We are starting to add some EL9 clients into the mix on our network. Autofs mounts are working fine when initiated by a regular user, but they are failing when initiated by root. This works fine from our EL8 clients.

Client:

kernel 5.14.0-362.18.1.el9_3.x86_64
nfs-utils-2.5.4-20.el9.x86_64

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client.fqdn@xxxxxxxx (aes256-cts-hmac-sha1-96)
   1 host/client.fqdn@xxxxxxxx (aes128-cts-hmac-sha1-96)

Server:

kernel 4.18.0-513.18.1.el8_9.x86_64
nfs-utils-2.3.3-59.el8.x86_64

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server.fqdn@xxxxxxxx (aes256-cts-hmac-sha1-96)
   1 host/server.fqdn@xxxxxxxx (aes128-cts-hmac-sha1-96)
   1 nfs/server.fqdn@xxxxxxxx (aes256-cts-hmac-sha1-96)
   1 nfs/server.fqdn@xxxxxxxx (aes128-cts-hmac-sha1-96)

Client rpc.gssd:

rpc.gssd[778]: handle_gssd_upcall(0x7f15a0299840): 'mech=krb5 uid=0 enctypes=20,19,26,25,18,17' (nfs/clnt3)
rpc.gssd[778]: start_upcall_thread(0x7f15a0299840): created thread id 0x7f159f1fe640
rpc.gssd[778]: krb5_use_machine_creds(0x7f159f1fe640): uid 0 tgtname (null)
rpc.gssd[778]: No key table entry found for client$@NWRA.COM while getting keytab entry for 'client$@NWRA.COM'
rpc.gssd[778]: No key table entry found for CLIENT$@NWRA.COM while getting keytab entry for 'SRV-MRY01$@NWRA.COM'
rpc.gssd[778]: No key table entry found for root/client.fqdn@xxxxxxxx while getting keytab entry for 'root/client.fqdn@xxxxxxxx'
rpc.gssd[778]: No key table entry found for nfs/client.fqdn@xxxxxxxx while getting keytab entry for 'nfs/client.fqdn@xxxxxxxx'
rpc.gssd[778]: find_keytab_entry(0x7f159f1fe640): Success getting keytab entry for 'host/client.fqdn@xxxxxxxx'
rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar 1 10:39:34 2024
rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar 1 10:39:34 2024
rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating tcp client for server server.fqdn
rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating context with server nfs@xxxxxxxxxxx
rpc.gssd[778]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@xxxxxxxxxxx
rpc.gssd[778]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_NWRA.COM for server server.fqdn
rpc.gssd[778]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server server.fqdn
rpc.gssd[778]: No key table entry found for client$@NWRA.COM while getting keytab entry for 'client$@NWRA.COM'
rpc.gssd[778]: No key table entry found for CLIENT$@NWRA.COM while getting keytab entry for 'SRV-MRY01$@NWRA.COM'
rpc.gssd[778]: No key table entry found for root/client.fqdn@xxxxxxxx while getting keytab entry for 'root/client.fqdn@xxxxxxxx'
rpc.gssd[778]: No key table entry found for nfs/client.fqdn@xxxxxxxx while getting keytab entry for 'nfs/client.fqdn@xxxxxxxx'
rpc.gssd[778]: find_keytab_entry(0x7f159f1fe640): Success getting keytab entry for 'host/client.fqdn@xxxxxxxx'
rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar 1 10:39:34 2024
rpc.gssd[778]: gssd_get_single_krb5_cred(0x7f159f1fe640): Credentials in CC 'FILE:/tmp/krb5ccmachine_NWRA.COM' are good until Fri Mar 1 10:39:34 2024
rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating tcp client for server server.fqdn
rpc.gssd[778]: create_auth_rpc_client(0x7f159f1fe640): creating context with server nfs@xxxxxxxxxxx
rpc.gssd[778]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@xxxxxxxxxxx
rpc.gssd[778]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_NWRA.COM for server server.fqdn
rpc.gssd[778]: ERROR: Failed to create machine krb5 context with any credentials cache for server server.fqdn
rpc.gssd[778]: do_error_downcall(0x7f159f1fe640): uid 0 err -13

mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting

I don't seem to be getting any useful information from rpc.gssd on the server.

Please include me in replies.

-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/