NFS4 + Kerberos through AD
Grover, Justin N.
jgrover at mitre.org
Tue May 13 13:57:30 EDT 2008
Hey all,
I was wondering if any folks out there have any experience setting up
an NFS server/client to authenticate through Active Directory.
Can't seem to get NFS to mount. I receive an 'mount.nfs4: Permission
denied' error on the client.
--------------------General Info-------------------------
Here's my setup:
- Ubuntu 6.04 NFS4 server
- Ubuntu 6.04 NFS4 client
- Windows 2003 Server w/Services for Unix
My Progress:
- Used 'ktpass' command on Windows server to create keytab files for
both the nfs server and client.
- Used the DES-CBC-MD5 encryption type.
- Distributed keytab files accordingly to each machine's /etc
directory.
- Setup file export on NFS server: /files gss/krb5(rw,sync)
- Attempting to mount from client using 'sudo mount -t nfs4 -o sec=krb5
nfs-server:/files /mnt/files'
Snags:
- After talking to the AD server to get a ticket, the client machine
receives a null reply from the nfs server. As a side note, the server
rpc.svcgssd
-------------------Specifics---------------------------
ktpass command used (on Windows Server 2003 server) to create nfs
server keytab:
ktpass -princ nfs/nfsserver.example.com@EXAMPLE.COM -mapuser nfsadmin
-pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out
krb5server.keytab
ktpass command used (on Windows Server 2003 server) to create nfs
client keytab:
ktpass -princ nfs/nfsclient.example.com@EXAMPLE.COM -mapuser nfsuser
-pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out
krb5client.keytab
Each keytab file was then moved to their respective machine and renamed
to /etc/krb5.keytab.
NFS server is properly running rpc.svcgssd, NFS client is running gssd.
I set up these according to an Ubuntu HOWTO document. I can give more
details on this if anyone needs it.
/etc/export server file:
/files gss/krb5(rw,sync)
Command executed from client: sudo mount -t nfs4 -o sec=krb5
nfs-server:/files /mnt/files
NFS Client Log Output:
nfsclient rpc.gssd[17114]: handling krb5 upcall
nfsclient rpc.gssd[17114]: Full hostname for 'nfsserver.example.com' is
'nfsserver.example.com'
nfsclient rpc.gssd[17114]: Full hostname for 'nfsclient.example.com' is
'nfsclient.example.com'
nfsclient rpc.gssd[17114]: Key table entry not found while getting
keytab entry for 'root/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: Success getting keytab entry for
'nfs/nfsclient.example.com@EXAMPLE.COM'
nfsclient rpc.gssd[17114]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
nfsclient rpc.gssd[17114]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1210709497
nfsclient rpc.gssd[17114]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM
as credentials cache for machine creds
nfsclient rpc.gssd[17114]: using environment variable to select krb5
ccache FILE:/tmp.krb5cc_machine_EXAMPLE.COM
nfsclient rpc.gssd[17114]: creating context using fsuid 0 (save_uid 0)
nfsclient rpc.gssd[17114]: creating tcp client for server
nfsserver.example.com
nfsclient rpc.gssd[17114]: creating context with server
nfs@nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
user with uid 0 for server nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
user with uid 0 with credentials cache
FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfsserver.example.com
nfsclient rpc.gssd[17114]: WARNING: failed to create krb5 context for
user with uid 0 with any credentials cache for server
nfsserver.example.com
nfsclient rpc.gssd[17114]: doing error downcall
nfsclient rpc.gssd[17114]: destroying client clnt41
nfsclient rpc.gssd[17114]: destroying client clnt40
NFS Server Log Output:
nfsserver rpc.svcgssd[3320]: leaving poll
nfsserver rpc.svcgssd[3320]: handling null request
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: in_handle:
nfsserver rpc.svcgssd[3320]: length 0
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: in_tok:
nfsserver rpc.svcgssd[3320]: length -1
nfsserver rpc.svcgssd[3320]:
nfsserver rpc.svcgssd[3320]: WARNING: gss_accept_sec_context failed
nfsserver rpc.svcgssd[3320]: ERROR: GSS-API: error in handle_nullreq:
gss_accept_sec_context(): A token was invalid - Tokane header is
malformed or corrupt
nfsserver rpc.svcgssd[3320]: sending null reply
--------------------------------------------------
Help!!! :)
Again if anyone has any knowledge or experience with this, and can
offer any troubleshooting insights, I would be greatly appreciative.
Justin
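A keytab check for the setup described in the post above, added here and not part of the original message. It assumes MIT krb5 tools (klist, kinit), the /etc/krb5.keytab path used in the post, and a constructed `klist -k -e` listing shaped like the client keytab ktpass produced there; it confirms the nfs/<fqdn>@REALM entry rpc.gssd asks for is present, flags a DES-only key (which MIT krb5 1.7 and later refuse unless allow_weak_crypto is set), and on a live host proves the key matches the KDC's copy with kinit -k.

```shell
#!/bin/sh
# Added keytab check for the NFSv4 + Kerberos setup in the post above; not part
# of the original message. Assumes MIT krb5 tools (klist, kinit) and the keytab
# path /etc/krb5.keytab used in the post. SAMPLE_LISTING is a constructed
# `klist -k -e` listing shaped like the client keytab ktpass produced there.

SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfsclient.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)'

# Service principal rpc.gssd / rpc.svcgssd look up for a host: nfs/<fqdn>@<REALM>
nfs_principal() {
    printf 'nfs/%s@%s\n' "$1" "$2"
}

# Print the enctype of every entry for principal $2 in listing $1, one per line.
# Exit status 1 when the principal is absent (the condition behind the
# "Key table entry not found" line in the client log, there for root/...).
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && match($0, /\(.*\)/) { print substr($0, RSTART + 1, RLENGTH - 2); found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Verdict for one host: "missing" (no nfs/ key, the mount cannot work),
# "weak-enctype" (single-DES keys only: accepted by the krb5 of the post's era,
# refused by MIT krb5 >= 1.7 unless allow_weak_crypto = true), or "ok".
check_keytab() {
    enctypes=$(keytab_enctypes "$1" "$(nfs_principal "$2" "$3")") || { echo missing; return 1; }
    if printf '%s\n' "$enctypes" | grep -qiv '^des cbc'; then echo ok; else echo weak-enctype; fi
}

# Live check on this host: inspect the real keytab, then prove the stored key
# matches the KDC's copy with kinit -k (a stale key after ktpass -pass fails here).
verify_live() {
    command -v klist >/dev/null 2>&1 || { echo 'klist not installed; skipping'; return 0; }
    fqdn=$(hostname -f)
    princ=$(nfs_principal "$fqdn" "$1")
    listing=$(klist -k -e /etc/krb5.keytab) || return 1
    echo "keytab: $(check_keytab "$listing" "$fqdn" "$1")"
    kinit -k -t /etc/krb5.keytab "$princ" && echo "kinit -k $princ: ok" && kdestroy
}

# Usage on the NFS client or server: verify_live EXAMPLE.COM
```

Run it on both machines: the server must hold nfs/nfsserver.example.com@EXAMPLE.COM and the client nfs/nfsclient.example.com@EXAMPLE.COM, each passing kinit -k.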