NFS + Kerberos can't mount
fernando at lozano.eti.br
Thu Oct 6 21:11:28 UTC 2011
Hi there,
Here I am again with a problem mounting a remote NFS share using NFS. The
server is Debian but the client is Fedora 15. It used to work using Fedora
14 but after a F15 fresh install I can't mount the remote share. My F15 box
has all updates so far.
I do have connectivity to the Kerberos server because kinit my_principal
works fine:
[teste at lgx200 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: my_principal at USERS
Valid starting     Expires            Service principal
10/06/11 16:23:35  10/07/11 16:23:12  krbtgt/USERS at USERS
        renew until 10/13/11 16:23:12
The host certificate (/etc/krb5.keytab) also looks fine:
[teste at lgx200 ~]$ klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br at USERS
[teste at lgx200 ~]$ klist -k -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br at USERS (des-cbc-crc)
I start rpcgssd (with -vvv) and rpcidmapd:
[root at lgx200 ~]# ps ax | grep rpc
1066 ? S< 0:00 [rpciod]
2878 ? Ss 0:00 rpc.idmapd
3747 ? Ss 0:00 rpc.gssd -v -v -v
3847 pts/0 S+ 0:00 grep --color=auto rpc
but when I try to mount:
mount -t nfs -o sec=krb5 192.168.0.3:/FILES /media/FILES
mount.nfs: access denied by server while mounting 192.168.0.3:/FILES
/var/log/messages shows:
Oct 6 17:56:16 lgx200 rpc.gssd[3747]: beginning poll
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c4fc data 0xbfe6c57c
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c3ec data 0xbfe6c46c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6faec data 0xbfe6fb6c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: process_krb5_upcall: service is ''
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: Full hostname for 'filesystem.example.com.br' is 'filesystem.example.com.br'
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: No credentials found for connection to server filesystem.4linux.com.br
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: doing error downcall
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt9
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8
It looks like F15 doesn't like the keytab file that used to work on the
same machine using F14.
/etc/sysconfig/nfs has:
SECURE_NFS="yes"
And /etc/krb5.conf has:
[libdefaults]
default_realm = USERS
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
As I said, it used to work, and I could not find a clue about what to change on
Google.
[]s, Fernando Lozano