NFS4 + Kerberos with AD

Benjamin Coddington Benjamin.Coddington at uvm.edu
Tue May 13 14:45:43 EDT 2008


Justin,

	First thing, make sure kerberos is correctly configured on your 
client/server.  You should be able to

kinit -k nfs/client.example.com

If that doesn't get you creds, you'll need a good krb5.conf.  Start with 
the man page for krb5.conf.

You'll also get better help on this list with plain text.

Regards,
Ben

Grover, Justin N. wrote:
> I was wondering if any folks out there have any experience setting up an 
> NFS server/client to authenticate through Active Directory. 
>  
> Can't seem to get NFS to mount.  I receive a 'mount.nfs4: Permission 
> denied' error.
>  
> --------------------General Info-------------------------
> Here's my setup:
> - Ubuntu 6.04 NFS4 server
> - Ubuntu 6.04 NFS4 client
> - Windows 2003 Server w/Services for Unix 
>  
> My Progress:
> - Used 'ktpass' command on Windows server to create keytab files for 
> both the nfs server and client. 
> - Used the DES-CBC-MD5 encryption type.
> - Distributed keytab files accordingly to each machine's /etc directory.
> - Setup file export on NFS server: /files gss/krb5(rw,sync)
> - Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5 
> nfs-server:/files /mnt/files'
>  
> Snags:
> - After talking to the AD server to get a ticket, the client machine 
> receives a null reply from the nfs server.  As a side note, the server 
> rpc.svcgssd
>  
> -------------------Specifics---------------------------
>  
> ktpass command used (on Windows Server 2003 server) to create nfs server 
> keytab:
> ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsadmin -pass 
> password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5server.keytab
>  
> ktpass command used (on Windows Server 2003 server) to create nfs client 
> keytab:
> ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser -pass 
> password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5client.keytab
>  
> Each keytab file was then moved to their respective machine and renamed 
> to /etc/krb5.keytab.
>  
> NFS server is properly running rpc.svcgssd, NFS client is running gssd.  
> I set up these according to an Ubuntu HOWTO document.  I can give more 
> details on this if anyone needs it.
>  
> /etc/export server file:
> /files gss/krb5(rw,sync)
>  
> Command executed from client: sudo mount -t nfs4 -o sec=krb5 
> nfs-server:/files /mnt/files
>  
> NFS Client Log Output:
>  
> nfsclient rpc.gssd[17114]: handling krb5 upcall
> nfsclient rpc.gssd[17114]: Full hostname for 'nfsserver.example.com' is 
> 'nfsserver.example.com'
> nfsclient rpc.gssd[17114]: Full hostname for 'nfsclient.example.com' is 
> 'nfsclient.example.com'
> nfsclient rpc.gssd[17114]: Key table entry not found while getting 
> keytab entry for 'root/nfsclient.example.com@EXAMPLE.COM'
> nfsclient rpc.gssd[17114]: Success getting keytab entry for 
> 'nfs/nfsclient.example.com@EXAMPLE.COM'
> nfsclient rpc.gssd[17114]: INFO: Credentials in CC 
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
> nfsclient rpc.gssd[17114]: INFO: Credentials in CC 
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
> nfsclient rpc.gssd[17114]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as 
> credentials cache for machine creds
> nfsclient rpc.gssd[17114]: using environment variable to select krb5 
> ccache FILE:/tmp.krb5cc_machine_EXAMPLE.COM
> nfsclient rpc.gssd[17114]: creating context using fsuid 0 (save_uid 0)
> nfsclient rpc.gssd[17114]: creating tcp client for server 
> nfsserver.example.com
> nfsclient rpc.gssd[17114]: creating context with server 
> nfs@nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for 
> user with uid 0 for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for 
> user with uid 0 with credentials cache 
> FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for 
> user with uid 0 with any credentials cache for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: doing error downcall
> nfsclient rpc.gssd[17114]: destroying client clnt41
> nfsclient rpc.gssd[17114]: destroying client clnt40
>  
> NFS Server Log Output:
>  
> nfsserver rpc.svcgssd[3320]: leaving poll
> nfsserver rpc.svcgssd[3320]: handling null request
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_handle:
> nfsserver rpc.svcgssd[3320]: length 0
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_tok:
> nfsserver rpc.svcgssd[3320]: length -1
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
> nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq: 
> gss_accept_sec_context(): A token was invalid - Tokane header is 
> malformed or corrupt
> nfsserver rpc.svcgssd[3320]: sending null reply
>  
> --------------------------------------------------
>  
> Help!!!  :)
> Again if anyone has any knowledge or experience with this, and can offer 
> any troubleshooting insights, I would be greatly appreciative.
>  
>  
> Justin
> 
> 
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
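A check for the keytab step in the quoted setup, added here as an example and not code from the thread: it parses an MIT-format krb5.keytab of the kind ktpass writes and confirms the nfs/<fqdn>@REALM entry is present, which is what Ben's `kinit -k` test needs before the mount can work. The sample keytab, the principal and realm names are constructed from the thread and the key bytes are dummies; note that an all-DES keytab like the one created here is refused by current MIT Kerberos unless allow_weak_crypto is set in krb5.conf, so kinit -k fails on it even when the entry is correct.

```python
import struct

DES_CBC_MD5 = 3   # enctype number for the des-cbc-md5 type used in the thread

def _cstr(data, p):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack(">H", data[p:p + 2])
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from version-2 MIT keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _cstr(data, pos)      # v2 keytabs store the realm first
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c)
        _ntype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        vno32 = end - pos >= 4 and struct.unpack(">I", data[pos:pos + 4])[0]  # trailing kvno
        entries.append(("/".join(comps) + "@" + realm, enctype, vno32 or vno8))
        pos = end
    return entries

def build_entry(principal, enctype, key, kvno=1):
    """Encode one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIB", 1, 0, kvno)        # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def check_nfs_keytab(data, fqdn, realm):
    """Report whether nfs/<fqdn>@REALM is present and whether only DES keys exist."""
    want = f"nfs/{fqdn}@{realm}"
    hits = [(e, k) for p, e, k in parse_keytab(data) if p == want]
    return {"principal": want, "present": bool(hits), "enctypes": sorted({e for e, _ in hits}),
            "des_only": bool(hits) and all(e == DES_CBC_MD5 for e, _ in hits)}

# Constructed sample client keytab (dummy key bytes, not real key material).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "nfs/nfsclient.example.com@EXAMPLE.COM", DES_CBC_MD5, b"\x01" * 8, kvno=3)
```

To run it against a real file, pass `open("/etc/krb5.keytab", "rb").read()` to check_nfs_keytab with the host's FQDN and realm; a missing entry or a DES-only result explains a failing kinit -k before any NFS debugging starts.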

