nfs4 client with kerberos

Hi there,

I need to use OpenVPN to get to the company LAN and mount an NFS share. We use NFS to secure access to NFS. I can connect to the VPN and access web and ssh servers. Kinit to my own principal works fine. But root cannot get a valid Kerberos ticket to mount NFS shares. I already tried doing the same on the local net (no VPN involved) with the same results, and tried disabling SELinux and flushing iptables rules to no effect.

Another notebook works fine and it looks to me both have the same settings, except one has F13 (the one that works) and the other has F14 (the one that doesn't).

I added -v -v to rpc.gssd and the logs show that:

Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is '<null>'
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/lg.example.com@USERS' using keytab 'WRFILE:/etc/krb5.keytab'
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for connection to server filesystem.example.com
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall

[all output was edited to change my employee DNS domain name to example.com]

But the correct ticket (certificate?) is on the keytab, as shown by klist:

[root@lg etc]# hostname
lg

[root@lg etc]# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS

Any idea why one notebook can mount and authenticate root/the computer itself using Kerberos, but the other, older Fedora can't, using the same configs?

I already tried moving the certificate from one computer to the other (and of course changing the hostname) and requesting a new certificate from the company sysadmin. Same results. I guess it should be something local to the netbook, like name resolution, but all network settings are the same for both notebooks. One works, the other doesn't, whatever keytab I use.


[]s, Fernando Lozano
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines