From: Kevin Coffman
Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option
Date: Tue, 22 Mar 2005 09:18:13 -0500
Message-ID: <20050322141813.CC1CE1BBA5@citi.umich.edu>
References: <20050322080637.79883.qmail@web51607.mail.yahoo.com>
In-reply-to: <20050322080637.79883.qmail@web51607.mail.yahoo.com>
To: mehta kiran
Cc: nfs@lists.sourceforge.net

I'm happy to hear the normal case is working.

The Kerberos library code does a reverse lookup of the host it is
trying to connect to in order to obtain the "real" host name. It uses
that name to determine what principal it needs a ticket for.

It would help to see the exact messages from rpc.gssd, rpc.svcgssd,
and from the KDC.

> Hi Kevin,
> God knows how, but everything is working fine now.
> I could not figure out why it was failing earlier.
>
> I have one question.
> Is it possible to use a common IP to access
> machines when Kerberos is running, i.e.
> I want to access system1 with an IP, say IP.
> When system1 crashes, I want to start services
> of system1 on system2 but want to access system2
> with the same IP.
>
> What I tried was:
> create keys (on machine running KDC)
> for all machines in my subnet.
>
> After this, take an IP and register it with DNS
> with some name, say NFS.domain.
> Create key (on machine running KDC) for
> NFS.domain.
> For those machines which will run the NFS server,
> ktadd respective machine key + ktadd NFS.domain
> key and copy keytab file to respective machines.
> For all other machines just ktadd respective
> machine key and copy keytab file to respective
> machines.
> In short,
> on machine running NFS server,
> #klist -k /etc/krb5.keytab
> 2 nfs/@
> 2 nfs/NFS.domainname@
>
> for other machines (NFS clients)
> #klist -k /etc/krb5.keytab
> 2 nfs/@
>
> but when I try to mount exported filesystems
> from NFS client,
> using
> #mount -t nfs4 -osec=krb5 NFS.doaminname:/ /share
>
> Failed to create krb5 context for user with uid 0
> with any credential cache for server NFS.domainname
>
> Everything works well if genuine server name is
> used for mounting. Problem arises only when
> (virtual IP) NFS.domainname is used.
>
> thanks,
> --kiran
>
> --- mehta kiran wrote:
>
> > Missed one thing.
> > I used kadmin.local to create principals (on machine
> > running KDC)
> >
> > thanks,
> > --kiran
> >
> > --- mehta kiran wrote:
> > > Hi Kevin,
> > > I created new database and new principal and
> > > keytab files.
> > >
> > > Kinit does not accept password for principals
> > > nfs/vcslinux5.vxindia.veritas.com
> > > and
> > > nfs/vcslinux6.vxindia.veritas.com
> > >
> > > Please let me know if I can provide some
> > > info (and how) (logs) which can point out the problem.
> > >
> > > thanks,
> > > --kiran
> > >
> > > --- Kevin Coffman wrote:
> > >
> > > > > Hi,
> > > > > I tried things as directed by Trond in
> > > > > his previous mail and everything seemed to work
> > > > > fine initially, but when I rebooted the system,
> > > > > it started giving an error whenever I start rpc.gssd
> > > > > on the client machine.
> > > > > Error is:
> > > > >
> > > > > [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > > Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained
> > > > >
> > > > > while #klist -k /etc/krb5.keytab gives
> > > > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > >
> > > > I'm confused by this, but I do not know what to look for.
> > > >
> > > > > I even tried recreating the Kerberos database but in
> > > > > vain. I still get the same error.
> > > >
> > > > If you recreated the Kerberos database, you need to
> > > > create new principals and keytab files. Did you do
> > > > this?
> > > >
> > > > > I observed one more thing.
> > > > > Whenever I create a principal (other than root/admin),
> > > > > passwords I enter for them during their creation
> > > > > are not accepted by kinit.
> > > >
> > > > This is also strange and _might_ be related. How are
> > > > you creating the principals -- using kadmin or
> > > > kadmin.local?
> > > > Which principals are you referring to here?
> > > >
> > > > > Please let me know where I went wrong.
> > > > >
> > > > > --thanks,
> > > > > --kiran

_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
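
Added example (not part of the original message, and not code from the Kerberos or NFS projects): a simplified Python model of the reverse lookup described in the reply above, showing which nfs/ principal a client would request for a given mount name and whether a server's `klist -k` listing contains it. The DNS tables, host names, realm and klist output are constructed sample data, and the function names are hypothetical.

```python
import re
import socket

def canonical_host(name, forward=None, reverse=None):
    """Forward-resolve the name, then reverse-resolve the address (simplified model)."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    return reverse(forward(name.lower())).lower().rstrip(".")

def expected_principal(name, realm, service="nfs", forward=None, reverse=None):
    """Service principal the client will request a ticket for."""
    return f"{service}/{canonical_host(name, forward, reverse)}@{realm}"

def keytab_principals(klist_output):
    """Pull principals out of `klist -k` text, skipping the header lines."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+/\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def diagnose(name, realm, klist_output, forward=None, reverse=None):
    """Return (principal the client asks for, whether the server keytab holds it)."""
    want = expected_principal(name, realm, forward=forward, reverse=reverse)
    return want, want in keytab_principals(klist_output)

# Constructed sample data (documentation addresses, example.com names).
FWD = {"nfs.example.com": "192.0.2.10", "server2.example.com": "192.0.2.2"}
REV_OK = {"192.0.2.10": "nfs.example.com", "192.0.2.2": "server2.example.com"}
REV_STALE = {"192.0.2.10": "server1.example.com", "192.0.2.2": "server2.example.com"}
KLIST_SERVER2 = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 nfs/server2.example.com@EXAMPLE.COM
   2 nfs/nfs.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, rev in (("PTR -> service name", REV_OK), ("PTR -> old host", REV_STALE)):
        want, ok = diagnose("nfs.example.com", "EXAMPLE.COM", KLIST_SERVER2,
                            forward=FWD.__getitem__, reverse=rev.__getitem__)
        print(f"{label}: client requests {want}; in server keytab: {ok}")
```

Called without the `forward` and `reverse` arguments, the functions use the system resolver, so the same check can be run against a live mount name and the text of `klist -k /etc/krb5.keytab` from the server.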