Ray via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> I run FreeIPA across a few sites with five replicated servers. The IPA version is the current CentOS one: 4.5.0-21
> At two of those sites a kerberized NFS service is offered to the client machines. All clients and servers involved are CentOS 7.4 boxes.
Unfortunately a lot of this code changes in 7.5, but let me check if anything obvious is wrong.
> For both NFS servers I configured NFS service principals and when I click my way in the GUI Identity -> Services -> nfs.server1 resp. nfs.server2 I get to see "Kerberos Key Present, Service Provisioned" for both. So far things seem ok.
> However, mounting works only from server1, for clients at both sites (site1 to site2 mounting and vice versa is allowed). Mounting anything from server2 keeps failing:
> Site 2: local mount attempt:
>
> root@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p server.at.site2:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec 9 17:03:02 2017
> mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=xx.xx.xx.xx,clientaddr=yy.yy.yy.yy'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting server.at.site2:/local/test
> root@client.at.site2:~#
How long does this failure take? Is it immediate, or does it take more than a minute or so?
> Site 2: remote mount attempt:
>
> root@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p server.at.site1:/local/test /mnt
> mount.nfs4: timeout set for Sat Dec 9 17:03:10 2017
> mount.nfs4: trying text-based options 'sec=krb5p,vers=4.1,addr=zz.zz.zz.zz,clientaddr=yy.yy.yy.yy'
> root@client.at.site2:~#
Can you check rpc-gssd logs on the machine you're mounting from?
> At site2's server I disabled:
> - the firewall
> - selinux
If you turn on selinux, do things change?
> I did restart nfs with systemctl restart nfs-server, but there's not much happening in tail -f /var/log/messages, nor does journalctl -f show anything new on failing mount attempts as shown above.
Can you post gssproxy logs during the failed mount attempt from site2?
> The fact that I can mount anything at all on the client indicates that the client is ok. In desperation, I reinstalled the NFS server at site2 last weekend from scratch. But now I run into the same issue as before. Might there be something wrong with the service principals after all?
`klist -ek` the keytab on both sites. Also check kvno for all principals involved.
Thanks,
--Robbie
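The `klist -ek` / kvno check suggested above, as an added helper script that is not part of the thread: it parses the output of `klist -ek` (keytab on the NFS server) and of `kvno` (what the KDC issues now) and lists every principal whose key version differs, since a keytab left behind after the service key was regenerated is a common cause of "access denied by server". The realm, principal names and both command outputs below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the key version numbers (kvno)
# in a host's keytab with the kvno the KDC currently issues for each principal.
# In a real run, feed the output of:
#   klist -ek /etc/krb5.keytab
#   kvno host/server.at.site2@REALM nfs/server.at.site2@REALM
# Here both outputs are constructed sample text (realm EXAMPLE.TEST is made up).

# Constructed sample of `klist -ek /etc/krb5.keytab` on the site2 NFS server.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.at.site2@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/server.at.site2@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 nfs/server.at.site2@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 nfs/server.at.site2@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Constructed sample of `kvno` output: the nfs key was regenerated (kvno 3)
# after this keytab was written, so the keytab's kvno 1 key is stale.
KDC_KVNO='host/server.at.site2@EXAMPLE.TEST: kvno = 2
nfs/server.at.site2@EXAMPLE.TEST: kvno = 3'

# keytab_kvnos LISTING -> "principal kvno" lines, one per principal
# (the same principal appears once per enctype in klist -ek, so dedup).
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2, $1 }' | sort -u
}

# kdc_kvnos OUTPUT -> "principal kvno" lines parsed from `kvno` output.
kdc_kvnos() {
    printf '%s\n' "$1" | awk -F'[: ]+' '/kvno = / { print $1, $NF }'
}

# stale_principals LISTING KDCOUT -> one line per principal whose keytab kvno
# differs from the KDC kvno; empty output means the keytab is current.
stale_principals() {
    {
        keytab_kvnos "$1" | sed 's/^/K /'
        kdc_kvnos "$2" | sed 's/^/D /'
    } | awk '
        $1 == "K" { kt[$2] = $3 }
        $1 == "D" { kdc[$2] = $3 }
        END {
            for (p in kt)
                if ((p in kdc) && kt[p] != kdc[p])
                    print p, "keytab=" kt[p], "kdc=" kdc[p]
        }' | sort
}

stale_principals "$KEYTAB_LISTING" "$KDC_KVNO"
```

A principal listed here means the server cannot decrypt tickets the KDC issues for it; re-fetching the keytab (with the existing key retained, or all hosts updated) resolves the mismatch.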