NFSv4 and Kerberos

gatsby · 03-28-2011, 03:04 PM

I am attempting to Kerborize an NFS server on a RHEL6 machine, but I cannot get it quite right. The error message I receive when executing the following command (as myself, not as root) is:

Code:

# sudo mount -t nfs4 -o sec=krb5 server.foo.com:/home /mnt
mount.nfs4: access denied by server while mounting server.foo.com:/home

I have a keytab generated from the KDC for both NFS server and NFS client (both RHEL6 hosts) placed in /etc, and I have configured PAM/Kerberos so I can login via SSH and see I have a valid ticket with klist.

I can login to both NFS server and NFS client via SSH and get a ticket, but I don't know where the problematic NFS permissions reside.

The /etc/exports file on the NFS server looks like:

Code:

/home	gss/krb5(rw,sync,fsid=0,no_subtree_check)

I have disabled IP Tables on both client and server, and hosts.allow and hosts.deny are not blocking traffic at the moment. On the NFS server, here is the output of rpcinfo -p:

# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 53322 status
100024 1 tcp 47227 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100021 1 udp 41162 nlockmgr
100021 3 udp 41162 nlockmgr
100021 4 udp 41162 nlockmgr
100021 1 tcp 39794 nlockmgr
100021 3 tcp 39794 nlockmgr
100021 4 tcp 39794 nlockmgr
100005 1 udp 55891 mountd
100005 1 tcp 35686 mountd
100005 2 udp 55891 mountd
100005 2 tcp 35686 mountd
100005 3 udp 55891 mountd
100005 3 tcp 35686 mountd

On the NFS client, here is the output of that same command:

# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 47549 status
100024 1 tcp 34696 status

gatsby · 03-31-2011, 03:25 PM

The problem was due to two things: my original keytab needed to be recreated with a "host/" principal so the necessary machine credentials could be generated, and I had to specify the desired enctypes I wanted to use.

For whatever reason, my RHEL6 NFS mount will not succeed unless I specify the weaker "des-cbc-crc" algorithm. To specify one or more of the stronger algorithms will cause a problem with generation of the machine credentials - listed as "failed to created context for uid 0" when running rpcgssd and rcpsvcgssd in the foreground and in verbose mode.

Does any kerberos experts know how I can force RHEL to successfully mount over NFS using the stronger crypto? My KDC supports those stronger protocols, so I'm guessing the issue now lies either with NFS or with the OS. Thanks in advance.

mounirSTE · 11-13-2012, 12:22 AM

I know a lot of time to spend since your having this problem, but I have exactly the same problem.
can you please tell me how you solved it in detail? I am a beginner in linux.
thank you