-   Linux - Server (
-   -   Ubuntu Server - 10.04.03 - NFS export with Kerberos (MIT) - NFS Won't Start (

tekkon7 11-06-2011 07:46 PM

Ubuntu Server - 10.04.03 - NFS export with Kerberos (MIT) - NFS Won't Start
Ok, I give, NFS/Kerberos has left me a broken, broken man.

I've got an Ubuntu 10.04 server, running openldap, and kdc-ldap.

Everything is working fine, kinit, workstation logons, etc... other than I'm trying to get NFS to use Kerberos.

Here's the gist of the error I'm getting, this is from syslog when nfs-kernel is trying to start, but it pretty much says the same in other logs.


Nov 6 19:11:47 LNXCORE2 nfsd[1234]: nfssvc: Setting version failed: errno 16 (Device or resource busy)
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1239]: rpcsec_gss: debug level is 3
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table file '/etc/krb5/krb5.keytab' not found
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: Unable to obtain credentials for 'nfs'
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: unable to obtain root (machine) credentials
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: do you have a keytab entry for nfs/<>@<YOUR.REALM> in /etc/krb5.keytab?
First thought, the keytab, here it is:

1 3 nfs/
2 3 nfs/
3 3 nfs/
4 3 nfs/
Those are the default encryption types BTW, the last one listed is old des-cbc-crc. Again, those are the defaults.

The /etc/exports: (have tried krb5i, and p as well)

/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/sharednfs1 gss/krb5(rw,sync,no_subtree_check)
The important parts from /etc/default/nfs-kernel-server:

I'm running UFW, but all the correct ports are open and unrestricted.

I've been buried in the internet for days looks for a solution. I've tried allowing the weak encryption types, and also totally disallowing them. My guess at the moment is that is probably the issue. Most things say old des is required, but I've also seen a few references saying it may not be.

If nothing else, if someone knows a way to uber debug SVCGSS, or even strace it in its appropriate security context, pls let me know? I can see in the docs what it -should- be looking for the keytab, but I swear it's there already.

tekkon7 11-07-2011 10:45 AM

Found the issue
So this turned out to be an issue with the servername vs. FQDN. The SPN & keytab format I used was all FQDN. However, typing 'hostname -f' produced just the server name.

This is goverened from the /etc/hosts file, the second local entry is just the servername.

Quote: localhost LNXCORE1
By changing this to include the FQDN, the 'hostname -f' now returns correctly:

Quote: localhost
Thus, nfs-kernel-server can find the correct keytab entry for the server by name and load the exports.

tekkon7 11-07-2011 10:53 AM

Also, just for reference, here are some great articles I found on this topic.

NFSv4Howto on Ubutu

Single Sign On on Ubutu

Good Related Question on NFS4 with Krb

Legacy Article, well done though

FYI, that last link on the legacy article, it shows how to force the crusty des encryption type. Though, from what I've found here, you can totally disable it at the KDC, keytabs, etc... and NFS/krb still works great.

All times are GMT -5. The time now is 03:39 AM.