NFSv4/krb5: Cannot mount: "Warning: rpc.gssd appears not to be running."
Georg C. F. Greve
greve at fsfeurope.org
Mon Aug 14 15:06:48 EDT 2006
Hi all,

I'm trying to set up an NFSv4 with Kerberos 5 sharing of disks in a
small local network, which is proving itself more difficult than I had
hoped. After parsing all documentation I could find, I don't know
where to continue looking.

Here is the situation:

Local subnet "mydomain" with "MYDOMAIN" Kerberos domain. One machine
(server) hosting the Kerberos authentication and file server, one
machine (client) trying to mount a disk from the file server.

Both machines are running Debian GNU/Linux (one etch, one sid) and it
is Kerberos Version 1.4.3 all around. All firewalls in between were
torn down entirely for tests.

The server seems to be set up correctly, at least all the processes
are running, kinit can connect to the KDC, and rpc.gssd is happily
running. Here is the output of klist for its cache:

  klist -e -c /tmp/krb5cc_machine_MYDOMAIN

  Ticket cache: FILE:/tmp/krb5cc_machine_MYDOMAIN
  Default principal: nfs/server.mydomain at MYDOMAIN

  Valid starting     Expires            Service principal
  08/14/06 20:44:00  08/15/06 06:44:00  krbtgt/MYDOMAIN at MYDOMAIN
          renew until 08/15/06 20:44:00, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

On the client, I can reach the Kerberos server, and indeed almost all
things seem fine. There is only one flaw: they don't work.

Doing a

  mount -t nfs4 -o sec=krb5 server.mydomain:/media /mnt

gives

  Warning: rpc.gssd appears not to be running.
  mount: block device server.mydomain:/media is write-protected, mounting read-only
  Warning: rpc.gssd appears not to be running.
  mount: cannot mount block device server.mydomain:/media read-only

While klist -e -c /tmp/krb5cc_machine_MYDOMAIN *during* the mount
attempt shows

  Ticket cache: FILE:/tmp/krb5cc_machine_MYDOMAIN
  Default principal: nfs/client.mydomain at MYDOMAIN

  Valid starting     Expires            Service principal
  08/14/06 20:54:23  08/15/06 06:54:23  krbtgt/MYDOMAIN at MYDOMAIN
          renew until 08/15/06 20:54:03, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
  08/14/06 20:57:47  08/15/06 06:54:23  nfs/server.mydomain at MYDOMAIN
          renew until 08/15/06 20:54:03, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Which from other postings to this list I understood to be fine.

Doing rpc.gssd -f -vvvvvvvvvvvvvvvvvvvvvvv gives:

  Using keytab file '/etc/krb5.keytab'
  Processing keytab entry for principal 'host/client.mydomain at MYDOMAIN'
  We will NOT use this entry (host/client.mydomain at MYDOMAIN)
  Processing keytab entry for principal 'host/client.mydomain at MYDOMAIN'
  We will NOT use this entry (host/client.mydomain at MYDOMAIN)
  Processing keytab entry for principal 'nfs/client.mydomain at MYDOMAIN'
  We will use this entry (nfs/client.mydomain at MYDOMAIN)
  Using (machine) credentials cache: 'FILE:/tmp/krb5cc_machine_MYDOMAIN'
  handling krb5 upcall
  Using keytab file '/etc/krb5.keytab'
  INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN' are good until 1155617663
  using FILE:/tmp/krb5cc_machine_MYDOMAIN as credentials cache for machine creds
  using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYDOMAIN
  creating context using fsuid 0 (save_uid 0)
  creating tcp client for server server.mydomain
  creating context with server nfs at server.mydomain
  WARNING: Failed to create krb5 context for user with uid 0 for server server.mydomain
  WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYDOMAIN for server server.mydomain
  WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server server.mydomain
  doing error downcall
  Failed to write error downcall!
  destroying client clnt2a

and I cannot find any more diagnostic output that would tell me where
things actually break -- and this is the biggest problem, to be
honest, because I don't know anymore where to look.

Can anyone help?

Best regards,
Georg

--
Georg C. F. Greve <greve at fsfeurope.org>
Free Software Foundation Europe (http://fsfeurope.org)
Join the Fellowship and protect your freedom! (http://www.fsfe.org)