Old 03-28-2011, 03:04 PM   #1
gatsby
NFSv4 and Kerberos - "access denied by server"


I am attempting to Kerberize an NFS server on a RHEL6 machine, but I cannot get it quite right. The error message I receive when executing the following command (as myself, not as root) is:

Code:
# sudo mount -t nfs4 -o sec=krb5 server.foo.com:/home /mnt
mount.nfs4: access denied by server while mounting server.foo.com:/home
I have a keytab generated from the KDC for both NFS server and NFS client (both RHEL6 hosts) placed in /etc, and I have configured PAM/Kerberos so I can login via SSH and see I have a valid ticket with klist.

I can login to both NFS server and NFS client via SSH and get a ticket, but I don't know where the problematic NFS permissions reside.

The /etc/exports file on the NFS server looks like:
Code:
/home	gss/krb5(rw,sync,fsid=0,no_subtree_check)
I have disabled iptables on both client and server, and hosts.allow and hosts.deny are not blocking traffic at the moment. On the NFS server, here is the output of rpcinfo -p:

Code:
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 53322 status
100024 1 tcp 47227 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100021 1 udp 41162 nlockmgr
100021 3 udp 41162 nlockmgr
100021 4 udp 41162 nlockmgr
100021 1 tcp 39794 nlockmgr
100021 3 tcp 39794 nlockmgr
100021 4 tcp 39794 nlockmgr
100005 1 udp 55891 mountd
100005 1 tcp 35686 mountd
100005 2 udp 55891 mountd
100005 2 tcp 35686 mountd
100005 3 udp 55891 mountd
100005 3 tcp 35686 mountd

On the NFS client, here is the output of that same command:

Code:
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 47549 status
100024 1 tcp 34696 status

Last edited by gatsby; 03-28-2011 at 03:06 PM.
 
Old 03-31-2011, 03:25 PM   #2
gatsby
The problem was due to two things: my original keytab needed to be recreated with a "host/" principal so the necessary machine credentials could be generated, and I had to specify the desired enctypes I wanted to use.

For whatever reason, my RHEL6 NFS mount will not succeed unless I specify the weaker "des-cbc-crc" algorithm. To specify one or more of the stronger algorithms will cause a problem with generation of the machine credentials - listed as "failed to created context for uid 0" when running rpcgssd and rpcsvcgssd in the foreground and in verbose mode.

Do any Kerberos experts know how I can force RHEL to successfully mount over NFS using the stronger crypto? My KDC supports those stronger protocols, so I'm guessing the issue now lies either with NFS or with the OS. Thanks in advance.

Last edited by gatsby; 03-31-2011 at 03:28 PM.
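
An added example, not part of the original posts: a small shell check over `klist -ke`-style output that reports the two conditions described in post #2, a missing "host/" principal and principals whose only keys are single-DES. The listing, the FOO.COM realm and the function names are constructed for illustration, and short enctype names such as "des-cbc-crc" in the listing are assumed.

```shell
#!/bin/sh
# Added example: audit a keytab listing for a missing service principal
# and for principals that carry only single-DES keys.

# Constructed sample listing (not from the thread); realm FOO.COM is assumed.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/server.foo.com@FOO.COM (des-cbc-crc)
   3 nfs/server.foo.com@FOO.COM (des-cbc-crc)
   3 nfs/server.foo.com@FOO.COM (aes256-cts-hmac-sha1-96)
EOF
}

# audit_keytab SERVICE FQDN  -- reads a listing on stdin, prints findings.
# Exit status: 0 = no blocking finding, 1 = MISSING or DES-ONLY reported.
audit_keytab() {
    awk -v want="$1/$2@" '
        # Entry lines look like: "<kvno> <principal> (<enctype>)"
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2
            enc = $0
            sub(/^[^(]*\(/, "", enc); sub(/\).*$/, "", enc)
            seen[princ] = 1
            if (index(princ, want) == 1) have = 1
            # Single DES only (des-cbc-crc/md4/md5); des3 and AES count as strong.
            if (tolower(enc) ~ /^des-cbc-(crc|md4|md5)$/) weak[princ] = 1
            else strong[princ] = 1
        }
        END {
            if (!have) { print "MISSING " want; bad = 1 }
            for (p in seen) {
                if (weak[p] && !strong[p]) { print "DES-ONLY " p; bad = 1 }
                else if (weak[p]) print "DES-PRESENT " p
            }
            exit bad + 0
        }'
}

# Against a real keytab (run as root on the NFS server or client):
#   klist -ke /etc/krb5.keytab | audit_keytab host "$(hostname -f)"
```
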
 
Old 11-13-2012, 12:22 AM   #3
mounirSTE
same problem

I know a lot of time has passed since you had this problem, but I have exactly the same problem.
Can you please tell me how you solved it in detail? I am a beginner in Linux.
Thank you
 
  

