nfs4 client with kerberos

fernando at lozano.eti.br fernando at lozano.eti.br
Thu Apr 7 16:24:18 UTC 2011


Hi there,

I need to use OpenVPN to get to the company LAN and mount a NFS share. We
use NFS to secure access to NFS. I can connect to the VPN and access web
and ssh servers. Kinit to my own principal works fine. But root cannot get
a valid kerberos ticket to mount NFS shares. I already tried doing the same
on the local net (no VPN involved) with same results, and tried disabling
SELinux and flushing iptables rules to no effect.

Another notebook works fine and it looks to me both have the same settings,
except one has F13 (the one that works) and the other has F14 (the one that
doesn't).

I added -v -v to rpcgssd and the logs show that:

Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5 uid=0
enctypes=18,17,16,23,3,1,2 '
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is ''
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not found
while getting initial ticket for principal 'nfs/lg.example.com@USERS' using
keytab 'WRFILE:/etc/krb5.keytab'
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for
connection to server filesystem.example.com
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall

[all output was edited to change my employee dns domain name to example.com]

But the correct ticket (certificate?) is on the keytab, as shown by klist:

[root@lg etc]# hostname
lg

[root@lg etc]# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS

Any idea why one notebook can mount and authenticate root/the computer itself
using kerberos, but the other, older Fedora can't, using the same configs?

I already tried moving the certificate from one computer to the other (and
of course changing the hostname) and requesting a new certificate from the
company sysadmin. Same results. I guess it should be something local to the
netbook, like name resolution, but all network settings are the same for
both notebooks. One works, the other doesn't, whatever keytab I use.
[]s, Fernando Lozano
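The rpc.gssd output above shows two things a client-side check can compare: the encryption types gssd advertises in its upcall (`enctypes=18,17,16,23,3,1,2`) and the principal it looks for in the keytab (`nfs/<fqdn>@REALM`). The script below is an added diagnostic, not code from the post or from nfs-utils: it parses that upcall line and the output of `klist -ke` (which, unlike `klist -k`, also prints each entry's enctype), then reports whether the keytab holds an entry for the expected principal with an enctype gssd will accept. The log line and keytab listing embedded in it are constructed samples in the same shape as the post's output; the hostname, realm and enctype names are assumptions for illustration.

```python
"""Check an NFS client keytab against what rpc.gssd asked for.

Added example (not from the mailing-list post): parses the enctype list
rpc.gssd prints in its 'handle_gssd_upcall' line and the output of
`klist -ke`, then checks that the keytab holds an nfs/<fqdn>@REALM entry
whose encryption type gssd will accept.  Sample inputs are embedded so it
runs offline; on a real client feed it the actual log line and klist output.
"""
import re

# Kerberos enctype numbers (RFC 3961 / RFC 4120) for the ids gssd listed.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
NAME_TO_ID = {name: num for num, name in ENCTYPE_NAMES.items()}

# Constructed log line, same shape as the rpc.gssd -v -v output in the post.
GSSD_UPCALL = ("Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: "
               "'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '")

# Constructed `klist -ke` output for a hypothetical keytab.
KLIST_KE = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (aes256-cts-hmac-sha1-96)
   2 nfs/lg.example.com@USERS (arcfour-hmac)
"""

KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_gssd_enctypes(line):
    """Return the set of enctype ids from a handle_gssd_upcall log line."""
    m = re.search(r"enctypes=([\d,]+)", line)
    if not m:
        return set()
    return {int(x) for x in m.group(1).split(",") if x}


def parse_klist_ke(text):
    """Return (kvno, principal, enctype_name) for each `klist -ke` entry."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(entries, fqdn, realm, allowed_ids, service="nfs"):
    """Report whether the keytab can back a GSS context for this host.

    entries     -- output of parse_klist_ke()
    fqdn        -- name the client authenticates as (what `hostname -f` gives)
    realm       -- Kerberos realm of the host principal
    allowed_ids -- enctype numbers rpc.gssd advertised in its upcall
    """
    wanted = f"{service}/{fqdn}@{realm}"
    matching = [e for e in entries if e[1] == wanted]
    usable, rejected = [], []
    for _kvno, _princ, enc_name in matching:
        # Unknown enctype names map to None, which is never in allowed_ids.
        if NAME_TO_ID.get(enc_name) in allowed_ids:
            usable.append(enc_name)
        else:
            rejected.append(enc_name)
    return {
        "principal": wanted,
        "present": bool(matching),
        "kvnos": sorted({e[0] for e in matching}),
        "usable_enctypes": usable,
        "rejected_enctypes": rejected,
        # Other principals in the keytab; a short hostname or a different
        # realm here means the keytab was cut for a name the client is not using.
        "other_principals": sorted({e[1] for e in entries if e[1] != wanted}),
    }


def report(result):
    """One line per finding, for reading alongside the gssd log."""
    lines = [f"principal {result['principal']}: "
             + ("present" if result["present"] else "MISSING")]
    if result["usable_enctypes"]:
        lines.append("usable enctypes: " + ", ".join(result["usable_enctypes"]))
    if result["rejected_enctypes"]:
        lines.append("enctypes gssd will not use: "
                     + ", ".join(result["rejected_enctypes"]))
    if not result["present"] and result["other_principals"]:
        lines.append("keytab instead holds: "
                     + ", ".join(result["other_principals"]))
    return "\n".join(lines)


if __name__ == "__main__":
    allowed = parse_gssd_enctypes(GSSD_UPCALL)
    entries = parse_klist_ke(KLIST_KE)
    # Fully qualified name: matches the keytab entry.
    print(report(check_keytab(entries, "lg.example.com", "USERS", allowed)))
    # Short name only: the nfs/lg@USERS principal is not in the keytab.
    print(report(check_keytab(entries, "lg", "USERS", allowed)))
```

Run it against real data by replacing `GSSD_UPCALL` with the `handle_gssd_upcall` line from syslog and `KLIST_KE` with `klist -ke` output, and pass the name returned by `hostname -f` as `fqdn`. The two things worth confirming are that the principal string gssd names in its WARNING line is exactly the one in the keytab, and that at least one keytab entry for it uses an enctype gssd listed; a keytab entry that is present but only in an enctype outside that list shows up in `rejected_enctypes`.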
