NFS + Kerberos can't mount


 



Hi there,

Here I am again with a problem mounting a remote NFS share using NFS. The server is Debian but the client is Fedora 15. It used to work using Fedora 14, but after a fresh F15 install I can't mount the remote share. My F15 box has all updates so far.

I do have connectivity to the Kerberos server because kinit my_principal works fine:

[teste@lgx200 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: my_principal@USERS

Valid starting     Expires            Service principal
10/06/11 16:23:35  10/07/11 16:23:12  krbtgt/USERS@USERS
    renew until 10/13/11 16:23:12

The host certificate (/etc/krb5.keytab) also looks fine:

[teste@lgx200 ~]$ klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br@USERS
[teste@lgx200 ~]$ klist -k -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br@USERS (des-cbc-crc)

I start rpcgssd (with -vvv) and rpcidmapd

[root@lgx200 ~]# ps ax | grep rpc
 1066 ?        S<     0:00 [rpciod]
 2878 ?        Ss     0:00 rpc.idmapd
 3747 ?        Ss     0:00 rpc.gssd -v -v -v
 3847 pts/0    S+     0:00 grep --color=auto rpc


but when I try to mount:

mount -t nfs -o sec=krb5 192.168.0.3:/FILES /media/FILES
mount.nfs: access denied by server while mounting 192.168.0.3:/FILES

/var/log/messages shows:

Oct  6 17:56:16 lgx200 rpc.gssd[3747]: beginning poll
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c4fc data 0xbfe6c57c
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c3ec data 0xbfe6c46c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6faec data 0xbfe6fb6c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: process_krb5_upcall: service is '<null>'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Full hostname for 'filesystem.example.com.br' is 'filesystem.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: No credentials found for connection to server filesystem.4linux.com.br
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: doing error downcall
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt9
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8


It looks like F15 doesn't like the keytab file that used to work on the same machine using F14.


/etc/sysconfig/nfs has:

SECURE_NFS="yes"

And /etc/krb5.conf has:

[libdefaults]
 default_realm = USERS
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

As I said, it used to work, and I could not find a clue about what to change on Google.


[]s, Fernando Lozano

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
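
An added example, not part of the original post: a small Python triage of the `rpc.gssd -v -v -v` lines and the `klist -k -e` listing quoted above. It extracts the enctypes offered in the upcall, the keytab entries, and the hostnames rpc.gssd could not resolve, then cross-checks them. The sample lines are copied from the post; the function name `triage` and the name-to-number table (standard Kerberos enctype assignments) are this example's own.

```python
import re

# Kerberos enctype numbers for the names klist -e prints (standard assignments).
ENCTYPE_NUM = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18, "arcfour-hmac": 23,
}

# Sample input: lines copied from the post above.
GSSD_LOG = """\
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Full hostname for 'filesystem.example.com.br' is 'filesystem.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: No credentials found for connection to server filesystem.4linux.com.br
"""
KLIST = """\
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br@USERS (des-cbc-crc)
"""

def triage(log, klist):
    """Summarise what rpc.gssd reported and how it lines up with the keytab."""
    offered, unresolved, errors = set(), [], []
    for line in log.splitlines():
        m = re.search(r"enctypes=([\d,]+)", line)
        if m:
            offered |= {int(n) for n in m.group(1).split(",")}
        m = re.search(r"Name or service not known while getting full "
                      r"hostname for '([^']+)'", line)
        if m:
            unresolved.append(m.group(1))
        m = re.search(r"ERROR: (.*)", line)
        if m:
            errors.append(m.group(1))
    keytab = []
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)", klist, re.M):
        principal, enc = m.groups()
        # Newer klist builds prefix weak enctypes with "DEPRECATED:".
        num = ENCTYPE_NUM.get(enc.replace("DEPRECATED:", ""))
        host = principal.partition("/")[2].partition("@")[0]
        keytab.append({"principal": principal, "enctype": num,
                       "offered": num in offered,
                       "host_unresolved": host in unresolved})
    return {"offered": sorted(offered), "unresolved": unresolved,
            "errors": errors, "keytab": keytab}
```

On the quoted data the keytab's single enctype is among those offered in the upcall, and the host part of the keytab principal is the name rpc.gssd reported it could not resolve.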