Hi,

I really struggle with “permission denied” while mounting NFS share with sec=krb5;

Both machines(Ubuntu 14.04) , NFS client and server are configured with SSSD, and authentication seems to work (only one test user for configuration with PoSIX ids ;)

‘getent passwd longina’ returns correct values on both.

I joined both machines to AD with ‘realmd’, and additionaly created SPN principal nfs/jota.nat.c.example.com@NAT.C.EXAMPLE.COM with setspn.exe on AD

and added keys to the /etc/krb5.keytab .

I expect to be able to mount NFS share with sec=krb5 as root on client using machine credentials.

HERE some debugging output

Output on client (jedi) from 'rpc.gssd' while mounting nfs share

-----------------

doing error downcall

handling gssd upcall (/run/rpc_pipefs/nfs/clnt9)

handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '

handling krb5 upcall (/run/rpc_pipefs/nfs/clnt9)

process_krb5_upcall: service is '<null>'

Full hostname for 'jota.nat.c.sdu.dk' is 'jota.nat.c.sdu.dk'

Full hostname for 'jedi.nat.c.sdu.dk' is 'jedi.nat.c.sdu.dk'

Success getting keytab entry for 'JEDI$@NAT.C.SDU.DK'

INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until 1407542806

using FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK as credentials cache for machine creds

using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK

creating context using fsuid 0 (save_uid 0)

creating tcp client for server jota.nat.c.sdu.dk

DEBUG: port already set to 2049

creating context with server nfs@jota.nat.c.sdu.dk

WARNING: Failed to create krb5 context for user with uid 0 for server jota.nat.c.sdu.dk

WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK for server jota.n\

at.c.sdu.dk

WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server jota.nat.c.sdu.dk

Full hostname for 'jota.nat.c.sdu.dk' is 'jota.nat.c.sdu.dk'

Full hostname for 'jedi.nat.c.sdu.dk' is 'jedi.nat.c.sdu.dk'

Success getting keytab entry for 'JEDI$@NAT.C.SDU.DK'

INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK' are good until 1407542806

using FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK as credentials cache for machine creds

using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_NAT.C.SDU.DK

creating context using fsuid 0 (save_uid 0)

creating tcp client for server jota.nat.c.sdu.dk

DEBUG: port already set to 2049

creating context with server nfs@jota.nat.c.example.com

WARNING: Failed to create krb5 context for user with uid 0 for server jota.nat.c.example.com

WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM for server jota.n\

at.c.example.com

WARNING: Failed to create machine krb5 context with any credentials cache for server jota.nat.c.example.com

doing error downcall

destroying client /run/rpc_pipefs/nfs/clnta

destroying client /run/rpc_pipefs/nfs/clnt9

-----------

client(jedi):

hostname:

jedi

----------

root@jedi:/var/lib/sss/db# klist -c

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

root@jedi:/var/lib/sss/db# klist -c /tmp/krb5ccmachine_NAT.C.EXAMPLE.COM

Ticket cache: FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM

Default principal: JEDI$@NAT.C.EXAMPLE.COM

Valid starting Expires Service principal

08/08/2014 16:06:46 08/09/2014 02:06:46 krbtgt/NAT.C.EXAMPLE.COM@NAT.C.EXAMPLE.COM

renew until 08/09/2014 16:06:46

08/08/2014 16:06:46 08/09/2014 02:06:46 nfs/jota.nat.c.example.com@NAT.C.EXAMPLE.COM

renew until 08/09/2014 16:06:46

root@jedi:/var/lib/sss/db# klist -ce /tmp/krb5ccmachine_NAT.C.EXAMPLE.COM

Ticket cache: FILE:/tmp/krb5ccmachine_NAT.C.EXAMPLE.COM

Default principal: JEDI$@NAT.C.EXAMPLE.COM

Valid starting Expires Service principal

08/08/2014 16:06:46 08/09/2014 02:06:46 krbtgt/NAT.C.EXAMPLE.COM@NAT.C.EXAMPLE.COM

renew until 08/09/2014 16:06:46, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

08/08/2014 16:06:46 08/09/2014 02:06:46 nfs/jota.nat.c.example.com@NAT.C.EXAMPLE.COM

renew until 08/09/2014 16:06:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

------------

root@jedi:/etc# klist -ek

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

6 host/jedi.nat.c.example.com@NAT.C.EXAMPLE.COM (des-cbc-crc)

6 host/jedi.nat.c.example.com@NAT.C.EXAMPLE.COM (des-cbc-md5)

