NFSv4 and Kerberos - "access denied by server"
I am attempting to Kerberize an NFS server on a RHEL6 machine, but I cannot get it quite right. The error message I receive when executing the following command (as myself, not as root) is:
Code:
# sudo mount -t nfs4 -o sec=krb5 server.foo.com:/home /mnt

I can log in to both the NFS server and the NFS client via SSH and get a ticket, but I don't know where the problematic NFS permissions reside. The /etc/exports file on the NFS server looks like:

Code:
/home gss/krb5(rw,sync,fsid=0,no_subtree_check)

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  53322  status
    100024    1   tcp  47227  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  41162  nlockmgr
    100021    3   udp  41162  nlockmgr
    100021    4   udp  41162  nlockmgr
    100021    1   tcp  39794  nlockmgr
    100021    3   tcp  39794  nlockmgr
    100021    4   tcp  39794  nlockmgr
    100005    1   udp  55891  mountd
    100005    1   tcp  35686  mountd
    100005    2   udp  55891  mountd
    100005    2   tcp  35686  mountd
    100005    3   udp  55891  mountd
    100005    3   tcp  35686  mountd

On the NFS client, here is the output of that same command:

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  47549  status
    100024    1   tcp  34696  status
The problem was due to two things: my original keytab needed to be recreated with a "host/" principal so the necessary machine credentials could be generated, and I had to specify the desired enctypes I wanted to use.
For whatever reason, my RHEL6 NFS mount will not succeed unless I specify the weaker "des-cbc-crc" algorithm. Specifying one or more of the stronger algorithms causes a problem with generation of the machine credentials - listed as "failed to created context for uid 0" when running rpcgssd and rpcsvcgssd in the foreground and in verbose mode. Do any Kerberos experts know how I can force RHEL to successfully mount over NFS using the stronger crypto? My KDC supports those stronger protocols, so I'm guessing the issue now lies either with NFS or with the OS. Thanks in advance.
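The two things the post above names, a "host/" principal in the machine keytab and the enctypes of its keys, can both be read from `klist -ke` output. The following is an added example, not code from the thread: the function names, the realm FOO.COM and the sample listing are constructed, and it assumes MIT krb5 `klist` entry lines of the form "KVNO principal (enctype)".

```shell
#!/bin/sh
# Added example. On a real host (assumption: MIT krb5 klist):
#   klist -ke /etc/krb5.keytab | check_keytab client.foo.com

# Constructed sample listing standing in for `klist -ke` output.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/server.foo.com@FOO.COM (aes256-cts-hmac-sha1-96)
   2 host/server.foo.com@FOO.COM (DES cbc mode with CRC-32)
   3 host/client.foo.com@FOO.COM (des-cbc-crc)
EOF
}

# check_keytab FQDN  (reads a klist -ke listing on stdin)
# Reports whether host/FQDN has keys and whether all of them are single DES.
check_keytab() {
    awk -v fqdn="$1" '
        # Entry lines start with a numeric KVNO; headers do not.
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            if (index($2, "host/" fqdn "@") != 1) next
            found = 1
            etype = $0
            sub(/^[^(]*\(/, "", etype)   # drop everything up to "("
            sub(/\)[^)]*$/, "", etype)   # drop the closing ")"
            # Single-DES keys, in short and descriptive klist spellings
            if (etype ~ /^des-cbc-/ || etype ~ /^DES cbc mode/) weak++
            else strong++
            list = list (list ? "," : "") etype
        }
        END {
            print "host_principal=" (found ? "yes" : "no")
            print "enctypes=" list
            print "des_only=" (found && strong == 0 ? "yes" : "no")
        }'
}

# Stand-alone demo on the constructed listing
sample_listing | check_keytab client.foo.com
```

A result of `host_principal=no` corresponds to the first cause named in the post; `des_only=yes` shows that the keytab itself holds no stronger key for that host.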
same problem
I know a lot of time has passed since you had this problem, but I have exactly the same problem.
Can you please tell me how you solved it in detail? I am a beginner in Linux. Thank you.