problems with sec=krb5

Rohit Kumar Mehta rohitm at engr.uconn.edu
Wed Mar 28 10:32:21 EDT 2007


Kevin Coffman wrote:
> On 3/27/07, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
> 
>>
>> Hi guys, I am having some trouble getting nfsv4 mounts working whenever
>> I use the -o sec=krb5 on the server.  Our nfs4 server is an EMC Celerra
>> (5.5.24-2) and I have tried both Fedora and Ubuntu clients and
>> successfully gotten sec=sys mounts working, but cannot get sec=krb5.
>>
>> I have my clients kerberized so that I can run kinit, and then ssh from
>> one machine to the other without typing the password. I had to create
>> a host/machineName at KERBEROSREALMNAME service principal in the Active
>> Directory and add it to my /etc/krb5.keytab
>>
>> I also created an nfs/machineName at KERBEROSREALMNAME service principal
>> (using des-cbc-crc), and that made some of the errors go away, but now
>> it is still complaining:
>>
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: handling krb5 upcall
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: Using keytab file '/etc/krb5.keytab'
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain machine credentials for connection to server files.ad.engr.uconn.edu
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: doing error downcall
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
>> Mar 27 13:33:50 cselin12 rpc.gssd[21257]: processing client list
>> Mar 27 13:33:50 cselin12 rpc.gssd[24685]: processing client list
>>
>> The EMC filer should have a kerberos principal as well:
>>
>> [nasadmin at emccs bin]$ server_nfs server_2 -secnfs
>> server_2 :
>> RPCSEC_GSS server stats
>>
>> Credential count: 1
>>    principal: nfs at filesm.ad.engr.uconn.edu
>>
>>   No user authentication contexts
>>
>> [nasadmin at emccs bin]$
>>
>>
>> Does anyone have any idea what is wrong or what I should be looking at?
>> I am grateful for any assistance!
> 
> 
> If it is true that the client thinks the server's name is
> "files.ad.engr.uconn.edu" but the server's keytab has the name
> "filesm.ad.engr.uconn.edu", I would look there.

Thanks, this was actually an error on my part, not a typo.  Our server's
keytab is filesm, but we were mounting files (which is a CNAME to 
files).  I reproduced the exact same problem trying to mount filesm 
though (works with sec=sys, but not sec=krb5) and we get the error:

root at cselin12:/tmp# mount -t nfs4 -o sec=krb5 filesm:/StaffDirectories/nfs/rohitm /home/rohitm
Warning: rpc.gssd appears not to be running.
mount: block device filesm:/StaffDirectories/nfs/rohitm is write-protected, mounting read-only
Warning: rpc.gssd appears not to be running.
mount: cannot mount block device filesm:/StaffDirectories/nfs/rohitm read-only

and in /var/log/daemon.log:

Mar 28 10:24:29 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain machine credentials for connection to server filesm

> If it was just a typo in your message, I suspect you are not getting a
> service ticket for the server.  I'd check that your /etc/krb5.conf is
> configured correctly on the client.  Also, what does "klist -c
> /tmp/krb5cc_machine_<REALM>" show after trying the mount?

After trying the mount, I don't see a file called /tmp/krb5cc_machine_AD.ENGR.UCONN.EDU, only /tmp/krb5cc_0.

klist -c shows the following:
root at cselin12:/tmp# klist -c
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rohitm at AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
03/27/07 12:56:39  03/27/07 22:59:12  krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
        renew until 03/28/07 12:56:39
03/27/07 12:59:13  03/27/07 22:59:12  host/cselin12.engr.uconn.edu at AD.ENGR.UCONN.EDU
        renew until 03/28/07 12:56:39


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
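A small diagnostic for the failure mode discussed in this thread (the "Failed to obtain machine credentials" warning and the missing /tmp/krb5cc_machine_REALM cache), written as an added example: it is not part of the thread or of nfs-utils. It assumes a `klist -k`-style listing of the client's /etc/krb5.keytab as input and treats the nfs/ and host/ principal names mentioned above as the ones rpc.gssd looks for; the keytab listing and log lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample: what `klist -k /etc/krb5.keytab` might print on the client.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/cselin12.engr.uconn.edu@AD.ENGR.UCONN.EDU
   2 nfs/cselin12.engr.uconn.edu@AD.ENGR.UCONN.EDU'

# Constructed sample log lines in the rpc.gssd format seen in the thread.
SAMPLE_LOG='Mar 28 10:24:29 cselin12 rpc.gssd[24685]: processing client list
Mar 28 10:24:29 cselin12 rpc.gssd[24685]: WARNING: Failed to obtain machine credentials for connection to server filesm
Mar 28 10:24:29 cselin12 rpc.gssd[24685]: doing error downcall'

# keytab_has_machine_principal LISTING FQDN REALM
# Prints the first principal of the form nfs/FQDN@REALM or host/FQDN@REALM found
# in the listing and returns 0; returns 1 if neither is present. Matching is
# exact and case-sensitive, because Kerberos principal names are (a lower-case
# realm in the keytab will not satisfy a gssd looking for the upper-case one).
# Assumption: these are the principal names rpc.gssd needs; the exact search
# order of a given nfs-utils version is not covered here.
keytab_has_machine_principal() {
    listing=$1 fqdn=$2 realm=$3
    for svc in nfs host; do
        want="$svc/$fqdn@$realm"
        if printf '%s\n' "$listing" | awk -v p="$want" '$2 == p {found=1} END {exit !found}'; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# gssd_failed_servers LOGTEXT
# Prints, one per line, the server names from gssd's
# "Failed to obtain machine credentials for connection to server X" warnings,
# so they can be compared against the name in the server's keytab.
gssd_failed_servers() {
    printf '%s\n' "$1" | sed -n 's/.*Failed to obtain machine credentials for connection to server \([^ ]*\).*/\1/p'
}

# Stand-alone run: report on the constructed samples.
keytab_has_machine_principal "$SAMPLE_KEYTAB" cselin12.engr.uconn.edu AD.ENGR.UCONN.EDU \
    || echo "no nfs/ or host/ principal for this host in keytab"
gssd_failed_servers "$SAMPLE_LOG"
```

On a real client, feed it `klist -k /etc/krb5.keytab` and the rpc.gssd lines from /var/log/daemon.log, and also confirm that /tmp/krb5cc_machine_REALM appears after the mount attempt.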