On Friday, October 13, 2023 6:11:18 AM EDT Torkil Svensgaard wrote:
> Hi
>
> We have kerberos working with bare metal kernel NFS exporting RBDs. I
> can see in the ceph documentation[1] that nfs-ganesha should work with
> kerberos but I'm having little luck getting it to work.
>

Could you clarify how you are deploying the ganesha instances? I think you may be asking about cephadm deployed containers but it is not clear to me. There are a couple of viable ways to deploy nfs-ganesha today: manually/"bare-metal", cephadm, and rook.

> This bit from the container log seems to suggest that some plumbing is
> missing?
>
> "
> 13/10/2023 08:09:12 : epoch 6528fb25 : ceph-flash1 :
> ganesha.nfsd-2[main] nfs_rpc_cb_init_ccache :NFS STARTUP :EVENT
>
> :Callback creds directory (/var/run/ganesha) already exists
>
> 13/10/2023 08:09:12 : epoch 6528fb25 : ceph-flash1 :
> ganesha.nfsd-2[main] find_keytab_entry :NFS CB :WARN :Configuration file
> does not specify default realm while getting default realm name
> 13/10/2023 08:09:12 : epoch 6528fb25 : ceph-flash1 :
> ganesha.nfsd-2[main] gssd_refresh_krb5_machine_credential :NFS CB :CRIT
>
> :ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry
>
> found in keytab /etc/krb5.keytab for connection with host localhost
> 13/10/2023 08:09:12 : epoch 6528fb25 : ceph-flash1 :
> ganesha.nfsd-2[main] nfs_rpc_cb_init_ccache :NFS STARTUP :WARN
>
> :gssd_refresh_krb5_machine_credential failed (-1765328160:0)
>
> "
>
> Thoughts?
>
> Mvh.
>
> Torkil
>
> [1] https://docs.ceph.com/en/quincy/mgr/nfs/#create-cephfs-export
>

Based on your mention of "container log" above I assume this is on either cephadm or rook. The rook team has been actively working on adding kerberized nfs support and we added the `sectype` option for that work. Currently, cephadm doesn't have support for kerberos because it lacks the server side components needed to connect to krb5/ldap.
I would like to see this support eventually come to cephadm but it's not there today IMO. A manual deployment of nfs-ganesha ought to also be able to make use of this option. Ultimately, this generates ganesha config blocks and is mostly agnostic of the cluster/deployment method, but I have not tried it out myself.