nfs4 client with kerberos

Nalin Dahyabhai nalin at redhat.com
Thu Apr 7 19:27:53 UTC 2011


On Thu, Apr 07, 2011 at 01:24:18PM -0300, fernando at lozano.eti.br wrote:
>    Hi there,
>    I need to use OpenVPN to get to the company LAN and mount a NFS share.
>    We use NFS to secure access to NFS. I can connect to the VPN and access
>    web and ssh servers. Kinit to my own principal works fine. But root
>    cannot get a valid kerberos ticket to mount NFS shares. I already tried
>    doing the same on the local net (no VPN involved) with same results,
>    and tried disabling SELinux and flushing iptables rules to no effect.
>    Another notebook works fine and it looks to me both have the same
>    settings, except one has F13 (the one that works) and the other has F14
>    (the one that doesn't).
>    I added -v -v to rpcgssd and the logs show that:
>    Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall
>    (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
>    Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5
>    uid=0 enctypes=18,17,16,23,3,1,2 '
>    Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall
>    (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
>    Apr  7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is
>    '<null>'
>    Apr  7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not
>    found while getting initial ticket for principal
>    'nfs/lg.example.com@USERS' using keytab 'WRFILE:/etc/krb5.keytab'
>    Apr  7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for
>    connection to server filesystem.example.com
>    Apr  7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall
>    [all output was edited to change my employer's dns domain name to
>    example.com]
>    But the correct ticket (certificate?) is on the keytab, as shown by
>    klist:
>    [root@lg etc]# hostname
>    lg
>    [root@lg etc]# klist -k
>    Keytab name: WRFILE:/etc/krb5.keytab
>    KVNO Principal
>    ---- --------------------------------------------------------------------------
>       2 nfs/lg.example.com@USERS
>    Any idea why one notebook can mount and authenticate root/the computer
>    itself using kerberos, but the other, older Fedora can't, using the
>    same configs?

Use "klist -k -e" to check the type of key you have.  If it's DES, and
you don't have "allow_weak_crypto" enabled in the [libdefaults] section
of your /etc/krb5.conf, the key will be skipped over.

This is something that changed between the versions included in F13 and
F14, so from what I can tell, it fits.

HTH,

Nalin

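The check Nalin describes, written out as a small shell script. This is an added example, not part of the original thread and not code from krb5 or nfs-utils: it takes the text of `klist -k -e` and of krb5.conf, counts how many keys for the nfs/ principal are single DES versus anything else, and reports whether libkrb5 will skip them because allow_weak_crypto is not enabled in [libdefaults]. The klist and krb5.conf samples are constructed for the example (the principal name is the poster's, the enctype lines are made up), and the function names key_counts, weak_crypto_allowed and diagnose are ours.

```sh
#!/bin/sh
# Added example: decide whether the keys in a keytab will be skipped by
# libkrb5 because they are single-DES and allow_weak_crypto is off.
# All input below is constructed sample text, not output from the
# poster's machine; the function names are ours, not krb5's.

# Constructed `klist -k -e` output: the nfs/ principal with single-DES keys
# only, one in the long enctype spelling older MIT klist printed and one in
# the short spelling newer klist prints.
SAMPLE_KLIST_DES='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (DES cbc mode with CRC-32)
   2 nfs/lg.example.com@USERS (des-cbc-md5)'

# Same principal with an AES key beside a DES key, plus an unrelated host/
# principal: usable without allow_weak_crypto, since one key is strong.
SAMPLE_KLIST_MIXED='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (aes256-cts-hmac-sha1-96)
   2 nfs/lg.example.com@USERS (des-cbc-crc)
   3 host/lg.example.com@USERS (des3-cbc-sha1)'

# Constructed krb5.conf fragments without and with the knob.
SAMPLE_KRB5CONF_OFF='[libdefaults]
 default_realm = USERS
 dns_lookup_realm = false'

SAMPLE_KRB5CONF_ON='[libdefaults]
 default_realm = USERS
 allow_weak_crypto = true'

# Read `klist -k -e` text on stdin; print "<total> <des> <other>" for the
# keys of principal $1 (all principals when $1 is empty).  Single DES is an
# enctype name starting "des-" or "des " (des-cbc-crc, des-cbc-md4,
# des-cbc-md5: enctype ids 1, 2 and 3, the trailing ids in the poster's
# rpc.gssd upcall).  des3-cbc-sha1 is triple DES, which allow_weak_crypto
# does not govern, so it counts as "other".
key_counts() {
  awk -v princ="$1" '
    $1 ~ /^[0-9]+$/ && (princ == "" || $2 == princ) {
      total++
      et = tolower($0)
      sub(/.*\(/, "", et); sub(/\).*/, "", et)   # enctype name inside ()
      if (et ~ /^des[- ]/) des++; else other++
    }
    END { printf "%d %d %d\n", total + 0, des + 0, other + 0 }'
}

# Read krb5.conf text on stdin; succeed iff allow_weak_crypto is turned on
# inside the [libdefaults] section (the same key in other sections is ignored).
weak_crypto_allowed() {
  awk '
    /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_libdefaults && /^[ \t]*allow_weak_crypto[ \t]*=/ {
      v = tolower($0); sub(/.*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
      if (v == "true" || v == "yes" || v == "1" || v == "on") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# diagnose KLIST_TEXT KRB5CONF_TEXT PRINCIPAL
#   returns 0 when a usable key exists, 1 when only DES keys exist and
#   allow_weak_crypto is off (the thread's case), 2 when the principal is
#   not in the keytab at all.
diagnose() {
  klist_text=$1; conf_text=$2; princ=$3
  counts=$(printf '%s\n' "$klist_text" | key_counts "$princ")
  total=${counts%% *}; rest=${counts#* }
  des=${rest%% *}; other=${rest#* }
  if [ "$total" -eq 0 ]; then
    echo "no key for $princ in keytab"; return 2
  fi
  if [ "$other" -gt 0 ]; then
    echo "ok: $other non-DES key(s) for $princ"; return 0
  fi
  if printf '%s\n' "$conf_text" | weak_crypto_allowed; then
    echo "ok: only DES keys for $princ, but allow_weak_crypto is enabled"; return 0
  fi
  echo "problem: only DES keys for $princ and allow_weak_crypto is not set in [libdefaults]; libkrb5 will skip them"
  return 1
}

# Stand-alone run over the constructed samples.
diagnose "$SAMPLE_KLIST_DES"   "$SAMPLE_KRB5CONF_OFF" nfs/lg.example.com@USERS || true
diagnose "$SAMPLE_KLIST_DES"   "$SAMPLE_KRB5CONF_ON"  nfs/lg.example.com@USERS || true
diagnose "$SAMPLE_KLIST_MIXED" "$SAMPLE_KRB5CONF_OFF" nfs/lg.example.com@USERS || true
```

On a real client the same two functions run against live data: `klist -k -e | key_counts "nfs/$(hostname -f)@REALM"` and `weak_crypto_allowed < /etc/krb5.conf`. Note that the poster's `klist -k` (without -e) shows the principal and KVNO but not the enctype, which is why the key looked fine to them; only -e reveals that it is DES. The better fix than enabling allow_weak_crypto is to re-key the nfs/ principal with a strong enctype, since the upcall already lists 18 and 17 (AES) as acceptable.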