Old 08-09-2016, 12:06 PM   #1
desbyleo
Member
 
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94

Rep: Reputation: 15
NFS4 over Kerberos and Active Directory


Hi all,
I have been trying for over 2 weeks to run nfs4 over kerberos between a client and a server (both running Jessie) in an Active Directory domain.

Both machines have successfully joined the AD.

Client is: leo10.dtschdmz.com (192.168.40.36)
Server is: leo11.dtschdmz.com (192.168.40.37)

My client mount command:
Code:
mount -t nfs4 leo11.dtschdmz.com:/export /mnt -o sec=krb5
My server /etc/exports:
Code:
/share         *(rw,fsid=0,no_root_squash)
/export       *(rw,no_subtree_check,insecure,sync,sec=krb5)
When I do the mount, I get:
Code:
mount.nfs4: access denied by server while mounting leo11.dtschdmz.com:/export
I've scoured the internet for answers but still cannot get this to work. I've included what I think you need to see below. If you need anything else, please just let me know and I'll post it. Thank you in advance - your help is greatly appreciated.

When I do the mount, client /var/log/daemon.log shows:
Code:
Aug  8 15:35:35 leo10 rpc.idmapd[448]: New client: f
Aug  8 15:35:35 leo10 rpc.idmapd[448]: Opened /run/rpc_pipefs/nfs/clntf/idmap
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling gssd upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: process_krb5_upcall: service is '*'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with any credentials cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: doing error downcall
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling gssd upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: process_krb5_upcall: service is '<null>'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with any credentials cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: doing error downcall
Aug  8 15:35:35 leo10 rpc.idmapd[448]: New client: 10
Aug  8 15:35:35 leo10 rpc.idmapd[448]: New client: 11
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling gssd upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Aug  8 15:35:35 leo10 rpc.gssd[452]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntf)
Aug  8 15:35:35 leo10 rpc.gssd[452]: process_krb5_upcall: service is '<null>'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo11.dtschdmz.com' is 'leo11.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Full hostname for 'leo10.dtschdmz.com' is 'leo10.dtschdmz.com'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM' are good until 1470726636
Aug  8 15:35:35 leo10 rpc.gssd[452]: using FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM as credentials cache for machine creds
Aug  8 15:35:35 leo10 rpc.gssd[452]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context using fsuid 0 (save_uid 0)
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating tcp client for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: DEBUG: port already set to 2049
Aug  8 15:35:35 leo10 rpc.gssd[452]: creating context with server nfs@leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create krb5 context for user with uid 0 for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_DTSCHDMZ.COM for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with any credentials cache for server leo11.dtschdmz.com
Aug  8 15:35:35 leo10 rpc.gssd[452]: doing error downcall
Aug  8 15:35:35 leo10 rpc.idmapd[448]: Stale client: 11
Aug  8 15:35:35 leo10 rpc.idmapd[448]: #011-> closed /run/rpc_pipefs/nfs/clnt11/idmap
Aug  8 15:35:35 leo10 rpc.gssd[452]: destroying client /run/rpc_pipefs/nfs/clnt11
Aug  8 15:35:35 leo10 rpc.idmapd[448]: Stale client: f
Aug  8 15:35:35 leo10 rpc.idmapd[448]: #011-> closed /run/rpc_pipefs/nfs/clntf/idmap
Aug  8 15:35:35 leo10 rpc.idmapd[448]: Stale client: 10
Aug  8 15:35:35 leo10 rpc.idmapd[448]: #011-> closed /run/rpc_pipefs/nfs/clnt10/idmap
Aug  8 15:35:35 leo10 rpc.gssd[452]: Closing 'gssd' pipe for /run/rpc_pipefs/nfs/clntf
Aug  8 15:35:35 leo10 rpc.gssd[452]: destroying client /run/rpc_pipefs/nfs/clnt10
Aug  8 15:35:35 leo10 rpc.gssd[452]: destroying client /run/rpc_pipefs/nfs/clntf
The server /var/log/daemon.log doesn't show much except for this. But it doesn't appear at every failed mount attempt:
Code:
Aug  8 15:24:37 leo11 rpc.mountd[1024]: auth_unix_ip: inbuf 'nfsd 192.168.40.36'
Aug  8 15:24:37 leo11 rpc.mountd[1024]: auth_unix_ip: client 0x2038c20 '*'
klist from client:
Code:
root@leo10:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/leo10.dtschdmz.com@DTSCHDMZ.COM

Valid starting       Expires              Service principal
08/08/2016 15:19:24  08/09/2016 01:19:24  krbtgt/DTSCHDMZ.COM@DTSCHDMZ.COM
        renew until 08/15/2016 15:19:24
klist from server:
Code:
root@leo11:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/leo11.dtschdmz.com@DTSCHDMZ.COM

Valid starting       Expires              Service principal
08/08/2016 15:39:46  08/09/2016 01:39:46  krbtgt/DTSCHDMZ.COM@DTSCHDMZ.COM
        renew until 08/15/2016 15:39:46
Client /etc/idmapd.conf:
Code:
[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = dtschdmz.com

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup
Client and Server /etc/default/nfs-common:
Code:
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
RPCGSSDOPTS="-vvv -rrr"
Server /etc/default/nfs-kernel-server:
Code:
# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
#RPCSVCGSSDOPTS=""
RPCSVCGSSDOPTS="-vvvv"
Client and Server /etc/krb5.conf:
Code:
[libdefaults]
        default_realm = DTSCHDMZ.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        allow_weak_crypto = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        DTSCHDMZ.COM = {
                kdc = chdmztum43.dtschdmz.com
                admin_server = chdmztum43.dtschdmz.com
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = kerberos.andrew.cmu.edu
                kdc = kerberos2.andrew.cmu.edu
                kdc = kerberos3.andrew.cmu.edu
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

[login]
        krb4_convert = true
        krb4_get_tickets = false
 
Old 08-10-2016, 10:03 AM   #2
desbyleo
Member
 
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94

Original Poster
Rep: Reputation: 15
I think I made some progress today.

I think once I ran this command (on the client and server):
Code:
net ADS keytab add nfs -U 'Administrator'
It added this to my keytab (client):
Code:
root@leo10:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   2    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   3    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   4    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   5    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   6    2                   nfs/leo10@DTSCHDMZ.COM
   7    2                   nfs/leo10@DTSCHDMZ.COM
   8    2                   nfs/leo10@DTSCHDMZ.COM
   9    2                   nfs/leo10@DTSCHDMZ.COM
  10    2                   nfs/leo10@DTSCHDMZ.COM
ktutil:
It added this to my keytab (server):
Code:
root@leo11:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2      nfs/leo11.dtschdmz.com@DTSCHDMZ.COM
   2    2      nfs/leo11.dtschdmz.com@DTSCHDMZ.COM
   3    2      nfs/leo11.dtschdmz.com@DTSCHDMZ.COM
   4    2      nfs/leo11.dtschdmz.com@DTSCHDMZ.COM
   5    2      nfs/leo11.dtschdmz.com@DTSCHDMZ.COM
   6    2                   nfs/leo11@DTSCHDMZ.COM
   7    2                   nfs/leo11@DTSCHDMZ.COM
   8    2                   nfs/leo11@DTSCHDMZ.COM
   9    2                   nfs/leo11@DTSCHDMZ.COM
  10    2                   nfs/leo11@DTSCHDMZ.COM
ktutil:
I bounced both client and server. Now when I try to mount (same command as before), I get this (in client /var/log/daemon.log):
Code:
Aug 10 08:13:28 leo10 rpc.gssd[447]: WARNING: Preauthentication failed while getting initial ticket for principal 'nfs/leo10.dtschdmz.com@DTSCHDMZ.COM' using keytab 'FILE:/etc/krb5.keytab'
Then I recalled another blog saying that I needed to check the box "Do not require Kerberos Preauthentication" in the user properties of the user I set up in AD for the nfs service SPN (https://blogs.technet.microsoft.com/...-linux-client/).

After I did that... now I get a different error:
Code:
Aug 10 08:48:56 leo10 rpc.gssd[447]: WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/leo10.dtschdmz.com@DTSCHDMZ.COM' using keytab 'FILE:/etc/krb5.keytab'
So I think I'm chipping away at this, but still missing a piece. Your help is greatly appreciated.
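The two posts above contain a lot of rpc.gssd noise and only a handful of lines that actually explain a failure (the "No key table entry" candidates that are later resolved by a "Success" line, the context failure, and in the second post the "Preauthentication failed" and "Decrypt integrity check failed" warnings). The following triage script is an added example and is not code from the thread or from nfs-utils; it uses a constructed subset of the log and ktutil lines quoted in both posts as embedded sample data, picks out the recognised messages, and attaches a general next check to each. The hints are standard Kerberos troubleshooting guidance (confirming that a keytab key matches the KDC with kinit -kt, and that a "Decrypt integrity check failed" on an initial ticket request usually means the keytab key no longer matches the KDC's key or KVNO for that principal), not a diagnosis of this particular setup; the finding names and the `keytab_status` labels are my own.

```python
"""Triage rpc.gssd / mount.nfs4 log lines and a ktutil keytab listing from an
NFSv4 sec=krb5 mount attempt, and point at the next check for each finding."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the client daemon.log and mount lines quoted in
# the first and second post of this thread, not a complete capture.
SAMPLE_LOG = """\
mount.nfs4: access denied by server while mounting leo11.dtschdmz.com:/export
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for LEO10.DTSCHDMZ.COM$@DTSCHDMZ.COM while getting keytab entry for 'LEO10.DTSCHDMZ.COM$@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: No key table entry found for root/leo10.dtschdmz.com@DTSCHDMZ.COM while getting keytab entry for 'root/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: Success getting keytab entry for 'nfs/leo10.dtschdmz.com@'
Aug  8 15:35:35 leo10 rpc.gssd[452]: WARNING: Failed to create machine krb5 context with any credentials cache for server leo11.dtschdmz.com
Aug 10 08:13:28 leo10 rpc.gssd[447]: WARNING: Preauthentication failed while getting initial ticket for principal 'nfs/leo10.dtschdmz.com@DTSCHDMZ.COM' using keytab 'FILE:/etc/krb5.keytab'
Aug 10 08:48:56 leo10 rpc.gssd[447]: WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/leo10.dtschdmz.com@DTSCHDMZ.COM' using keytab 'FILE:/etc/krb5.keytab'
"""

# Constructed sample: four rows of the ktutil listing shown in the second post.
SAMPLE_KTUTIL = """\
root@leo10:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   2    2      nfs/leo10.dtschdmz.com@DTSCHDMZ.COM
   6    2                   nfs/leo10@DTSCHDMZ.COM
   7    2                   nfs/leo10@DTSCHDMZ.COM
ktutil:
"""

# (pattern, finding id, severity, next check). Finding ids are this example's own
# names; the hints are general Kerberos guidance, not conclusions about this setup.
RULES = [
    (re.compile(r"access denied by server while mounting (?P<what>\S+)"),
     "mount_denied", "error",
     "Server refused the mount; read rpc.gssd on the client and rpc.svcgssd on the server."),
    (re.compile(r"No key table entry found for (?P<what>\S+) while getting keytab entry"),
     "keytab_candidate_missing", "info",
     "rpc.gssd tries several principal names in turn; harmless when a later line reports Success."),
    (re.compile(r"Success getting keytab entry for '(?P<what>[^']+)'"),
     "keytab_entry_found", "info",
     "This is the principal the client authenticates as; the KDC must hold the same key."),
    (re.compile(r"Failed to create machine krb5 context with any credentials cache for server (?P<what>\S+)"),
     "gss_context_failed", "error",
     "No usable machine credential for this server; the preceding lines carry the Kerberos reason."),
    (re.compile(r"Preauthentication failed while getting initial ticket for principal '(?P<what>[^']+)'"),
     "preauth_failed", "error",
     "KDC rejected the keytab key; confirm with 'kinit -kt /etc/krb5.keytab <principal>' that it matches the KDC."),
    (re.compile(r"Decrypt integrity check failed while getting initial ticket for principal '(?P<what>[^']+)'"),
     "key_mismatch", "error",
     "Keytab key cannot decrypt the KDC reply; usually the KVNO or password changed after the keytab was written."),
]

# One row of 'ktutil: list': slot, KVNO, principal.
KTUTIL_ROW = re.compile(r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def triage(log_text):
    """Return one finding per recognised line, in log order; unrecognised lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        for rx, fid, severity, hint in RULES:
            m = rx.search(line)
            if m:
                findings.append({"id": fid, "severity": severity,
                                 "subject": m.group("what"), "hint": hint})
                break
    return findings


def summarize(findings):
    """Counts per finding id, number of errors, and the id of the most recent error."""
    errors = [f for f in findings if f["severity"] == "error"]
    return {
        "counts": dict(Counter(f["id"] for f in findings)),
        "errors": len(errors),
        "last_error": errors[-1]["id"] if errors else None,
    }


def parse_ktutil_listing(text):
    """Map each principal in a 'ktutil: list' dump to the set of KVNOs present for it."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line)
        if m:
            kvnos[m.group("principal")].add(int(m.group("kvno")))
    return dict(kvnos)


def keytab_status(kvnos, principal):
    """'missing', 'single_kvno' or 'multiple_kvno' for the principal rpc.gssd reports using.
    Several KVNOs for one principal means the keytab was written at different times;
    only the entry matching the KDC's current KVNO can succeed."""
    if principal not in kvnos:
        return "missing"
    return "single_kvno" if len(kvnos[principal]) == 1 else "multiple_kvno"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:5}] {f['id']:25} {f['subject']}\n        -> {f['hint']}")
    print(summarize(found))
    kt = parse_ktutil_listing(SAMPLE_KTUTIL)
    print(kt, keytab_status(kt, "nfs/leo10.dtschdmz.com@DTSCHDMZ.COM"))
```

Run as-is it prints the seven findings from the sample with their hints and reports the `nfs/leo10.dtschdmz.com@DTSCHDMZ.COM` entry as present with a single KVNO; to use it on a real box, pipe the client's daemon.log and the ktutil output into `triage` and `parse_ktutil_listing` in place of the constructed samples. The value of the summary is the `last_error`: it tells you which stage of the exchange (keytab lookup, initial ticket from the KDC, or GSS context with the server) is the first one still failing, so you know which side to look at next.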