help getting kerberized nfs4 mounts working
J. Bruce Fields
bfields at fieldses.org
Fri May 9 18:29:28 EDT 2008
On Fri, May 09, 2008 at 05:29:27PM -0400, Rohit Kumar Mehta wrote:
>
> Hi guys, we have nfs3 working with sec=krb5 and we have nfs4 working
> with sec=sys. nfs4_acl utils work wonderfully in sec=sys mode, but for some
> reason, whenever I attempt to mount using both -t nfs4 and -o sec=krb5,
> I get the following error:

Hm. The v3 and v4 cases shouldn't be any different. Are you *certain*
that krb5 is actually being used in the v3 case? (How to check: turn
off all auth_sys access on the server and make sure you can still do
stuff. Or capture some traffic with wireshark, find some nfsv3 packets
in the listing, look under the rpc header, and the "credential", and
check the credential flavor.)

If there's another auth_sys mount of the same filesystem it might just
be using its mount options.

> mount.nfs4: Permission denied
>
> We are using the following:
> NFS server: filesm.ad.engr.uconn.edu (EMC Celerra) is in the Active
> Directory realm AD.ENGR.UCONN.EDU
> NFS client: user.engr.uconn.edu (Ubuntu Gutsy) in the MIT realm
> ENGR.UCONN.EDU
>
> There is a trust between the two Kerberos realms, and this works great
> for kerberized NFSv3. I can log into a system using an Active Directory
> account, and securely mount using NFSv3.
>
> I looked in the daemon log and saw a bunch of errors like this:
> May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
> 'filesm.ad.engr.uconn.edu' is 'filesm.ad.engr.uconn.edu'
> May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
> 'user.engr.uconn.edu' is 'user.engr.uconn.edu'
> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
> getting keytab entry for 'root/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
> getting keytab entry for 'nfs/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
> getting keytab entry for 'host/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
> May 9 17:14:35 user rpc.gssd[3498]: ERROR:
> gssd_refresh_krb5_machine_credential: no usable keytab entry found in
> keytab /etc/krb5.keytab for connection with host filesm.ad.engr.uconn.edu
> May 9 17:14:35 user rpc.gssd[3498]: ERROR: No credentials found for
> connection to server filesm.ad.engr.uconn.edu
> May 9 17:14:35 user rpc.gssd[3498]: doing error downcall
> May 9 17:14:35 user rpc.gssd[3498]: destroying client clnt1
> May 9 17:14:37 user rpc.gssd[3498]: destroying client clnt0
>
> My krb5.keytab contains the following:
> 1 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
> 2 3 host/user.engr.uconn.edu at ENGR.UCONN.EDU
> 3 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
> 4 3 nfs/user.engr.uconn.edu at ENGR.UCONN.EDU
>
> We do have a cross-realm trust set up between AD.ENGR.UCONN.EDU and
> ENGR.UCONN.EDU. Is there some reason it cannot use the principal
> nfs/user.engr.uconn.edu at ENGR.UCONN.EDU to set up the nfs4 mount?

I'm not sure what's going on.

--b.

>
> I appreciate any help!
>
> Thanks!
>
> Rohit
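
Added example, not part of the original message or of any NFS project's code: the credential-flavor check the reply describes doing by eye in wireshark, done here on raw ONC RPC call bytes (RFC 5531, with the RPCSEC_GSS credential layout from RFC 2203). The helper names and the sample messages are constructed for illustration; a real capture would supply the bytes after the TCP record mark.

```python
import struct

NFS_PROGRAM = 100003
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 6: "RPCSEC_GSS"}
GSS_SERVICES = {1: "none", 2: "integrity", 3: "privacy"}  # sec=krb5 / krb5i / krb5p

def rpc_call_credential(msg: bytes) -> dict:
    """Decode the credential of one ONC RPC call, TCP record mark already removed."""
    if len(msg) < 32:
        raise ValueError("truncated RPC call header")
    # xid, msg_type, rpcvers, prog, vers, proc, then credential flavor and length
    _xid, mtype, rpcvers, prog, vers, _proc, flavor, clen = struct.unpack(">8I", msg[:32])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    body = msg[32:32 + clen]
    if len(body) != clen:
        raise ValueError("truncated credential body")
    info = {"program": prog, "version": vers,
            "flavor": FLAVORS.get(flavor, f"unknown({flavor})")}
    if flavor == 6:
        # RPCSEC_GSS credential body: version, gss_proc, seq_num, service, handle<>
        if clen < 16:
            raise ValueError("truncated RPCSEC_GSS credential")
        _gss_vers, _gss_proc, _seq, service = struct.unpack(">4I", body[:16])
        info["gss_service"] = GSS_SERVICES.get(service, f"unknown({service})")
    return info

def nfs_flavors(calls) -> set:
    """Flavors seen on NFS calls; anything besides RPCSEC_GSS means not purely krb5."""
    return {c["flavor"] for c in map(rpc_call_credential, calls)
            if c["program"] == NFS_PROGRAM}

def _call(xid, vers, flavor, cred_body):
    # Constructed call: header, credential, then an empty verifier
    # (simplified; a real RPCSEC_GSS data call carries a checksum there).
    head = struct.pack(">8I", xid, 0, 2, NFS_PROGRAM, vers, 1, flavor, len(cred_body))
    return head + cred_body + struct.pack(">2I", 0, 0)

# Constructed samples, not captured traffic.
AUTH_SYS_BODY = struct.pack(">2I4s3I", 0, 4, b"user", 0, 0, 0)  # stamp, machine name, uid, gid, no aux gids
GSS_BODY = struct.pack(">5I4s", 1, 0, 7, 2, 4, b"\x00\x00\x00\x01")  # v1, DATA, seq 7, integrity, handle
SAMPLE_V3_SYS = _call(0x1001, 3, 1, AUTH_SYS_BODY)
SAMPLE_V3_GSS = _call(0x1002, 3, 6, GSS_BODY)

if __name__ == "__main__":
    for m in (SAMPLE_V3_SYS, SAMPLE_V3_GSS):
        print(rpc_call_credential(m))
```

If `nfs_flavors` over the calls of a supposedly sec=krb5 mount returns AUTH_SYS, the mount is not using krb5 on those calls.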