6 host/jedi.nat.c.example.com@NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)

6 host/jedi.nat.c.example.com@NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)

6 host/jedi.nat.c.example.com@NAT.C.EXAMPLE.COM (arcfour-hmac)

6 host/JEDI@NAT.C.EXAMPLE.COM (des-cbc-crc)

6 host/JEDI@NAT.C.EXAMPLE.COM (des-cbc-md5)

6 host/JEDI@NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)

6 host/JEDI@NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)

6 host/JEDI@NAT.C.EXAMPLE.COM (arcfour-hmac)

6 JEDI$@NAT.C.EXAMPLE.COM (des-cbc-crc)

6 JEDI$@NAT.C.EXAMPLE.COM (des-cbc-md5)

6 JEDI$@NAT.C.EXAMPLE.COM (aes128-cts-hmac-sha1-96)

6 JEDI$@NAT.C.EXAMPLE.COM (aes256-cts-hmac-sha1-96)

6 JEDI$@NAT.C.EXAMPLE.COM (arcfour-hmac)

-------------------------

Server (jota):

---------------------

hostname:

jota.nat.c.example.com

-------

root@jota:/home/alongina# klist -ke

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

4 nfs/jota.nat.c.sdu.dk@NAT.C.SDU.DK (des-cbc-crc)

4 nfs/jota.nat.c.sdu.dk@NAT.C.SDU.DK (des-cbc-md5)

4 nfs/jota.nat.c.sdu.dk@NAT.C.SDU.DK (arcfour-hmac)

4 nfs/jota.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)

4 nfs/jota.nat.c.sdu.dk@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)

4 host/jota.nat.c.sdu.dk@NAT.C.SDU.DK (des-cbc-crc)

4 host/jota.nat.c.sdu.dk@NAT.C.SDU.DK (des-cbc-md5)

4 host/jota.nat.c.sdu.dk@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)

4 host/jota.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)

4 host/jota.nat.c.sdu.dk@NAT.C.SDU.DK (arcfour-hmac)

4 host/JOTA@NAT.C.SDU.DK (des-cbc-crc)

4 host/JOTA@NAT.C.SDU.DK (des-cbc-md5)

4 host/JOTA@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)

4 host/JOTA@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)

4 host/JOTA@NAT.C.SDU.DK (arcfour-hmac)

4 JOTA$@NAT.C.SDU.DK (des-cbc-crc)

4 JOTA$@NAT.C.SDU.DK (des-cbc-md5)

4 JOTA$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)

4 JOTA$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)

4 JOTA$@NAT.C.SDU.DK (arcfour-hmac)

root@jota:/# ps ax | grep rpc

512 ? Ss 0:00 rpcbind

625 ? Ss 0:00 rpc.statd -L

670 ? S< 0:00 [rpciod]

769 ? Ss 0:00 rpc.idmapd

850 ? Ss 0:00 rpc.gssd

2348 ? Ss 0:00 /usr/sbin/rpc.svcgssd -vvvvvvvvvv

2350 ? Ss 0:00 /usr/sbin/rpc.mountd --manage-gids

root@jota:/home/alongina# klist -c

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

--------------

root@jota:/home/alongina# cat /etc/exports

/nfs *(rw,crossmnt,no_subtree_check,sec=krb5:krb5p:krb5i)

----------------

root@jota:/home/alongina# kinit -k JOTA\$@NAT.C.EXAMPLE.COM

---------------

root@jota:/home/alongina# klist -c

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: JOTA$@NAT.C.EXAMPLE.COM

Valid starting Expires Service principal

08/08/14 16:36:44 09/08/14 02:36:44 krbtgt/NAT.C.EXAMPLE.COM@NAT.C.EXAMPLE.COM

renew until 09/08/14 16:36:44

/var/log/syslog (rpc.svcgssd)

Aug 8 16:34:56 jota rpc.svcgssd[2348]: finished handling null request

Aug 8 16:34:56 jota rpc.svcgssd[2348]: entering poll

Aug 8 16:34:56 jota rpc.svcgssd[2348]: leaving poll

Aug 8 16:34:56 jota rpc.svcgssd[2348]: handling null request

Aug 8 16:34:56 jota rpc.svcgssd[2348]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel

Aug 8 16:34:56 jota rpc.svcgssd[2348]: WARNING: gss_accept_sec_context failed

Aug 8 16:34:56 jota rpc.svcgssd[2348]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request

Aug 8 16:34:56 jota rpc.svcgssd[2348]: sending null reply

Mange hilsner

Longina