nfs client kerberos cache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Greetings,

Not sure if this is the correct mail list.

I have the following test environment set up:
- 1x ipa master = ipa1.example.com
- 1x nfs server = nfs1.example.com
- 1x nfs client = nfsclient1.example.com

NFS version 4 is used and the appropriate Kerberos principal has been
created in IPA:

[root@nfs1 ~]# ipa service-show nfs/nfs1.example.com@xxxxxxxxxxx

Principal: nfs/nfs1.example.com@xxxxxxxxxxx
Keytab: True
Managed by: nfs1.example.com


Mounting using krb5p works: 

[root@nfsclient1 ~]# mount -v -t nfs -o sec=krb5p
nfs1.example.com:/exports/homes/ /mnt

mount.nfs: timeout set for Mon Jan  6 21:25:56 2014
mount.nfs: trying text-based options
'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173'
nfs1.example.com:/exports/homes/ on /mnt type nfs (rw,sec=krb5p)

rpcgssd created the Kerberos cache file as indicated
in /var/log/messages:
rpc.gssd[2473]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_EXAMPLE.COM' are good until 1389125973


So far so good, but then:

1) I unmount everything from nfs1, remove the nfs1.example.host, its DNS
record(s) and service principcals.
2) I redeploy the nfs1.example.com and re-create the
nfs/nfs1.example.com@xxxxxxxxxxx principal

3) I try to mount the same NFS share from nfs1 on nfsclient1 I get an
error:
mount.nfs: trying text-based options
'sec=krb5p,vers=4,addr=192.168.12.172,clientaddr=192.168.12.173'
mount.nfs: mount(2): Operation not permitted

Now I'm not an IPA or Kerberos expert but I am guessing that this
happens because the nfsclient1 still has, and uses,
the /tmp/krb5cc_machine_EXAMPLE.COM cache file?
This file would have the “old” Kerberos credentials?...

On the NFS server in /var/log/messages this error message is displayed:
"rpc.svcgssd[5983]: ERROR: GSS-API: error in handle_nullreq:
gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor
code may provide more information) - Wrong principal in request"

On the NFS client in /var/log/messages these messages are displayed:
"creating context with server nfs@xxxxxxxxxxxxxxxx"

"WARNING: Failed to create machine krb5 context with credentials cache
FILE:/tmp/krb5cc_machine_EXAMPLE.COM for server nfs1.example.com"

"WARNING: Machine cache is prematurely expired or corrupted trying to
recreate cache for server nfs1.example.com"

Restarting the rpcgssd daemon works, this action removes
the /tmp/krb5cc_machine_EXAMPLE.COM file and upon a mount command it is
recreated.
However restarting the rpcgssd daemon on all NFS clients every time an
NFS server is redeployed doesn't feel right.

Anyone perhaps have an idea on what I might be doing wrong?
Or is this by design?


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos





[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux