help getting kerberized nfs4 mounts working
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Sat May 10 11:13:12 EDT 2008
Thanks
I feel pretty confident that kerberos is used in the v3 case. I have
just removed all sec=sys exports from the NFS server, and retested,
and I am able to mount successfully. The one krb5/nfs3 export is
the only remote filesystem mount on the client. However, trying
to mount the same filesystem with sec=krb5, fstype=nfs4 still fails.
I'll poke around in wireshark a little...
Rohit
J. Bruce Fields wrote:
> On Fri, May 09, 2008 at 05:29:27PM -0400, Rohit Kumar Mehta wrote:
>
>> Hi guys, we have nfs3 working with sec=krb5 and we have nfs4 working
>> with sec=sys. nfs4_acl utils work wonderfully in sec=sys mode, but for some
>> reason whenever I attempt to mount using both -t nfs4 and -o sec=krb5,
>> I get the following error:
>>
>
> Hm. The v3 and v4 cases shouldn't be any different. Are you *certain*
> that krb5 is actually being used in the v3 case? (How to check: turn
> off all auth_sys access on the server and make sure you can still do
> stuff. Or capture some traffic with wireshark, find some nfsv3 packets
> in the listing, look under the rpc header, and the "credential", and
> check the credential flavor.)
>
> If there's another auth_sys mount of the same filesystem it might just
> be using its mount options.
>
>
>> mount.nfs4: Permission denied
>>
>> We are using the following:
>> NFS server: filesm.ad.engr.uconn.edu (EMC Celerra) is in the Active
>> Directory realm AD.ENGR.UCONN.EDU
>> NFS client: user.engr.uconn.edu (Ubuntu Gutsy) in the MIT realm
>> ENGR.UCONN.EDU
>>
>> There is a trust between the two kerberos realms, and this works great
>> for kerberized NFSv3. I can log
>> into a system using an Active Directory account, and securely mount
>> using NFSv3.
>>
>> I looked in the daemon log and saw a bunch of errors like this:
>> May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
>> 'filesm.ad.engr.uconn.edu' is 'filesm.ad.engr.uconn.edu'
>> May 9 17:14:35 user rpc.gssd[3498]: Full hostname for
>> 'user.engr.uconn.edu' is 'user.engr.uconn.edu'
>> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
>> getting keytab entry for 'root/user.engr.uconn.edu@AD.ENGR.UCONN.EDU'
>> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
>> getting keytab entry for 'nfs/user.engr.uconn.edu@AD.ENGR.UCONN.EDU'
>> May 9 17:14:35 user rpc.gssd[3498]: Key table entry not found while
>> getting keytab entry for 'host/user.engr.uconn.edu@AD.ENGR.UCONN.EDU'
>> May 9 17:14:35 user rpc.gssd[3498]: ERROR:
>> gssd_refresh_krb5_machine_credential: no usable keytab entry found in
>> keytab /etc/krb5.keytab for connection with host filesm.ad.engr.uconn.edu
>> May 9 17:14:35 user rpc.gssd[3498]: ERROR: No credentials found for
>> connection to server filesm.ad.engr.uconn.edu
>> May 9 17:14:35 user rpc.gssd[3498]: doing error downcall
>> May 9 17:14:35 user rpc.gssd[3498]: destroying client clnt1
>> May 9 17:14:37 user rpc.gssd[3498]: destroying client clnt0
>>
>> My krb5.keytab contains the following:
>> 1 3 host/user.engr.uconn.edu@ENGR.UCONN.EDU
>> 2 3 host/user.engr.uconn.edu@ENGR.UCONN.EDU
>> 3 3 nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
>> 4 3 nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
>>
>> We do have a cross realm trust set up between AD.ENGR.UCONN.EDU and
>> ENGR.UCONN.EDU. Is there some
>> reason it cannot use the principal
>> nfs/user.engr.uconn.edu@ENGR.UCONN.EDU to set up the nfs4 mount?
>>
>
> I'm not sure what's going on.
>
> --b.
>
>
>> I appreciate any help!
>>
>> Thanks!
>>
>> Rohit
>> _______________________________________________
>> NFSv4 mailing list
>> NFSv4 at linux-nfs.org
>> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>
>
>
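Added example, not code from the thread or from nfs-utils: a Python check that parses `klist -k` output and reports, for the client hostname, which of the root/, nfs/ and host/ principals the quoted rpc.gssd log shows it trying exist in the realm it searched (the server's realm here), and which exist only under another realm, which is the cross-realm situation described above. The keytab listing is constructed from the one quoted in the thread; the `klist -k` column layout (KVNO, Principal) is assumed.

```python
"""Which machine-credential principals can rpc.gssd find in a keytab?"""
import re

# Constructed sample: the client keytab quoted in the thread, in `klist -k` form.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/user.engr.uconn.edu@ENGR.UCONN.EDU
   3 host/user.engr.uconn.edu@ENGR.UCONN.EDU
   3 nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
   3 nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
"""

# One keytab row: KVNO, then service/host@REALM. Header and rule lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")
# Service names in the order the quoted rpc.gssd log shows them being tried.
GSSD_SERVICES = ("root", "nfs", "host")


def parse_klist(text):
    """Return the set of (service, hostname, realm) tuples in klist -k output."""
    entries = set()
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            entries.add(m.groups())
    return entries


def check_machine_creds(keytab_text, client_host, wanted_realm):
    """Split candidate principals for client_host into those present in
    wanted_realm (usable by gssd) and those present only in another realm."""
    entries = parse_klist(keytab_text)
    usable = [f"{svc}/{client_host}@{wanted_realm}" for svc in GSSD_SERVICES
              if (svc, client_host, wanted_realm) in entries]
    other_realm = sorted({f"{svc}/{host}@{realm}" for svc, host, realm in entries
                          if host == client_host and svc in GSSD_SERVICES
                          and realm != wanted_realm})
    return {"usable": usable, "other_realm_only": other_realm}


if __name__ == "__main__":
    # The realm gssd searched, taken from the quoted log: the server's AD realm.
    report = check_machine_creds(SAMPLE_KLIST, "user.engr.uconn.edu", "AD.ENGR.UCONN.EDU")
    if not report["usable"]:
        print("no usable keytab entry in AD.ENGR.UCONN.EDU (matches the gssd ERROR)")
    for p in report["other_realm_only"]:
        print("present only in another realm:", p)
```

Run against the thread's keytab, the check reproduces the "no usable keytab entry" condition and lists the two ENGR.UCONN.EDU entries as realm mismatches; pointing it at ENGR.UCONN.EDU instead shows nfs/ and host/ as usable.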