Kerberized NFSv4 on RHEL4 U4/U5 image
Steve Dickson
SteveD at redhat.com
Mon Jul 30 13:46:10 EDT 2007
Ido Levy wrote:
> Hello All,
>
> I am trying to configure NFSv4 to work with security flavor of krb5 on
> RHEL4 client.
> I tried both update 4 and update 5 and it doesn't seem to work on any of
> them.
> The following error appears in /var/log/messages when issuing the mount
> command:
>
> kernel: RPC: AUTH_GSS upcall timed out.
> kernel: Please check user daemon is running!
> gssd[7229]: Failed to write downcall!
Is SELinux enabled? If so, update your selinux-policy...
Also update to the latest nfs-utils version since there
has been a lot of work in this area...
>
> I did the same configuration ( detailed description below ) for a RHEL 5
> machine and it worked smoothly without any problems.
>
> Basically I followed these steps:
>
> 1. Kerberos
> 1.1 Client configuration ( /etc/krb5.conf )
> 1.2 Adding nfs principal for the client ( using kadmin )
> 1.3 Adding the principal to the keytab of the client (
> /etc/krb5.keytab ) using des-cbc-crc:normal encryption.
1) Does 'klist -ek' output the correct 'nfs/server.domainname@REALM' name
and encryption type?
2) As a non-root user, can you get a krb5 ticket via 'kinit'?
3) Are all the machines time-synced? I use 'ntpdate <ntpd-server>'
>
> 2. NFS Configuration
> 2.1 Creating the file /etc/sysconfig/nfs and adding the following
> SECURE_NFS="yes"
> 2.2 Edit the file /etc/idmapd.conf and set nfs domain.
> 2.3 start the following services:
>
> portmap
> rpcidmapd
> rpcgssd
> nfs
Are both rpcgssd and rpcsvcgssd coming up? Not that you need rpcsvcgssd
if you're only using the client, but it's a good sign that you have a
healthy configuration when both daemons come up w/out any errors...
>
> Is there anything I need to do differently on RHEL 4 compared to RHEL5?
No... the process should be the same..
>
> I would appreciate your advice
Use the '-vvv' verbose flag to rpc.gssd to have it show what it's doing...
steved.
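
The client-side checks suggested in this reply (nfs/ key and encryption type in the keytab, SECURE_NFS, daemons running), as an added shell example that is not part of the original message. The hostnames, realm and sample klist output are constructed, and the process names portmap, rpc.idmapd and rpc.gssd are assumed to correspond to the services listed above.

```shell
#!/bin/sh
# Added example (not from the thread): the reply's checks written as
# filters, so they work on live or captured output.

# stdin: `klist -ek` output. Prints "principal<TAB>enctype" per nfs/ key.
nfs_keys() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// {
        e = "unknown"                        # klist was run without -e
        if ($0 ~ /\(/) { e = $0; sub(/^[^(]*\(/, "", e); sub(/\)[^)]*$/, "", e) }
        print $2 "\t" e
    }'
}

# stdin: contents of /etc/sysconfig/nfs. Succeeds only if an uncommented
# SECURE_NFS line is set to yes (quoted or not).
secure_nfs_enabled() {
    grep -Eq '^[[:space:]]*SECURE_NFS=["'\'']?yes["'\'']?[[:space:]]*$'
}

# stdin: one process name per line (`ps -e -o comm=`). Prints each client
# daemon that is absent (process names are an assumption, see lead-in).
missing_daemons() {
    procs=$(cat)
    for d in portmap rpc.idmapd rpc.gssd; do
        printf '%s\n' "$procs" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# Constructed sample of `klist -ek` output; host and realm are made up.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/client.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

if [ "${1:-}" = "--live" ]; then
    # Run against the local machine (needs read access to the keytab).
    klist -ek /etc/krb5.keytab | nfs_keys
    secure_nfs_enabled < /etc/sysconfig/nfs || echo "SECURE_NFS is not set to yes"
    ps -e -o comm= | missing_daemons | sed 's/^/not running: /'
else
    printf '%s\n' "$SAMPLE_KLIST" | nfs_keys
fi
```

Run it with `--live` on the client; an empty result from the keytab check means no nfs/ key is present.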