problems with sec=krb5
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Tue Mar 27 14:16:17 EDT 2007
Hi guys, I am having some trouble getting nfsv4 mounts working whenever
I use the -o sec=krb5 on the server. Our nfs4 server is an EMC Celerra
(5.5.24-2) and I have tried both Fedora and Ubuntu clients and
successfully gotten sec=sys mounts working, but cannot get sec=krb5.
I have my clients kerberized so that I can run kinit, and then ssh from
one machine to the other without typing the password. I had to create
a host/machineName at KERBEROSREALMNAME service principal in the Active
Directory and add it to my /etc/krb5.keytab
I also created an nfs/machineName at KERBEROSREALMNAME service principal
(using des-cbc-crc), and that made some of the errors go away, but now
it is still complaining:
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: handling krb5 upcall
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: Using keytab file
'/etc/krb5.keytab'
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain
machine credentials for connection to server files.ad.engr.uconn.edu
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: doing error downcall
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
Mar 27 13:33:50 cselin12 rpc.gssd[21257]: processing client list
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
The EMC filer should have a kerberos principal as well:
[nasadmin at emccs bin]$ server_nfs server_2 -secnfs
server_2 :
RPCSEC_GSS server stats
Credential count: 1
principal: nfs at filesm.ad.engr.uconn.edu
No user authentication contexts
[nasadmin at emccs bin]$
Does anyone have any idea what is wrong or what I should be looking at?
I am grateful for any assistance!
Thanks,
Rohit
More information about the NFSv4
mailing list