NFS4 + Kerberos with AD

Grover, Justin N. Justin.Grover at ic.fbi.gov
Tue May 13 13:53:16 EDT 2008


I was wondering if any folks out there have any experience setting up an NFS server/client to authenticate through Active Directory.

Can't seem to get NFS to mount.  I receive a 'mount.nfs4: Permission denied' error.

--------------------General Info-------------------------
Here's my setup:
- Ubuntu 6.04 NFS4 server
- Ubuntu 6.04 NFS4 client
- Windows 2003 Server w/Services for Unix

My Progress:
- Used 'ktpass' command on Windows server to create keytab files for both the nfs server and client.
- Used the DES-CBC-MD5 encryption type.
- Distributed keytab files accordingly to each machine's /etc directory.
- Setup file export on NFS server: /files gss/krb5(rw,sync)
- Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5 nfs-server:/files /mnt/files'

Snags:
- After talking to the AD server to get a ticket, the client machine receives a null reply from the nfs server.  As a side note, the server rpc.svcgssd

-------------------Specifics---------------------------

ktpass command used (on Windows Server 2003 server) to create nfs server keytab:
ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsadmin -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5server.keytab

ktpass command used (on Windows Server 2003 server) to create nfs client keytab:
ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5client.keytab

Each keytab file was then moved to their respective machine and renamed to /etc/krb5.keytab.

NFS server is properly running rpc.svcgssd, NFS client is running gssd.  I set up these according to an Ubuntu HOWTO document.  I can give more details on this if anyone needs it.

/etc/export server file:
/files gss/krb5(rw,sync)

Command executed from client: sudo mount -t nfs4 -o sec=krb5 nfs-server:/files /mnt/files

NFS Client Log Output:

nfsclient rpc.gssd[17114]: handling krb5 upcall
nfsclient rpc.gssd[17114]: Full hostname for 'nfsserver.example.com' is 'nfsserver.example.com'
nfsclient rpc.gssd[17114]: Full hostname for 'nfsclient.example.com' is 'nfsclient.example.com'
nfsclient rpc.gssd[17114]: Key table entry not found while getting keytab entry for 'root/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: Success getting keytab entry for 'nfs/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
nfsclient rpc.gssd[17114]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
nfsclient rpc.gssd[17114]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
nfsclient rpc.gssd[17114]: using environment variable to select krb5 ccache FILE:/tmp.krb5cc_machine_EXAMPLE.COM
nfsclient rpc.gssd[17114]: creating context using fsuid 0 (save_uid 0)
nfsclient rpc.gssd[17114]: creating tcp client for server nfsserver.example.com
nfsclient rpc.gssd[17114]: creating context with server nfs@nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for user with uid 0 for server nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for user with uid 0 with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for user with uid 0 with any credentials cache for server nfsserver.example.com
nfsclient rpc.gssd[17114]: doing error downcall
nfsclient rpc.gssd[17114]: destroying client clnt41
nfsclient rpc.gssd[17114]: destroying client clnt40

NFS Server Log Output:

nfsserver rpc.svcgssd[3320]: leaving poll
nfsserver rpc.svcgssd[3320]: handling null request
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: in_handle:
nfsserver rpc.svcgssd[3320]: length 0
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: in_tok:
nfsserver rpc.svcgssd[3320]: length -1
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): A token was invalid - Tokane header is malformed or corrupt
nfsserver rpc.svcgssd[3320]: sending null reply

--------------------------------------------------

Help!!!  :)
Again if anyone has any knowledge or experience with this, and can offer any troubleshooting insights, I would be greatly appreciative.


Justin
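An added example, not part of Justin's post: a small Python checker that reads an MIT-format keytab (the file each host keeps as /etc/krb5.keytab) offline and reports whether the nfs/<fqdn>@REALM entry that rpc.gssd and rpc.svcgssd look up is present, and which entries use single-DES or RC4 key types such as the DES-CBC-MD5 type chosen above, so the keytab can be checked on either host without a live KDC. It follows the MIT v0x502 keytab layout; the sample keytab is constructed inline, and build_keytab, parse_keytab and check_nfs_keytab are names invented for this example.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / MIT krb5), not exhaustive; single-DES and RC4 count as weak.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}
def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as an MIT v0x502 keytab (for constructed samples)."""
    out = bytearray(b"\x05\x02")
    for princ, enctype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                        # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [{'principal', 'enctype', 'kvno'}, ...] from MIT keytab bytes (what klist -ke shows)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, pos, parts = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = data[pos + 8]                             # after name_type (4 bytes) and timestamp (4 bytes)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if pos + 4 <= end else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def check_nfs_keytab(data, fqdn, realm):
    """Report whether nfs/<fqdn>@REALM is present and which entries use weak (DES/RC4) enctypes."""
    entries = parse_keytab(data)
    return {"has_nfs_principal": any(e["principal"] == "nfs/%s@%s" % (fqdn, realm) for e in entries),
            "weak": [(e["principal"], ENCTYPES.get(e["enctype"], str(e["enctype"]))) for e in entries if e["enctype"] in WEAK_ENCTYPES]}
# Constructed sample: the DES-CBC-MD5 entry ktpass would emit for the post's client, plus an AES256 entry.
SAMPLE = build_keytab([("nfs/nfsclient.example.com@EXAMPLE.COM", 3, 1, b"\x01" * 8),
                       ("nfs/nfsclient.example.com@EXAMPLE.COM", 18, 2, b"\x02" * 32)])
```

Run check_nfs_keytab(open("/etc/krb5.keytab", "rb").read(), "nfsclient.example.com", "EXAMPLE.COM") on the client (and with the server's hostname on the server) to confirm the expected principal is there; any entry it lists under "weak" is a single-DES or RC4 key that a modern KDC or client may refuse to use.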