Hello everyone,
I'm having difficulty configuring GSS Proxy with NFS4.2 on Fedora 23. My set up is
fairly minimal (details below): all machines run Fedora 23. I have also tested using a
CentOS 7 NFS4 client, which was previously connected to a different FreeIPA domain and a
FreeNAS NFS server (GSS Proxy worked in this case). When joined to the new domain and
Fedora NFS server however, it displayed the same behaviour as the Fedora 23 clients.
Using the current Fedora 23 configuration, NFS seems to work correctly. I'm able to
mount all shares, and kinit to access them as expected. Groups and users are mapped
correctly on both client and server.
Unfortunately, gssproxy and rpc.gssd are generating errors as soon as I mount these shares
on the NFS client:
gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may
provide more information, No credentials cache found
gssproxy[587]: gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
Minor code may provide more information, No credentials cache found
On the NFS client, strace of gssproxy during mount shows:
strace -p $(pidof rpc.gssd) -s4096 -f
[...]
[pid 599] open("/var/lib/gssproxy/clients/krb5cc_0", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
[pid 599] open("/var/lib/gssproxy/clients/0.keytab", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 599] writev(2, [{"gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified
GSS failure. Minor code may provide more information, No credentials cache found\n",
141}], 1) = 141
[pid 599] sendto(3, "<83>Feb 7 00:09:44 gssproxy[594]: (OID: { 1 2 840
113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No
credentials cache found\n", 161, MSG_NOSIGNAL, NULL, 0) = 161
Note: this also occurs during file access.
On the NFS client, the journal shows this on mount (RPCGSSDARGS="-vvv"):
CHILD forked pid 19084
rpc.gssd[607]: Full hostname for 'nfs-server.example.com' is
'nfs-server.example.com'
rpc.gssd[607]: Full hostname for 'nfs-client.example.com' is
'nfs-client.example.com'
rpc.gssd[607]: No key table entry found for nfs-client$(a)EXAMPLE.COM while getting keytab
entry for 'nfs-client$(a)EXAMPLE.COM'
rpc.gssd[607]: No key table entry found for NFS-CLIENT$(a)EXAMPLE.COM while getting keytab
entry for 'NFS-CLIENT$(a)EXAMPLE.COM'
rpc.gssd[607]: No key table entry found for root/nfs-client.example.com(a)EXAMPLE.COM while
getting keytab entry for 'root/nfs-client.example.com(a)EXAMPLE.COM'
rpc.gssd[607]: No key table entry found for nfs/nfs-client.example.com(a)EXAMPLE.COM while
getting keytab entry for 'nfs/nfs-client.example.com(a)EXAMPLE.COM'
rpc.gssd[607]: Success getting keytab entry for
'host/nfs-client.example.com(a)EXAMPLE.COM'
rpc.gssd[607]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are
good until 1454848445
rpc.gssd[607]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are
good until 1454848445
rpc.gssd[607]: using
FILE:/tmp/krb5ccmachine_EXAMPLE.COM as credentials cache for machine
creds
rpc.gssd[607]: using environment variable to select krb5 ccache
FILE:/tmp/krb5ccmachine_EXAMPLE.COM
rpc.gssd[607]: creating tcp client for server
nfs-server.example.com
rpc.gssd[607]: creating context with server nfs(a)nfs-server.example.com
rpc.gssd[607]: doing downcall: lifetime_rec=83766 acceptor=nfs(a)nfs-server.example.com
And this when UID 40058920 accesses its share:
rpc.gssd[607]: handle_gssd_upcall: 'mech=krb5 uid=40058920 enctypes=18,17,16,23,3,1,2
' (nfs/clntb)
rpc.gssd[3914]: CHILD forked pid 3914
rpc.gssd[3914]: krb5_not_machine_creds: uid 40058920 tgtname (null)
gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may
provide more information, No credentials cache found
rpc.gssd[3914]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified
GSS failure. Minor code may provide more information) - No Kerberos credentials available
(default cache: KEYRING:persistent:40058920)
rpc.gssd[3914]: looking for client creds with uid 40058920 for server
nfs-server.example.com in /tmp
rpc.gssd[3914]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' being considered, with
preferred realm 'EXAMPLE.COM'
rpc.gssd[3914]: CC '/tmp/krb5ccmachine_EXAMPLE.COM' owned by 0, not 40058920
rpc.gssd[3914]: looking for client creds with uid 40058920 for server
nfs-server.example.com in /run/user/%U
rpc.gssd[3914]: doing error downcall
gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may
provide more information, No credentials cache found
gssproxy[587]: gssproxy[594]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
Minor code may provide more information, No credentials cache found
I can't figure out why GSS Proxy isn't looking for the daemon's keytabs in
/var/lib/gssproxy/clients/. I note though that the error message occurs even before
accessing files on the mount. I would really appreciate any advice on checking my
configuration, and troubleshooting the issue.
