DISCLAIMER: I am much more interested in AFS, and have experience with that, not NFS.
I know AFS is better, but I have to work with NFS, no choice, sorry.
 
Old 06-17-2009, 08:14 PM   #7
sarahsharaf
Problem for setting up nfsv4 with linux

Hi,
I have the exact same problem as you have. Please let me know if you found a solution for that.

Thanks
Sarah
 
Old 06-22-2009, 12:06 AM   #8
madmaestro
SECURE_NFS="yes" in /etc/sysconfig/nfs

Quote:
Originally Posted by sarahsharaf
Hi,
I have the exact same problem as you have. Please let me know if you found a solution for that.

Thanks
Sarah
I had a similar problem and had to enable SECURE_NFS="yes" in /etc/sysconfig/nfs. After that it worked like a charm.

i.e.:

# Set to turn on Secure NFS mounts.
SECURE_NFS="yes"
 
  

