problems with sec=krb5
Kevin Coffman
kwc at citi.umich.edu
Tue Mar 27 17:30:11 EDT 2007
On 3/27/07, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
>
> Hi guys, I am having some trouble getting nfsv4 mounts working whenever
> I use the -o sec=krb5 on the server. Our nfs4 server is an EMC Celerra
> (5.5.24-2) and I have tried both Fedora and Ubuntu clients and
> successfully gotten sec=sys mounts working, but cannot get sec=krb5.
>
> I have my clients kerberized so that I can run kinit, and then ssh from
> one machine to the other without typing the password. I had to create
> a host/machineName at KERBEROSREALMNAME service principal in the Active
> Directory and add it to my /etc/krb5.keytab
>
> I also created an nfs/machineName at KERBEROSREALMNAME service principal
> (using des-cbc-crc), and that made some of the errors go away, but now
> it is still complaining:
>
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: handling krb5 upcall
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: Using keytab file '/etc/krb5.keytab'
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain machine credentials for connection to server files.ad.engr.uconn.edu
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: doing error downcall
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
> Mar 27 13:33:50 cselin12 rpc.gssd[21257]: processing client list
> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
>
> The EMC filer should have a kerberos principal as well:
>
> [nasadmin at emccs bin]$ server_nfs server_2 -secnfs
> server_2 :
> RPCSEC_GSS server stats
>
> Credential count: 1
> principal: nfs at filesm.ad.engr.uconn.edu
>
> No user authentication contexts
>
> [nasadmin at emccs bin]$
>
>
> Does anyone have any idea what is wrong or what I should be looking at?
> I am grateful for any assistance!

If it is true that the client thinks the server's name is
"files.ad.engr.uconn.edu" but the server's keytab has the name
"filesm.ad.engr.uconn.edu", I would look there.

If it was just a typo in your message, I suspect you are not getting a
service ticket for the server. I'd check that your /etc/krb5.conf is
configured correctly on the client. Also, what does "klist -c
/tmp/krb5cc_machine_<REALM>" show after trying the mount?

K.C.
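
Added example, not part of the original messages: a small Python check that automates the comparison suggested in the reply, matching the server name in the rpc.gssd failure line against the host part of the filer's nfs principal. The sample input is constructed from the output quoted in the thread; the function names are hypothetical, and it assumes the filer prints principals in `service@host` form (the archive's "at" spelling is accepted too).

```python
import difflib
import re

# Constructed sample input, modelled on the log and filer output quoted above.
GSSD_LOG = """\
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: handling krb5 upcall
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain
machine credentials for connection to server files.ad.engr.uconn.edu
Mar 27 13:33:50 cselin12 rpc.gssd[24685]: doing error downcall
"""
FILER_OUT = """\
RPCSEC_GSS server stats
Credential count: 1
principal: nfs at filesm.ad.engr.uconn.edu
"""

FAIL_RE = re.compile(r"rpc\.gssd\[\d+\]: WARNING: Failed to obtain machine "
                     r"credentials for connection to server\s+(\S+)")
# Accept "nfs@host" as well as the list archive's obfuscated "nfs at host".
PRINC_RE = re.compile(r"principal:\s*(\w+)(?:@|\s+at\s+)(\S+)")

def norm(host):
    """Hostnames compare case-insensitively; drop any trailing root dot."""
    return host.strip().rstrip(".").lower()

def failed_servers(log):
    """Server names rpc.gssd could not get credentials for."""
    # Strip mail quote markers and re-join wrapped lines before matching.
    flat = " ".join(re.sub(r"^>\s?", "", log, flags=re.M).split())
    return sorted({norm(h) for h in FAIL_RE.findall(flat)})

def nfs_hosts(filer_out):
    """Host part of every nfs service principal the server reports."""
    return sorted({norm(h) for svc, h in PRINC_RE.findall(filer_out) if svc == "nfs"})

def check(log, filer_out):
    """Return (server, status, candidate) for each failed server name."""
    hosts, findings = nfs_hosts(filer_out), []
    for server in failed_servers(log):
        if server in hosts:
            findings.append((server, "match", server))
        else:  # a near miss usually means a typo or a DNS alias
            near = difflib.get_close_matches(server, hosts, n=1, cutoff=0.8)
            findings.append((server, "mismatch", near[0] if near else None))
    return findings

if __name__ == "__main__":
    for server, status, candidate in check(GSSD_LOG, FILER_OUT):
        print(f"{server}: {status} (server principal host: {candidate})")
```

A "match" result only rules out the naming problem; the client may still fail to get a service ticket, which is what the krb5.conf and klist checks in the reply address.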