Hello all,
I cannot get Kerberos security working on an NFSv4 server I'm setting up on RHEL7, using sssd with Microsoft Active Directory. The problem seems to lie with gssproxy. But I'm having a very difficult time with debugging.
gssproxy has a "-d" flag that enables debugging. But it is pretty much useless. :-( The only additional information it syslogs is:
Nov 13 15:00:08 server gssproxy: gp_rpc_execute: executing 9 (GSSX_ACCEPT_SEC_CONTEXT) for service "nfs-server", euid: 0, socket: /run/gssproxy.sock
Nov 13 15:00:08 server rpc.gssd[4921]: destroying client /var/lib/nfs/rpc_pipefs/nfsd4_cb/clnt2
If I strace the gssproxy daemon, I see error messages like this:
2464 open("/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnta/krb5", O_RDWR) = -1 ENOENT (No such file or directory)
2464 open("/var/lib/nfs/rpc_pipefs/nfsd4_cb/clnta/gssd", O_RDWR) = -1 ENOENT (No such file or directory)
But I'm not sure if these errors are important.
If I tcpdump the connection between the client and the server, I see that the server responds to the client's AP-REQ attempts by simply closing the TCP connection.
We already have RHEL7 NFSv4 clients that use sec=krb5 with a commercial NAS NFSv4 server, so I know the basics of configuring NFSv4 with krb5 security. The same client configuration works perfectly with the NAS server using krb5/krb5i/krb5p security. And I can mount the Linux NFS server as long as I use sec=sys; it only fails when I use sec=krb5 as a mount option. So it's very clearly the Kerberos piece that's failing on the server.
But I have no idea where to go from here, because the debugging information that gssproxy emits gives me no clues as to what's wrong on the server.
There has to be some way to get more debugging information than this. Help?