NFSv4/krb5: Cannot mount: "Warning: rpc.gssd appears not to be running."
Kevin Coffman
kwc at citi.umich.edu
Mon Aug 14 15:23:22 EDT 2006

Hello Georg,

My initial guess from your description is that the server is failing
to map the client's name (nfs/client.mydomain at MYDOMAIN) to a uid.
Check the syslog on the nfs server side? (perhaps run rpc.svcgssd
with -vvv)

If this is nfs-utils-1.0.8, the server is missing a patch to make that
mapping failure non-fatal and map to the nobody user instead.

If my guesses are correct, let me know and we can figure out how to
move forward.

K.C.

On 8/14/06, Georg C. F. Greve <greve at fsfeurope.org> wrote:
> Hi all,
>
> I'm trying to set up an NFSv4 with Kerberos 5 sharing of disks in a
> small local network, which is proving itself more difficult than I had
> hoped. After parsing all documentation I could find, I don't know
> where to continue looking.
>
> Here is the situation:
>
> Local subnet "mydomain" with "MYDOMAIN" Kerberos domain. One machine
> (server) hosting the Kerberos authentication and file server, one
> machine (client) trying to mount a disk from the file server.
>
> Both are running Debian GNU/Linux machines (one etch, one sid) and it
> is Kerberos Version 1.4.3 all around. All firewalls in between were
> torn down entirely for tests.
>
>
> The server seems to be set up correctly, at least all the processes
> are running, kinit can connect to the KDC, and rpc.gssd is happily
> running. Here is the output of klist for its cache:
>
> klist -e -c /tmp/krb5cc_machine_MYDOMAIN
>
> Ticket cache: FILE:/tmp/krb5cc_machine_MYDOMAIN
> Default principal: nfs/server.mydomain at MYDOMAIN
>
> Valid starting Expires Service principal
> 08/14/06 20:44:00 08/15/06 06:44:00 krbtgt/MYDOMAIN at MYDOMAIN
> renew until 08/15/06 20:44:00, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
>
>
> On the client, I can reach the kerberos server, and indeed almost all
> things seem fine. There is only client flaw: they don't work.
>
> Doing a
>
> mount -t nfs4 -o sec=krb5 server.mydomain:/media /mnt
>
> gives
>
> Warning: rpc.gssd appears not to be running.
> mount: block device server.mydomain:/media is write-protected, mounting read-only
> Warning: rpc.gssd appears not to be running.
> mount: cannot mount block device server.mydomain:/media read-only
>
> While klist -e -c /tmp/krb5cc_machine_MYDOMAIN *during* the mount
> attempt shows
>
> Ticket cache: FILE:/tmp/krb5cc_machine_MYDOMAIN
> Default principal: nfs/client.mydomain at MYDOMAIN
>
> Valid starting Expires Service principal
> 08/14/06 20:54:23 08/15/06 06:54:23 krbtgt/MYDOMAIN at MYDOMAIN
> renew until 08/15/06 20:54:03, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> 08/14/06 20:57:47 08/15/06 06:54:23 nfs/server.mydomain at MYDOMAIN
> renew until 08/15/06 20:54:03, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Which from other postings to this list I understood to be fine.
>
> Doing rpc.gssd -f -vvvvvvvvvvvvvvvvvvvvvvv gives:
>
> Using keytab file '/etc/krb5.keytab'
> Processing keytab entry for principal 'host/client.mydomain at MYDOMAIN'
> We will NOT use this entry (host/client.mydomain at MYDOMAIN)
> Processing keytab entry for principal 'host/client.mydomain at MYDOMAIN'
> We will NOT use this entry (host/client.mydomain at MYDOMAIN)
> Processing keytab entry for principal 'nfs/client.mydomain at MYDOMAIN'
> We will use this entry (nfs/client.mydomain at MYDOMAIN)
> Using (machine) credentials cache: 'FILE:/tmp/krb5cc_machine_MYDOMAIN'
> handling krb5 upcall
> Using keytab file '/etc/krb5.keytab'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN' are good until 1155617663
> using FILE:/tmp/krb5cc_machine_MYDOMAIN as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYDOMAIN
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.mydomain
> creating context with server nfs at server.mydomain
> WARNING: Failed to create krb5 context for user with uid 0 for server server.mydomain
> WARNING: Failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_MYDOMAIN for server server.mydomain
> WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server server.mydomain
> doing error downcall
> Failed to write error downcall!
> destroying client clnt2a
>
> and I cannot find any more diagnostic output that would tell me where
> things actually break -- and this is the biggest problem, to be
> honest, because I don't know anymore where to look.
>
> Can anyone help?
>
> Best regards,
> Georg
>
> --
> Georg C. F. Greve <greve at fsfeurope.org>
> Free Software Foundation Europe (http://fsfeurope.org)
> Join the Fellowship and protect your freedom! (http://www.fsfe.org)
>
>
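
Added example, not part of the original thread or of nfs-utils: a small triage pass over the rpc.gssd -vvv lines quoted above. It separates client-side causes (no keytab entry selected, machine credentials expired) from the case suspected in the reply, where the client credentials are fine and the next step is the server's rpc.svcgssd -vvv output and syslog. The function names, verdict strings and the ATTEMPT timestamp are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Lines taken from the rpc.gssd -f -vvv output quoted in the thread.
SAMPLE_LOG = """\
> Processing keytab entry for principal 'host/client.mydomain at MYDOMAIN'
> We will NOT use this entry (host/client.mydomain at MYDOMAIN)
> Processing keytab entry for principal 'nfs/client.mydomain at MYDOMAIN'
> We will use this entry (nfs/client.mydomain at MYDOMAIN)
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYDOMAIN' are good until 1155617663
> creating context with server nfs at server.mydomain
> WARNING: Failed to create krb5 context for user with uid 0 for server server.mydomain
> doing error downcall
"""
# Constructed value: one hour before the cache expiry, standing in for the mount time.
ATTEMPT = 1155617663 - 3600

def expiry_utc(epoch):
    """Render the 'good until' epoch from the log as a readable UTC time."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def triage(log, now):
    """Return (facts, verdict) for one verbose rpc.gssd log; `now` is a UTC epoch."""
    facts = {"principal": None, "cc_expiry": None, "target": None, "ctx_failed": False}
    for raw in log.splitlines():
        line = raw.lstrip("> ").strip()  # accept lines pasted from a quoted mail
        if m := re.match(r"We will use this entry \((.+)\)", line):
            facts["principal"] = m.group(1)
        elif m := re.search(r"are good until (\d+)", line):
            facts["cc_expiry"] = int(m.group(1))
        elif m := re.match(r"creating context with server (.+)", line):
            facts["target"] = m.group(1)
        elif line.startswith("WARNING: Failed to create krb5 context"):
            facts["ctx_failed"] = True
    if facts["principal"] is None:
        verdict = "client: no usable keytab entry"
    elif facts["cc_expiry"] is None or facts["cc_expiry"] <= now:
        verdict = "client: machine credentials missing or expired"
    elif facts["ctx_failed"]:
        verdict = "server: client credentials valid, check rpc.svcgssd -vvv and syslog"
    else:
        verdict = "no context failure logged"
    return facts, verdict

if __name__ == "__main__":
    facts, verdict = triage(SAMPLE_LOG, ATTEMPT)
    print(facts["principal"], "->", facts["target"])
    print("machine cache good until", expiry_utc(facts["cc_expiry"]))
    print(verdict)
```

The verdict is a heuristic for deciding where to look next; it does not prove the server-side uid mapping is the cause.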