help getting kerberized nfs4 mounts working
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Fri May 9 17:29:27 EDT 2008
Hi guys, we have nfs3 working with sec=krb5 and we have nfs4 working
with sec=sys. nfs4_acl utils work wonderfully in sec=sys mode, but for some
reason whenever I attempt to mount using both -t nfs4 and -o sec=krb5,
I get the following error:
mount.nfs4: Permission denied
We are using the following:
NFS server: filesm.ad.engr.uconn.edu (EMC Celerra) is in the Active
Directory realm AD.ENGR.UCONN.EDU
NFS client: user.engr.uconn.edu (Ubuntu Gutsy) in the MIT realm
ENGR.UCONN.EDU
There is a trust between the two Kerberos realms, and this works great
for kerberized NFSv3. I can log into a system using an Active Directory
account, and securely mount using NFSv3.
I looked in the daemon log and saw a bunch of errors like this:
May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
'filesm.ad.engr.uconn.edu' is 'filesm.ad.engr.uconn.edu'
May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
'user.engr.uconn.edu' is 'user.engr.uconn.edu'
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
getting keytab entry for 'root/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
getting keytab entry for 'nfs/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
getting keytab entry for 'host/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: ERROR:
gssd_refresh_krb5_machine_credential: no usable keytab entry found in
keytab /etc/krb5.keytab for connection with host filesm.ad.engr.uconn.edu
May 9 17:14:35 user rpc.gssd[3498]: ERROR: No credentials found for
connection to server filesm.ad.engr.uconn.edu
May 9 17:14:35 user rpc.gssd[3498]: doing error downcall
May 9 17:14:35 user rpc.gssd[3498]: destroying client clnt1
May 9 17:14:37 user rpc.gssd[3498]: destroying client clnt0
My krb5.keytab contains the following:
1 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
2 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
3 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
4 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
We do have a cross-realm trust set up between AD.ENGR.UCONN.EDU and
ENGR.UCONN.EDU. Is there some reason it cannot use the principal
nfs/user.engr.uconn.edu at ENGR.UCONN.EDU to set up the nfs4 mount?
I appreciate any help!
Thanks!
Rohit
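
An added example, not part of the original post: a small check that pairs each principal rpc.gssd failed to find with the realms the keytab holds for the same service and host, which makes the realm difference visible in the log and keytab listing above. The function names are hypothetical and the sample input is the post's own lines, unwrapped.

```python
import re

# Lines copied from the post above (unwrapped); the archive shows "@" as " at ".
GSSD_LOG = """\
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while getting keytab entry for 'root/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while getting keytab entry for 'nfs/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while getting keytab entry for 'host/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
May 9 17:14:35 user rpc.gssd[3498]: ERROR: No credentials found for connection to server filesm.ad.engr.uconn.edu
"""
KEYTAB_LISTING = """\
1 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
2 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
3 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
4 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
"""

# service/host@REALM, accepting either "@" or the archive's " at " separator.
PRINCIPAL = re.compile(r"([\w.-]+)/([\w.-]+?)(?:@| at )([A-Z0-9.-]+)")
NOT_FOUND = "Key table entry not found"


def principals(text):
    """Return the set of (service, host, realm) tuples named in text."""
    return {m.groups() for m in PRINCIPAL.finditer(text)}


def requested_principals(log_text):
    """Principals rpc.gssd looked up in the keytab and did not find."""
    misses = [line for line in log_text.splitlines() if NOT_FOUND in line]
    return principals("\n".join(misses))


def realm_mismatches(log_text, keytab_text):
    """Map each missing principal to the other realms the keytab holds
    for the same service/host (empty list: no entry for it in any realm)."""
    in_keytab = principals(keytab_text)
    report = {}
    for svc, host, realm in sorted(requested_principals(log_text)):
        others = {r for s, h, r in in_keytab if (s, h) == (svc, host) and r != realm}
        report[f"{svc}/{host}@{realm}"] = sorted(others)
    return report


if __name__ == "__main__":
    for wanted, held in realm_mismatches(GSSD_LOG, KEYTAB_LISTING).items():
        print(f"{wanted}: keytab has realm(s) {held or 'none'}")
```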