help getting kerberized nfs4 mounts working

Kevin Coffman kwc at citi.umich.edu
Mon May 12 11:55:13 EDT 2008


On Mon, May 12, 2008 at 11:19 AM, Rohit Kumar Mehta
<rohitm at engr.uconn.edu> wrote:
>
>
> > Actually, I think you need to have the following entries:
> >
> > .engr.uconn.edu = ENGR.UCONN.EDU
> > .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
> >
> > So that client, user.engr.uconn.edu, realizes it is in the
> > ENGR.UCONN.EDU realm and the server, filesm.ad.engr.uconn.edu, is in
> > the AD.ENGR.UCONN.EDU realm.
> >
> > K.C.
> >
> >
>
>  That is what I have:  (snippet of krb5.conf follows)
>
>  [domain_ream]
>
>  .engr.uconn.edu = ENGR.UCONN.EDU
>  engr.uconn.edu = ENGR.UCONN.EDU
>  # ad.engr.uconn.edu = ENGR.UCONN.EDU
>  # .ad.engr.uconn.edu = ENGR.UCONN.EDU
>  .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
>
>  ad.engr.uconn.edu = AD.ENGR.UCONN.EDU


This looks fine from your description of the realms.


>  Also I have set the default_realm in [libdefaults] to AD.ENGR.UCONN.EDU
>  to force users to authenticate off the Active Directory.

You said the client is in the ENGR.UCONN.EDU realm.  If so, its
default_realm should be ENGR.UCONN.EDU.


>  This error persists:
>  May 12 10:49:46 user rpc.gssd[3534]: Key table entry not found while
> getting keytab entry for 'host/user.engr.uconn.edu at AD.ENGR.UCONN.EDU'
>  In wireshark I see quite a few error messages from the MIT KDC to the NFS
> client with the type
>  (KRB5KRB_ERR_GENERIC).  The message looks like this:
>    MSG Type: KRB-ERROR (30)
>    error_code: KRB5KRB_ERR_GENERIC (60)
>    Client Name (Principal): nfs/user.engr.uconn.edu
>    Realm: ENGR.UCONN.EDU
>    Server Name (Unknown): krbtgt/AD.ENGR.UCONN.EDU
>    e-text: NO PREAUTH

Is this error followed by another successful request, or no?  If no,
see below.  If yes, then it probably isn't a problem.

>  Do you think the version of nfs-utils that ships with Gutsy
> (1.1.1~git-20070709-3ubuntu1) could be
>  the problem?

This version should be fine, AFAIK.

One "feature" with the MIT Kerberos code is that if a service
principal has the "REQUIRES_PRE_AUTH" flag set, then you must have
used pre-authentication when obtaining your TGT, before requesting a
service ticket for that service principal.

So things to check:

Since your service principal (krbtgt/AD.ENGR.UCONN.EDU at ENGR.UCONN.EDU)
requires preauth, you need to make sure that your client principal
(nfs/client.engr.uconn.edu at ENGR.UCONN.EDU) also requires preauth.  If
not, you need to set that flag for your client principal.  You'll need
to restart rpc.gssd on the client after making this change.

If making that change doesn't help, send me a wireshark trace along
with a copy of your /etc/krb5.conf on the NFS client machine.  (And
perhaps output from getprinc for the same two principals in the
ENGR.UCONN.EDU realm.)

K.C.
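Added example, not part of the thread and not code from MIT Kerberos or nfs-utils: a small offline checker for the three things the reply asks to verify. It parses a krb5.conf snippet (constructed here from the thread, with "@" instead of the list's "at" obfuscation), maps the client and server hostnames to realms with the documented [domain_realm] lookup (exact hostname first, then the longest parent domain written with a leading dot; the lookup order is an assumption about libkrb5), reads REQUIRES_PRE_AUTH out of constructed `kadmin getprinc` output for the two principals named above, and reports whether the keytab holds the `host/<hostname>@<default_realm>` entry that the rpc.gssd log line shows it searching for. All sample inputs are constructed; function names are hypothetical.

```python
"""Offline checks for the cross-realm NFSv4 krb5.conf setup discussed above.

Hypothetical helper (not MIT Kerberos or nfs-utils code). All inputs below
are constructed samples in the formats of krb5.conf, kadmin getprinc and
klist -k.
"""
import re

# Constructed krb5.conf: the [domain_realm] snippet from the thread plus
# the default_realm the reply says a client in ENGR.UCONN.EDU should use.
KRB5_CONF = """\
[libdefaults]
    default_realm = ENGR.UCONN.EDU

[domain_realm]
    .engr.uconn.edu = ENGR.UCONN.EDU
    engr.uconn.edu = ENGR.UCONN.EDU
    # ad.engr.uconn.edu = ENGR.UCONN.EDU
    .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
"""

# Constructed `kadmin -q "getprinc <principal>"` output for the two
# principals the reply names; the client principal here lacks the flag.
GETPRINC_OUTPUT = {
    "krbtgt/AD.ENGR.UCONN.EDU@ENGR.UCONN.EDU": """\
Principal: krbtgt/AD.ENGR.UCONN.EDU@ENGR.UCONN.EDU
Attributes: REQUIRES_PRE_AUTH
""",
    "nfs/user.engr.uconn.edu@ENGR.UCONN.EDU": """\
Principal: nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
Attributes:
""",
}

# Constructed `klist -k /etc/krb5.keytab` listing on the NFS client.
KLIST_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/user.engr.uconn.edu@ENGR.UCONN.EDU
   3 nfs/user.engr.uconn.edu@ENGR.UCONN.EDU
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for a flat (non-nested) krb5.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        if current is not None and value:
            current[key.strip().lower()] = value.strip()
    return sections


def host_realm(domain_realm, hostname):
    """Map a hostname to its realm: exact entry first, then the longest
    parent domain written with a leading dot (assumed libkrb5 order)."""
    hostname = hostname.lower()
    if hostname in domain_realm:
        return domain_realm[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def requires_preauth(getprinc_text):
    """True if the getprinc 'Attributes:' line lists REQUIRES_PRE_AUTH."""
    for line in getprinc_text.splitlines():
        if line.startswith("Attributes:"):
            return "REQUIRES_PRE_AUTH" in line.split()
    return False


def preauth_mismatch(service_text, client_text):
    """The case the reply describes: service principal requires preauth,
    client principal does not."""
    return requires_preauth(service_text) and not requires_preauth(client_text)


def keytab_principals(klist_text):
    """Set of principals in a `klist -k` listing (lines: '<kvno> <principal>')."""
    return {m.group(1) for m in
            (re.match(r"\s*\d+\s+(\S+@\S+)", ln) for ln in klist_text.splitlines()) if m}


def gssd_host_principal_present(klist_text, hostname, default_realm):
    """rpc.gssd in the log above looked up host/<hostname>@<default_realm>;
    report whether the keytab actually holds that entry."""
    return f"host/{hostname}@{default_realm}" in keytab_principals(klist_text)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    dr = conf["domain_realm"]
    print("client realm:", host_realm(dr, "user.engr.uconn.edu"))
    print("server realm:", host_realm(dr, "filesm.ad.engr.uconn.edu"))
    print("preauth mismatch:", preauth_mismatch(
        GETPRINC_OUTPUT["krbtgt/AD.ENGR.UCONN.EDU@ENGR.UCONN.EDU"],
        GETPRINC_OUTPUT["nfs/user.engr.uconn.edu@ENGR.UCONN.EDU"]))
    for realm in ("AD.ENGR.UCONN.EDU", conf["libdefaults"]["default_realm"]):
        print(f"host keytab entry for default_realm {realm}:",
              gssd_host_principal_present(KLIST_KEYTAB, "user.engr.uconn.edu", realm))
```

Running it shows the two mappings the thread expects (client in ENGR.UCONN.EDU, server in AD.ENGR.UCONN.EDU), flags the preauth mismatch that needs a `modprinc +requires_preauth` on the client principal before restarting rpc.gssd, and shows that the keytab lookup only succeeds once default_realm names the client's own realm rather than AD.ENGR.UCONN.EDU.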
