NFS4 + Kerberos with AD
Grover, Justin N.
Justin.Grover at ic.fbi.gov
Tue May 13 17:27:53 EDT 2008
Ben & all,
kinit -k nfs/nfsclient.example.com works correctly. I'm fairly certain I have a solid krb5.conf file.
And thanks for the tip with the plain text--will do!
~Justin
________________________________________
From: Benjamin Coddington [Benjamin.Coddington at uvm.edu]
Sent: Tuesday, May 13, 2008 2:45 PM
To: Grover, Justin N.
Cc: nfsv4 at linux-nfs.org
Subject: Re: NFS4 + Kerberos with AD
Justin,
First thing, make sure Kerberos is correctly configured on your
client/server. You should be able to
kinit -k nfs/client.example.com
If that doesn't get you creds, you'll need a good krb5.conf. Start with
the man page for krb5.conf.
You'll also get better help on this list with plain text.
Regards,
Ben
Grover, Justin N. wrote:
> I was wondering if any folks out there have any experience setting up an
> NFS server/client to authenticate through Active Directory.
>
> Can't seem to get NFS to mount. I receive an 'mount.nfs4: Permission
> denied' error.
>
> --------------------General Info-------------------------
> Here's my setup:
> - Ubuntu 6.04 NFS4 server
> - Ubuntu 6.04 NFS4 client
> - Windows 2003 Server w/Services for Unix
>
> My Progress:
> - Used 'ktpass' command on Windows server to create keytab files for
> both the nfs server and client.
> - Used the DES-CBC-MD5 encryption type.
> - Distributed keytab files accordingly to each machine's /etc directory.
> - Set up file export on NFS server: /files gss/krb5(rw,sync)
> - Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5
> nfs-server:/files /mnt/files'
>
> Snags:
> - After talking to the AD server to get a ticket, the client machine
> receives a null reply from the nfs server. As a side note, the server
> rpc.svcgssd
>
> -------------------Specifics---------------------------
>
> ktpass command used (on Windows Server 2003 server) to create nfs server
> keytab:
> ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsadmin -pass
> password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5server.keytab
>
> ktpass command used (on Windows Server 2003 server) to create nfs client
> keytab:
> ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser -pass
> password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5client.keytab
>
> Each keytab file was then moved to their respective machine and renamed
> to /etc/krb5.keytab.
>
> NFS server is properly running rpc.svcgssd, NFS client is running gssd.
> I set up these according to an Ubuntu HOWTO document. I can give more
> details on this if anyone needs it.
>
> /etc/export server file:
> /files gss/krb5(rw,sync)
>
> Command executed from client: sudo mount -t nfs4 -o sec=krb5
> nfs-server:/files /mnt/files
>
> NFS Client Log Output:
>
> nfsclient rpc.gssd[17114]: handling krb5 upcall
> nfsclient rpc.gssd[17114]: Full hostname for 'nfsserver.example.com' is
> 'nfsserver.example.com'
> nfsclient rpc.gssd[17114]: Full hostname for 'nfsclient.example.com' is
> 'nfsclient.example.com'
> nfsclient rpc.gssd[17114]: Key table entry not found while getting
> keytab entry for 'root/nfsclient.example.com@EXAMPLE.COM'
> nfsclient rpc.gssd[17114]: Success getting keytab entry for
> 'nfs/nfsclient.example.com@EXAMPLE.COM'
> nfsclient rpc.gssd[17114]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
> nfsclient rpc.gssd[17114]: INFO: Credentials in CC
> 'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
> nfsclient rpc.gssd[17114]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as
> credentials cache for machine creds
> nfsclient rpc.gssd[17114]: using environment variable to select krb5
> ccache FILE:/tmp.krb5cc_machine_EXAMPLE.COM
> nfsclient rpc.gssd[17114]: creating context using fsuid 0 (save_uid 0)
> nfsclient rpc.gssd[17114]: creating tcp client for server
> nfsserver.example.com
> nfsclient rpc.gssd[17114]: creating context with server
> nfs@nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
> user with uid 0 for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
> user with uid 0 with credentials cache
> FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
> user with uid 0 with any credentials cache for server nfsserver.example.com
> nfsclient rpc.gssd[17114]: doing error downcall
> nfsclient rpc.gssd[17114]: destroying client clnt41
> nfsclient rpc.gssd[17114]: destroying client clnt40
>
> NFS Server Log Output:
>
> nfsserver rpc.svcgssd[3320]: leaving poll
> nfsserver rpc.svcgssd[3320]: handling null request
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_handle:
> nfsserver rpc.svcgssd[3320]: length 0
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: in_tok:
> nfsserver rpc.svcgssd[3320]: length -1
> nfsserver rpc.svcgssd[3320]:
> nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
> nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq:
> gss_accept_sec_context(): A token was invalid - Tokane header is
> malformed or corrupt
> nfsserver rpc.svcgssd[3320]: sending null reply
>
> --------------------------------------------------
>
> Help!!! :)
> Again if anyone has any knowledge or experience with this, and can offer
> any troubleshooting insights, I would be greatly appreciative.
>
>
> Justin
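The ktpass command and the rpc.gssd / rpc.svcgssd output quoted above, run through an added log-triage script; this is example code written for this page, not code from the thread or from nfs-utils, and the sample input is constructed from the quoted lines with the principal '@' restored. It only reports what the logs state (weak enctype on the keytab, which principal the client used, the NULL-request token length and the acceptor error), so each finding is traceable to a line.

```python
import re

# Constructed sample input, modelled on the ktpass command and the rpc.gssd / rpc.svcgssd
# output quoted in the thread (principal '@' restored, hostnames as in the thread).
KTPASS = "ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsadmin -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out krb5server.keytab"
CLIENT_LOG = """\
nfsclient rpc.gssd[17114]: Key table entry not found while getting keytab entry for 'root/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: Success getting keytab entry for 'nfs/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: creating context with server nfs@nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for user with uid 0 for server nfsserver.example.com
nfsclient rpc.gssd[17114]: doing error downcall"""
SERVER_LOG = """\
nfsserver rpc.svcgssd[3320]: handling null request
nfsserver rpc.svcgssd[3320]: in_tok:
nfsserver rpc.svcgssd[3320]: length -1
nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): A token was invalid - Token header is malformed or corrupt
nfsserver rpc.svcgssd[3320]: sending null reply"""

WEAK_ENCTYPES = {"DES-CBC-MD5", "DES-CBC-CRC"}  # single DES: deprecated for Kerberos (RFC 6649)
KEYTAB_OK = re.compile(r"Success getting keytab entry for '([^']+)'")
CTX_FAIL = re.compile(r"failed to create krb5 context .* for server (\S+)")
TOK_LEN = re.compile(r"in_tok:\s*\n\S+ rpc\.svcgssd\[\d+\]: length (-?\d+)")
ACCEPT_FAIL = re.compile(r"gss_accept_sec_context\(\): (.+)$", re.M)

def parse_client(log):
    """Which keytab principal gssd used, and which server it failed to build a context for."""
    ok, fail = KEYTAB_OK.search(log), CTX_FAIL.search(log)
    return {"keytab_used": ok and ok.group(1), "failed_server": fail and fail.group(1)}

def parse_server(log):
    """Token length svcgssd logged for the NULL request, and the gss_accept_sec_context error."""
    tok, err = TOK_LEN.search(log), ACCEPT_FAIL.search(log)
    return {"in_tok_len": int(tok.group(1)) if tok else None, "accept_error": err and err.group(1)}

def diagnose(ktpass, client_log, server_log):
    """Return triage findings; descriptive only, so each one is traceable to an input line."""
    c, s, findings = parse_client(client_log), parse_server(server_log), []
    m = re.search(r"-crypto\s+(\S+)", ktpass)
    if m and m.group(1).upper() in WEAK_ENCTYPES:
        findings.append(f"keytab created with weak enctype {m.group(1)}")
    if c["keytab_used"] and c["failed_server"]:
        findings.append(f"client used {c['keytab_used']} but got no context with {c['failed_server']}")
    if s["in_tok_len"] is not None and s["in_tok_len"] < 0:
        findings.append(f"server logged in_tok length {s['in_tok_len']} on the NULL request")
    if s["accept_error"]:
        findings.append("server rejected token: " + s["accept_error"])
    return findings
```

`diagnose(KTPASS, CLIENT_LOG, SERVER_LOG)` returns four findings for the constructed input; feeding real rpc.gssd -vvv and rpc.svcgssd -vvv output gives the same summary without reading the full trace.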