LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 11-06-2011, 06:46 PM   #1
tekkon7
LQ Newbie
 
Registered: Nov 2011
Location: Eastern USA
Distribution: mint/slack/ubu/gentoo
Posts: 3

Rep: Reputation: Disabled
Ubuntu Server - 10.04.03 - NFS export with Kerberos (MIT) - NFS Won't Start


Ok, I give, NFS/Kerberos has left me a broken, broken man.

I've got an Ubuntu 10.04 server, running openldap, and kdc-ldap.

Everything is working fine, kinit, workstation logons, etc... other than I'm trying to get NFS to use Kerberos.

Here's the gist of the error I'm getting, this is from syslog when nfs-kernel is trying to start, but it pretty much says the same in other logs.

Quote:
Nov 6 19:11:47 LNXCORE2 nfsd[1234]: nfssvc: Setting version failed: errno 16 (Device or resource busy)
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1239]: rpcsec_gss: debug level is 3
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table file '/etc/krb5/krb5.keytab' not found
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: Unable to obtain credentials for 'nfs'
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: unable to obtain root (machine) credentials
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
First thought, the keytab, here it is:
Quote:
1 3 nfs/lnxcore2.example.com@EXAMPLE.COM
2 3 nfs/lnxcore2.example.com@EXAMPLE.COM
3 3 nfs/lnxcore2.example.com@EXAMPLE.COM
4 3 nfs/lnxcore2.example.com@EXAMPLE.COM
Those are the default encryption types BTW, the last one listed is old des-cbc-crc. Again, those are the defaults.

The /etc/exports: (have tried krb5i, and p as well)
Quote:
/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/sharednfs1 gss/krb5(rw,sync,no_subtree_check)
The important parts from /etc/default/nfs-kernel-server:
Quote:
RPCMOUNTDOPTS=--manage-gids
RPCMOUNTDOPTS="-p 31005"
NEED_SVCGSSD=yes
I'm running UFW, but all the correct ports are open and unrestricted.

I've been buried in the internet for days looks for a solution. I've tried allowing the weak encryption types, and also totally disallowing them. My guess at the moment is that is probably the issue. Most things say old des is required, but I've also seen a few references saying it may not be.

If nothing else, if someone knows a way to uber debug SVCGSS, or even strace it in its appropriate security context, pls let me know? I can see in the docs what it -should- be looking for the keytab, but I swear it's there already.
 
Old 11-07-2011, 09:45 AM   #2
tekkon7
LQ Newbie
 
Registered: Nov 2011
Location: Eastern USA
Distribution: mint/slack/ubu/gentoo
Posts: 3

Original Poster
Rep: Reputation: Disabled
Found the issue

So this turned out to be an issue with the servername vs. FQDN. The SPN & keytab format I used was all FQDN. However, typing 'hostname -f' produced just the server name.

This is goverened from the /etc/hosts file, the second local entry is just the servername.

Quote:
127.0.0.1 localhost
127.0.1.1 LNXCORE1
By changing this to include the FQDN, the 'hostname -f' now returns correctly:

Quote:
127.0.0.1 localhost
127.0.1.1 LNXCORE1.example.com
Thus, nfs-kernel-server can find the correct keytab entry for the server by name and load the exports.
 
Old 11-07-2011, 09:53 AM   #3
tekkon7
LQ Newbie
 
Registered: Nov 2011
Location: Eastern USA
Distribution: mint/slack/ubu/gentoo
Posts: 3

Original Poster
Rep: Reputation: Disabled
Also, just for reference, here are some great articles I found on this topic.

NFSv4Howto on Ubutu

Single Sign On on Ubutu

Good Related Question on NFS4 with Krb

Legacy Article, well done though

FYI, that last link on the legacy article, it shows how to force the crusty des encryption type. Though, from what I've found here, you can totally disable it at the KDC, keytabs, etc... and NFS/krb still works great.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] fstab or export options needed to write to an nfs mounted ntfs export chief427 Linux - General 2 07-21-2011 07:07 AM
xfs, inode64, NFS export, no_subtree_check and "Stale NFS file handle" message mcacciagrano Red Hat 1 01-16-2011 03:25 PM
[SOLVED] NFS mount fails (times out): NFS server is in DMZ, NFS client is in intranet Hiroshi Linux - Networking 2 05-24-2010 10:22 AM
nfs server on ubuntu doesn't play nice with nfs client on solaris mathiraj Linux - Networking 11 09-15-2009 02:08 PM
export NFS mounted file system via NFS smkamene Linux - Networking 3 02-10-2009 03:12 PM


All times are GMT -5. The time now is 09:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration