NFS + Kerberos can't mount

fernando at lozano.eti.br fernando at lozano.eti.br
Thu Oct 6 21:11:28 UTC 2011


Hi there,

Here I am again with a problem mounting a remote NFS share using NFS. The
server is Debian but the client is Fedora 15. It used to work using Fedora
14, but after a fresh F15 install I can't mount the remote share. My F15 box
has all updates so far.

I do have connectivity to the kerberos server because kinit my_principal
works fine:

[teste at lgx200 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: my_principal at USERS

Valid starting     Expires            Service principal
10/06/11 16:23:35  10/07/11 16:23:12  krbtgt/USERS at USERS
    renew until 10/13/11 16:23:12

The host certificate (/etc/krb5.keytab) also looks fine:

[teste at lgx200 ~]$ klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br at USERS
[teste at lgx200 ~]$ klist -k -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br at USERS (des-cbc-crc) 

I start rpcgssd (with -vvv) and rpcidmapd

[root at lgx200 ~]# ps ax | grep rpc
 1066 ?        S<     0:00 [rpciod]
 2878 ?        Ss     0:00 rpc.idmapd
 3747 ?        Ss     0:00 rpc.gssd -v -v -v
 3847 pts/0    S+     0:00 grep --color=auto rpc

but when I try to mount:

mount -t nfs -o sec=krb5 192.168.0.3:/FILES /media/FILES
mount.nfs: access denied by server while mounting 192.168.0.3:/FILES

/var/log/messages shows:

Oct  6 17:56:16 lgx200 rpc.gssd[3747]: beginning poll
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c4fc data 0xbfe6c57c
Oct  6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c3ec data 0xbfe6c46c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6faec data 0xbfe6fb6c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: process_krb5_upcall: service is ''
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Full hostname for 'filesystem.example.com.br' is 'filesystem.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: No credentials found for connection to server filesystem.4linux.com.br
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: doing error downcall
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt9
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8

It looks like F15 doesn't like the keytab file that used to work on the
same machine using F14.

/etc/sysconfig/nfs has:

SECURE_NFS="yes"

And /etc/krb5.conf has:

[libdefaults]
 default_realm = USERS
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

As I said, it used to work, and I could not find a clue about what to change on
Google.
[]s, Fernando Lozano
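
A triage sketch for the rpc.gssd output and keytab listing in the post above, as an added example that is not part of the original message: it reports the hostname rpc.gssd could not resolve, the keytab lookup error, and keytab principals that hold only single-DES keys. The function names, finding labels and sample inputs are constructed here from the lines in the post (log lines unwrapped, the archive's " at " written as "@").

```python
import re

# Kerberos enctype numbers (IANA) for the names that `klist -k -e` prints.
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
            "des3-cbc-sha1": 16, "aes128-cts-hmac-sha1-96": 17,
            "aes256-cts-hmac-sha1-96": 18, "arcfour-hmac": 23}
WEAK = {1, 2, 3}  # single-DES; MIT krb5 accepts these only with allow_weak_crypto

# Constructed samples based on the post.
SAMPLE_LOG = """\
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct  6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.example.com.br
"""
SAMPLE_KLIST = """\
KVNO Principal
---- ---------
   2 nfs/lgx200.example.com.br@USERS (des-cbc-crc)
"""

def parse_keytab(klist_output):
    """Return {principal: set of enctype numbers} from `klist -k -e` text."""
    entries = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)", klist_output, re.M):
        entries.setdefault(m.group(1), set()).add(ENCTYPES.get(m.group(2), -1))
    return entries

def triage(gssd_log, klist_output):
    """Return sorted findings for one failed sec=krb5 mount attempt."""
    findings = []
    m = re.search(r"enctypes=([\d,]+)", gssd_log)
    offered = {int(n) for n in m.group(1).split(",")} if m else set()
    for host in re.findall(r"Name or service not known while getting full "
                           r"hostname for '([^']+)'", gssd_log):
        findings.append(f"unresolvable-hostname:{host}")
    if "no usable keytab entry found" in gssd_log:
        findings.append("no-usable-keytab-entry")
    for princ, etypes in parse_keytab(klist_output).items():
        if etypes <= WEAK:  # every key for this principal is single-DES
            findings.append(f"weak-only-keytab:{princ}")
        if offered and not (etypes & offered):  # kernel offered none of them
            findings.append(f"enctype-mismatch:{princ}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_KLIST):
        print(finding)
```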

