Pardon me for barging in on a kernel-oriented list, but I'm hoping some of the NFS wizards here can shed some light on something...

We have Active Directory-bound/ID mapping working and Kerberized NFSv4 shares on CentOS 6.3. World-readable and -executable directories are readily accessed, but private directories fail:

ID mapping works identically on the server and the client:

    [joeuser@nfsclient ~]$ id joeuser
    uid=56055(joeuser) gid=6502(domain users) groups=6502(domain users),1000001(BUILTIN\users)

... and we can mount directories with -o sec=none/krb5/krb5i/krb5p:

    [joeuser@nfsclient ~]$ sudo mount -t nfs4 -o proto=tcp,port=2049 -o sec=krb5p nfsserver.example.com:/testdir /mnt
    [joeuser@nfsclient ~]$ ls -l /mnt
    drwx------ 2 user1 domain users 4096 Aug 3 11:43 user1
    drwx------ 2 adbinder domain users 4096 Aug 17 15:20 adbinder
    drwx------ 2 joeuser domain users 4096 Aug 3 11:43 joeuser

... but we hit the wall here:

    [joeuser@nfsclient ~]$ cd /mnt/joeuser
    bash: cd: joeuser: Permission denied

At this point, we get a warning from rpc.gssd:

    nfsclient rpc.gssd[10256]: using FILE:/tmp/krb5cc_56055_od8D5s as credentials cache for client with uid 56055 for server nfsserver.example.com
    nfsclient rpc.gssd[10256]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_56055_od8D5s
    nfsclient rpc.gssd[10256]: creating context using fsuid 56055 (save_uid 0)
    nfsclient rpc.gssd[10256]: creating tcp client for server nfsserver.example.com
    nfsclient rpc.gssd[10256]: creating context with server nfs@xxxxxxxxxxxxxxxxxxxxx
    nfsclient rpc.gssd[10256]: WARNING: Failed to create krb5 context for user with uid 56055 for server nfsserver.example.com
    nfsclient rpc.gssd[10256]: WARNING: Failed to create krb5 context for user with uid 56055 for server nfsserver.example.com
    nfsclient rpc.gssd[10256]: doing error downcall

Can anyone tell me why this mount succeeds but accessing non-world-readable/executable directories would fail?

Kerberos appears to be working up to this point: we can kinit -k NFSCLIENT$ and do a `net ads keytab nfs` without entering a password... and since Kerberos appears to be fine, I'm turning to the linux-nfs list. :-)

I've tried making the share user-mountable and calling `mount` as an ordinary user (i.e., without using machine credentials) but this fails with the same error.

Details about our setup and more debug output are available in this post:

http://mailman.mit.edu/pipermail/kerberos/2012-August/018351.html

Random guesses and suggestions from those more experienced than me would be more than welcome at this point. :-)

Many thanks,

--
Derek Warren, IT Services, Research Computing Group, SFU