Hi all,
I've been struggling to get NFS4 to work with my MIT Kerberos 5 infrastructure. I have a server and client with CentOS 4.4. I'm using LDAP (Fedora Directory Server 1.4) for my POSIX accounts and KRB5 for the authentication. I am able to get the NFS mounts to work when Kerberos is not enabled.
The error from the mount command # mount -t nfs4 -o sec=krb5 mynfsserver:/ /home/NFS4 is:
Warning: rpc.gssd appears not to be running.
mount: block device mynfsserver:/ is write-protected, mounting read-only
mount: cannot mount block device mynfsserver:/ read-only
When I run rpc.gssd -f vvvvvvv from the client, the error I'm seeing is:
WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server mynfsserver.mydomain.com
On the server, in /var/log/messages:
mountd[2517]: mount request from unknown host myclientipaddress for /home/NFS4 (/home/NFS4)
I've got portmap, rpcidmapd, nfs, rpcgssd, and rpcsvcgssd services running on both client and server (but I'm not sure all are required on both).
I have created a host and nfs principal and have ktadded them to both the client and server:
#ktlist -k /etc/krb5.keytab
server:
nfs/[email protected]
host/[email protected]
client:
nfs/[email protected]
host/[email protected]
note: mydomain.com = MYREALM.COM (but realm is all uppercase)
I only found one other post referencing this, but it recommended the error be in the /etc/krb5.conf. I have:
.mydomain.com = MYREALM.COM
mydomain.com = MYREALM.COM
.mydomain.com = myrealm.com
I've also turned off nfslock and iptables services (latter for testing).
nfs server:
-----------
/etc/exports:
    /home/NFS4 gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/etc/fstab:
    /dev/VolGroup00/LogVol02 /home ext3 rw,acl 1 2
/etc/sysconfig/nfs:
    SECURE_NFS=yes
    RPCNFSDCOUNT=8
/etc/idmapd.conf:
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = mydomain.com
    Nobody-User = nfsnobody
    Nobody-Group = nfsnobody
    Method = nsswitch
nfs client:
-----------
/etc/sysconfig/nfs:
    SECURE_NFS=yes
    RPCNFSDCOUNT=8
/etc/idmapd.conf:
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = mydomain.com
    Nobody-User = nfsnobody
    Nobody-Group = nfsnobody
    Method = nsswitch
Can anyone please point me in the correct direction?
Many thanks!
Jonathan
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs
Sorry, I noticed a typo, the client kerberos keyfile has:
client:
nfs/[email protected]
host/[email protected]
Jonathan
----- Original Message ----
From: Jonathan Schreiter <[email protected]>
To: [email protected]
Sent: Wednesday, March 14, 2007 11:15:05 PM
Subject: [NFS] nfs4 with kerberos troubles
On 3/14/07, Jonathan Schreiter <[email protected]> wrote:
> Hi all,
> I've been struggling to get NFS4 to work with my MIT Kerberos 5 infrastructure. I have a server and client with CentOS 4.4. I'm using LDAP (Fedora Directory Server 1.4) for my POSIX accounts and KRB5 for the authentication. I am able to get the NFS mounts to work when Kerberos is not enabled.
>
>
> On the server, in /var/log/messages:
> mountd[2517]: mount request from unknown host myclientipaddress for /home/NFS4 (/home/NFS4)
I think it may be a dns issue, but I'm not sure why you wouldn't see
the error w/o Kerberos. What does your /etc/exports look like on the
server? Can you do a reverse dns lookup of the client's IP from the
server machine?
> I only found one other post referencing this, but it recommended the error be in
> the /etc/krb5.conf. I have:
> .mydomain.com = MYREALM.COM
> mydomain.com = MYREALM.COM
> .mydomain.com = myrealm.com
You don't want that last line. The first two are correct.
K.C.
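The check implied by the reply above for the quoted [domain_realm] lines, as an added example that is not part of the original thread: it flags a realm value that is not all uppercase and a domain that is mapped twice. It assumes, as the original post notes, that the real realm name is all uppercase; the function names and the sample file are constructed for illustration.

```shell
# Constructed sample: a krb5.conf fragment with the three mappings from the post.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = MYREALM.COM

[domain_realm]
    .mydomain.com = MYREALM.COM
    mydomain.com = MYREALM.COM
    .mydomain.com = myrealm.com
EOF
}

# Lint the [domain_realm] section of a krb5.conf-style file (or stdin).
# Prints one finding per line; returns 1 if anything was flagged.
lint_domain_realm() {
    awk '
        /^[ \t]*\[/ {                 # section header, e.g. [domain_realm]
            in_sec = ($0 ~ /^[ \t]*\[domain_realm\][ \t]*$/)
            next
        }
        !in_sec { next }              # ignore every other section
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }   # blanks and comments
        {
            split($0, kv, "=")
            dom = kv[1]; realm = kv[2]
            gsub(/[ \t]/, "", dom); gsub(/[ \t]/, "", realm)
            # Realm names are case sensitive, so a lowercase value names
            # a different realm than the uppercase one the KDC serves.
            if (realm != toupper(realm)) {
                printf "line %d: realm \"%s\" is not uppercase (domain %s)\n", NR, realm, dom
                bad = 1
            }
            # The same domain key mapped twice is ambiguous.
            if (dom in seen) {
                printf "line %d: domain %s already mapped on line %d\n", NR, dom, seen[dom]
                bad = 1
            } else {
                seen[dom] = NR
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

sample_krb5_conf | lint_domain_realm || true
```

On a real host the function would be pointed at /etc/krb5.conf on both the client and the server.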
On 3/15/07, Kevin Coffman <[email protected]> wrote:
> On 3/14/07, Jonathan Schreiter <[email protected]> wrote:
> > On the server, in /var/log/messages:
> > mountd[2517]: mount request from unknown host myclientipaddress for /home/NFS4 (/home/NFS4)
>
> I think it may be a dns issue, but I'm not sure why you wouldn't see
> the error w/o Kerberos. What does your /etc/exports look like on the
> server? Can you do a reverse dns lookup of the client's IP from the
> server machine?
Sorry, I know you had the /etc/exports in the original message. I
meant to remove that before sending the message :-/
Hi Kevin,
I am able to forward and reverse lookup the server and client via DNS from both machines. The only change required from my setup to make this work is to replace the gss/krb with * in the /etc/exports file (and a service nfs restart on the nfsserver).
Any other thoughts?
Thanks!
Jonathan
----- Original Message ----
From: Kevin Coffman <[email protected]>
To: Jonathan Schreiter <[email protected]>
Cc: [email protected]
Sent: Thursday, March 15, 2007 10:06:29 AM
Subject: Re: [NFS] nfs4 with kerberos troubles
I've not ever seen this error personally. I'm still stumped on why
you only see it with Kerberos.
What kernel and nfs-utils versions are involved here?
it's centos 4.4 (rhel 4) and
kernel: 2.6.9-42.0.3.EL
nfs-utils-lib-1.0.6-3
nfs-utils-1.0.6-70.EL4
----- Original Message ----
From: Kevin Coffman <[email protected]>
To: Jonathan Schreiter <[email protected]>
Cc: [email protected]
Sent: Thursday, March 15, 2007 6:32:52 PM
Subject: Re: [NFS] nfs4 with kerberos troubles