List: linux-nfsv4
Subject: Help needed on Kerberos and NFS 4 - for article in Linux Magazine
From: Markus Feilner <lists () feilner-it ! net>
Date: 2008-09-12 9:59:57
Message-ID: 200809120959.57632.lists () feilner-it ! net
Hello List,
I am an editor at the German Linux Magazine and, together with a colleague, I
am trying to get NFS4 running with Kerberos support. We have set up a KDC and
the NFS server and client on Ubuntu, but we are constantly running into
problems.
The article will be on performance tests of NFSv4, but at the moment we are
stuck in the middle because the Kerberos setup fails.
We have successfully installed and configured Kerberos and NFS4, the kernel
supports it, and modules load fine.
A first principal has been generated, and a TGT for the user is created,
machine credentials and keys have been created and placed on the servers.
The keytab files look fine, and the NFS config looks like this:
#######
Server:
/etc/default/nfs-common:
NEED_IDMAPD=yes
/etc/default/nfs-kernel-server:
NEED_SVCGSSD=yes
#######
Client:
/etc/default/nfs-common:
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
Server:
/etc/exports:
/export gss/krb5(rw,fsid=0,insecure, \
no_subtree_check,async,anonuid=65534,anongid=65534)
#####
However, a mount command like this fails:
root@lab5:~# mount -t nfs4 -o sec=krb5,proto=tcp,port=2049 lab8.linux-magazin.de:/ /mnt
mount.nfs4: access denied by server while mounting lab8.linux-magazin.de:/
and we still get the following error messages:
Sep 10 11:21:16 lab5 rpc.gssd[4514]: handling krb5 upcall
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Full hostname for 'lab8.linux-magazin.de'
is 'lab8.linux-magazin.de'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Full hostname for 'lab5.linux-magazin.de'
is 'lab5.linux-magazin.de'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting
keytab entry for 'root/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting
keytab entry for 'nfs/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting
keytab entry for 'host/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Success getting keytab entry for
nfs/*@LINUX-MAGAZIN.DE
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Successfully obtained machine credentials
for principal 'nfs/lab8.linux-magazin.de@LINUX-MAGAZIN.DE' stored in
ccache 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: INFO: Credentials in
CC 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE' are good until 1221074476
Sep 10 11:21:16 lab5 rpc.gssd[4514]: using
FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE as credentials cache for machine
creds
Sep 10 11:21:16 lab5 rpc.gssd[4514]: using environment variable to select krb5
ccache FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating context using fsuid 0 (save_uid
0)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating tcp client for server
lab8.linux-magazin.de
Sep 10 11:21:16 lab5 rpc.gssd[4514]: creating context with server
nfs@lab8.linux-magazin.de
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_create_default()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_create()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: authgss_create: name is 0x805a190
Sep 10 11:21:16 lab5 rpc.gssd[4514]: authgss_create: gd->name is 0x80590f0
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_refresh()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: struct rpc_gss_sec:
Sep 10 11:21:16 lab5 rpc.gssd[4514]: mechanism_OID: { 1 2 134 72 134 247
18 1 2 2 }
Sep 10 11:21:16 lab5 rpc.gssd[4514]: qop: 0
Sep 10 11:21:16 lab5 rpc.gssd[4514]: service: 1
Sep 10 11:21:16 lab5 rpc.gssd[4514]: cred: 0x805b070
Sep 10 11:21:16 lab5 rpc.gssd[4514]: req_flags: 00000002
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_marshal()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_buf: encode success ((nil):0)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_cred: encode success (v 1,
proc 1, seq 0, svc 1, ctx (nil):0)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: in authgss_wrap()
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_buf: encode success
(0x806c068:529)
Sep 10 11:21:16 lab5 rpc.gssd[4514]: xdr_rpc_gss_init_args: encode success
(token 0x806c068:529)
Sep 10 11:21:41 lab5 rpc.gssd[4514]: authgss_create_default: freeing name
0x805a190
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context
for user with uid 0 for server lab8.linux-magazin.de
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context
for user with uid 0 with credentials cache
FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE for server lab8.linux-magazin.de
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context
for user with uid 0 with any credentials cache for server
lab8.linux-magazin.de
Sep 10 11:21:41 lab5 rpc.gssd[4514]: doing error downcall
Sep 10 11:21:41 lab5 rpc.gssd[4514]: Failed to write error downcall!
Sep 10 11:21:41 lab5 rpc.gssd[4514]: destroying client clnt1
Sep 10 11:21:41 lab5 rpc.gssd[4514]: destroying client clnt0
===============================================================================
What did we miss? Anything obvious?
Please help, and feel free to send me a PM to mfeilner@linuxnewmedia.de
I can provide more information if you need it.
Thanks a lot in advance!
--
Best Regards - Mit freundlichen Gruessen
Markus Feilner
-------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Koetztingerstr 6c 93057 Regensburg
Telefon: +49 941 8 10 79 89
Mobil: +49 170 3 02 70 92
WWW: www.feilner-it.net mail: mfeilner@feilner-it.net
--------------------------------------
OPENVPN : Building and Integrating Virtual Private Networks
http://www.packtpub.com/openvpn/book
SCALIX Linux Administrator's Guide
My new book - Out now: http://www.packtpub.com/scalix/book
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
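
A triage sketch for the rpc.gssd log quoted in the message above, added here and not part of the original post: it collects the keytab lookups that missed, the principal the machine credentials were finally obtained for, and the wait before the context failure, and flags the case where that principal names a host other than the one writing the log. The function names and the re-joined sample lines are constructed for this example.

```python
import re

# Constructed sample: rpc.gssd records from the message above, re-joined so
# that each syslog record sits on one line.
SAMPLE_LOG = """\
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'root/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'nfs/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Key table entry not found while getting keytab entry for 'host/lab5.linux-magazin.de@LINUX-MAGAZIN.DE'
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Success getting keytab entry for nfs/*@LINUX-MAGAZIN.DE
Sep 10 11:21:16 lab5 rpc.gssd[4514]: Successfully obtained machine credentials for principal 'nfs/lab8.linux-magazin.de@LINUX-MAGAZIN.DE' stored in ccache 'FILE:/tmp/krb5cc_machine_LINUX-MAGAZIN.DE'
Sep 10 11:21:41 lab5 rpc.gssd[4514]: WARNING: Failed to create krb5 context for user with uid 0 for server lab8.linux-magazin.de
"""

RECORD = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) (\S+) rpc\.gssd\[\d+\]: (.*)$")
MISS = re.compile(r"Key table entry not found while getting keytab entry for '([^']+)'")
CRED = re.compile(r"Successfully obtained machine credentials for principal '([^']+)'")
FAIL = re.compile(r"WARNING: Failed to create krb5 context")

def principal_host(principal):
    """Return the short host name from a service/host@REALM principal."""
    return principal.split("/", 1)[1].rsplit("@", 1)[0].split(".")[0]

def triage(log_text):
    """Summarise one rpc.gssd upcall; flag machine creds that name another host."""
    out = {"client": None, "misses": [], "machine_principal": None,
           "failures": 0, "stall_seconds": 0, "foreign_principal": False}
    first = None
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # not an rpc.gssd syslog record
        h, m, s, host, msg = rec.groups()
        now = int(h) * 3600 + int(m) * 60 + int(s)
        first = now if first is None else first
        out["client"] = host.split(".")[0]
        if (hit := MISS.search(msg)):
            out["misses"].append(hit.group(1))
        elif (hit := CRED.search(msg)):
            out["machine_principal"] = hit.group(1)
        elif FAIL.search(msg):
            out["failures"] += 1
            out["stall_seconds"] = now - first  # seconds from first record to failure
    if out["machine_principal"]:
        out["foreign_principal"] = principal_host(out["machine_principal"]) != out["client"]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted log this reports three missed lookups for lab5 principals, machine credentials obtained for nfs/lab8.linux-magazin.de, and 25 seconds between the first record and the failure warning. Comparing the result with `klist -k` output for the client's keytab is the natural follow-up check.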