nfs4 client with kerberos
Nalin Dahyabhai
nalin at redhat.com
Thu Apr 7 19:27:53 UTC 2011
On Thu, Apr 07, 2011 at 01:24:18PM -0300, fernando at lozano.eti.br wrote:
> Hi there,
> I need to use OpenVPN to get to the company LAN and mount an NFS share.
> We use NFS to secure access to NFS. I can connect to the VPN and access
> web and ssh servers. kinit to my own principal works fine. But root
> cannot get a valid kerberos ticket to mount NFS shares. I already tried
> doing the same on the local net (no VPN involved) with the same results,
> and tried disabling SELinux and flushing iptables rules to no effect.
> Another notebook works fine and it looks to me like both have the same
> settings, except one has F13 (the one that works) and the other has F14
> (the one that doesn't).
> I added -v -v to rpcgssd and the logs show that:
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr 7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is '<null>'
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/lg.example.com at USERS' using keytab 'WRFILE:/etc/krb5.keytab'
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for connection to server filesystem.example.com
> Apr 7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall
> [all output was edited to change my employer's DNS domain name to
> example.com]
> But the correct ticket (certificate?) is on the keytab, as shown by
> klist:
> [root at lg etc]# hostname
> lg
> [root at lg etc]# klist -k
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 nfs/lg.example.com at USERS
> Any idea why one notebook can mount and authenticate root/the computer
> itself using kerberos, but the other, older Fedora can't, using the
> same configs?
Use "klist -k -e" to check the type of key you have. If it's DES, and
you don't have "allow_weak_crypto" enabled in the [libdefaults] section
of your /etc/krb5.conf, the key will be skipped over.
This is something that changed between the versions included in F13 and
F14, so from what I can tell, it fits.
HTH,
Nalin
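The check Nalin describes, written out as an added example that is not part of the original thread: it takes the enctypes that "klist -k -e" prints for a keytab and the contents of /etc/krb5.conf, and reports whether gssd will be able to use the nfs/ key or will skip it as weak. The klist output and krb5.conf fragments below are constructed sample data standing in for real command output (the principal is written with a real "@"; the list archive above rewrote it as " at "). The list of enctypes treated as weak (single DES and exportable RC4) is the one MIT krb5 1.8 and later gate behind allow_weak_crypto; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread: given the enctypes that
# "klist -k -e" prints for a keytab and the contents of /etc/krb5.conf, work
# out whether gssd will be able to use the nfs/ key or skip it as weak.
# Both inputs are constructed sample data standing in for real command output.

PRINC='nfs/lg.example.com@USERS'

# Constructed "klist -k -e" output: the principal has only single-DES keys.
KLIST_DES='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (des-cbc-crc)
   2 nfs/lg.example.com@USERS (des-cbc-md5)'

# Constructed output for a keytab that was re-extracted with an AES key as well.
KLIST_AES='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/lg.example.com@USERS (aes256-cts-hmac-sha1-96)
   3 nfs/lg.example.com@USERS (des-cbc-crc)'

# Constructed krb5.conf without allow_weak_crypto, and the same file with it set.
KRB5_CONF='[libdefaults]
 default_realm = USERS
 dns_lookup_kdc = true'
KRB5_CONF_WEAK_OK="$KRB5_CONF
 allow_weak_crypto = true"

# Succeeds if the principal has at least one key whose enctype is not gated by
# allow_weak_crypto (single DES and exportable RC4 are the weak ones in MIT krb5 1.8+).
has_strong_key() { # $1 = klist -k -e output, $2 = principal
    printf '%s\n' "$1" \
        | grep -F "$2" \
        | grep -Ev '\((des-[a-z0-9-]+|arcfour-hmac-exp)\)' \
        | grep -q .
}

# Succeeds if allow_weak_crypto is enabled in the [libdefaults] section.
weak_crypto_allowed() { # $1 = krb5.conf contents
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /\[libdefaults\]/); next }
        insect && tolower($0) ~ /^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|on|1|t|y)[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints one of: usable, usable-weak (DES key accepted only because weak crypto
# is allowed), skipped-weak (the situation in the log above: key present but
# ignored), or missing (no key for the principal at all).
key_status() { # $1 = klist output, $2 = principal, $3 = krb5.conf contents
    if has_strong_key "$1" "$2"; then
        echo usable
    elif printf '%s\n' "$1" | grep -qF "$2" && weak_crypto_allowed "$3"; then
        echo usable-weak
    elif printf '%s\n' "$1" | grep -qF "$2"; then
        echo skipped-weak
    else
        echo missing
    fi
}

# Stand-alone run: report what gssd would do with each combination.
printf 'DES-only keytab, no allow_weak_crypto: %s\n' "$(key_status "$KLIST_DES" "$PRINC" "$KRB5_CONF")"
printf 'DES-only keytab, allow_weak_crypto:    %s\n' "$(key_status "$KLIST_DES" "$PRINC" "$KRB5_CONF_WEAK_OK")"
printf 'AES keytab, no allow_weak_crypto:      %s\n' "$(key_status "$KLIST_AES" "$PRINC" "$KRB5_CONF")"
```

On a real host, feed it `"$(klist -k -e)"` and `"$(cat /etc/krb5.conf)"` instead of the constructed strings. "skipped-weak" is the F14 failure mode: the key is in the keytab, klist -k shows it, but the library never considers it. Of the two fixes, re-extracting the keytab with an AES or 3DES key ("usable") is the one to prefer; setting allow_weak_crypto = true ("usable-weak") re-enables single DES for every consumer of the library on that client, not just NFS.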