Thank you very much,
James
-----------------------
CONFIGURATION
-----------------------
FREEIPA SERVER:
10.0.40.2
ipaserver.example.com (Fedora 23)
uname -a
Linux
ipaserver.example.com 4.3.4-300.fc23.x86_64
ipa-server-install --domain=example.com --hostname=example.example.com
--realm=EXAMPLE.COM --ip-address=10.0.40.2 --http-cert-file ipa-server.example.com.pfx
--dirsrv-cert-file ipa-server.example.com.pfx
Note: external DNS server
Default /etc/gssproxy/gssproxy.conf
-----------------------
NFS SERVER
10.0.40.10
nfs-server.example.com (Fedora 23)
uname -a
Linux
nfs-server.example.com 4.3.4-300.fc23.x86_64
ipa-client-install
kinit admin(a)EXAMPLE.COM
ipa-getkeytab --server
ipa-server.example.com --principal
nfs/nfs-server.example.com(a)EXAMPLE.COM --keytab /etc/krb5.keytab
cat /etc/exports
/srv/raid
*(fsid=0,sec=krb5p:krb5i,sync)
/srv/raid/download *(sec=krb5i,sync)
/srv/raid/media *(sec=krb5i,sync)
/srv/raid/user *(sec=krb5p,sync)
Note: setting the security to "sys" only does not prevent the gssproxy errors,
nor does sharing directories owned by unmapped UID/GID.
firewall-cmd --list-all-zones
[...]
user (active)
[...]
services: mdns nfs
[...]
dnf list installed
freeipa-client.x86_64 4.2.3-2.fc23
gssproxy.x86_64 0.4.1-4.fc23
nfs-utils.x86_64 1:1.3.3-6.rc3.fc23
Default /etc/gssproxy/gssproxy.conf
-----------------------
FEDORA NFS CLIENT
10.0.40.5
nfs-client.example.com (Fedora 23)
uname -a
Linux
nfs-client.example.com 4.3.4-300.fc23.x86_64
ipa-client-install
kinit admin(a)EXAMPLE.COM
ipa-getkeytab --server
ipa-server.example.com --principal emby(a)EXAMPLE.COM --keytab
/var/lib/gssproxy/clients/40058920.keytab
Note: 40058920 is the correct UID of
emby(a)EXAMPLE.COM
dnf list installed
freeipa-client.x86_64 4.2.3-2.fc23
gssproxy.x86_64 0.4.1-4.fc23
nfs-utils.x86_64 1:1.3.3-6.rc3.fc23
Default /etc/gssproxy/gssproxy.conf
-----------------------
CENTOS NFS CLIENT (known working client configuration, but not working with current IPA
domain and NFS server)
10.0.40.7
nfs-client2.example.com (CentOS 7)
uname -a
Linux
nfs-client2.example.com 3.10.0-327.el7.x86_64
ipa-client-install
dnf list installed
ipa-client.x86_64
4.2.0-15.el7.centos.3
gssproxy.x86_64 0.4.1-7.el7
nfs-utils.x86_64 1:1.3.0-0.21.el7
Default /etc/gssproxy/gssproxy.conf
-----------------------