On Thu, Apr 07, 2011 at 01:24:18PM -0300, fernando@xxxxxxxxxxxxx wrote:
> Hi there,
> I need to use OpenVPN to get to the company LAN and mount an NFS share.
> We use NFS to secure access to NFS. I can connect to the VPN and access
> web and ssh servers. Kinit to my own principal works fine. But root
> cannot get a valid kerberos ticket to mount NFS shares. I already tried
> doing the same on the local net (no VPN involved) with same results,
> and tried disabling SELinux and flushing iptables rules to no effect.
> Another notebook works fine and it looks to me both have the same
> settings, except one has F13 (the one that works) and the other has F14
> (the one that doesn't).
> I added -v -v to rpcgssd and the logs show that:
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is '<null>'
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/lg.example.com@USERS' using keytab 'WRFILE:/etc/krb5.keytab'
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for connection to server filesystem.example.com
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall
> [all output was edited to change my employee dns domain name to
> example.com]
> But the correct ticket (certificate?) is on the keytab, as shown by
> klist:
> [root@lg etc]# hostname
> lg
> [root@lg etc]# klist -k
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 nfs/lg.example.com@USERS
> Any idea why one notebook can mount and authenticate root/the computer
> itself using kerberos, but the other, older Fedora can't, using the
> same configs?

Use "klist -k -e" to check the type of key you have. If it's DES, and
you don't have "allow_weak_crypto" enabled in the [libdefaults] section
of your /etc/krb5.conf, the key will be skipped over. This is something
that changed between the versions included in F13 and F14, so from what
I can tell, it fits.

HTH,

Nalin
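
The check suggested in the reply, as an added example that is not part of the original thread: it reads saved `klist -k -e` output and a krb5.conf and reports single-DES keys that would be skipped when `allow_weak_crypto` is not enabled. The function names, the enctype label spellings matched, and the sample data (including the DES enctype on the nfs principal and the AES host entry) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from a real host.

# des_keys FILE: list single-DES entries found in saved `klist -k -e` output.
des_keys() {
    awk '$1 ~ /^[0-9]+$/ && match($0, /\(.*\)[ \t]*$/) {
        e = tolower(substr($0, RSTART + 1))
        # "des cbc ..." or "des-cbc-..." is single DES; "triple des" and "des3-" are not
        if (e ~ /^(deprecated:)?des[- ]cbc/) print $1, $2, substr($0, RSTART)
    }' "$1"
}

# weak_crypto_allowed FILE: succeeds if [libdefaults] enables allow_weak_crypto.
weak_crypto_allowed() {
    awk '/^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            ok = (v ~ /^(true|yes|on|1|y|t)$/)
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# check_keytab KLIST_OUTPUT KRB5_CONF: returns 1 if DES keys would be skipped.
check_keytab() {
    weak=$(des_keys "$1")
    if [ -z "$weak" ]; then echo "OK: no single-DES keys"; return 0; fi
    if weak_crypto_allowed "$2"; then
        echo "WARN: DES keys usable only because allow_weak_crypto is on:"
        echo "$weak"; return 0
    fi
    echo "FAIL: DES keys will be skipped (allow_weak_crypto not enabled):"
    echo "$weak"; return 1
}

# Constructed inputs: one DES key and one AES key, and a krb5.conf without the flag.
tmp=$(mktemp -d)
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (DES cbc mode with CRC-32)
   2 host/lg.example.com@USERS (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = USERS
EOF
check_keytab "$tmp/klist.txt" "$tmp/krb5.conf" || true
```

On a real host, save the output with `klist -k -e > klist.txt` as root and pass `/etc/krb5.conf` as the second argument.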