From: Kevin Coffman Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option Date: Wed, 16 Mar 2005 11:12:23 -0500 Message-ID: <20050316161223.0C5A31BADE@citi.umich.edu> References: <20050316154052.19953.qmail@web51602.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Trond Myklebust , nfs@lists.sourceforge.net Received: from sc8-sf-mx1-b.sourceforge.net ([10.3.1.11] helo=sc8-sf-mx1.sourceforge.net) by sc8-sf-list2.sourceforge.net with esmtp (Exim 4.30) id 1DBb8D-0006qp-TF for nfs@lists.sourceforge.net; Wed, 16 Mar 2005 08:12:25 -0800 Received: from citi.umich.edu ([141.211.133.111]) by sc8-sf-mx1.sourceforge.net with esmtp (TLSv1:AES256-SHA:256) (Exim 4.41) id 1DBb8C-0002vx-2E for nfs@lists.sourceforge.net; Wed, 16 Mar 2005 08:12:25 -0800 To: mehta kiran In-reply-to: <20050316154052.19953.qmail@web51602.mail.yahoo.com> Sender: nfs-admin@lists.sourceforge.net Errors-To: nfs-admin@lists.sourceforge.net List-Unsubscribe: , List-Id: Discussion of NFS under Linux development, interoperability, and testing. List-Post: List-Help: List-Subscribe: , List-Archive: A keytab hold's a machine's keys. Not keys to talk to other servers. (Those are obtained from the KDC.) The client machine, vcslinux5, should have a keytab entry for: nfs/vcslinux5.veritas.com@VXINDIA.VERITAS.COM The server machine, vcslinux1, should have a keytab entry for: nfs/vcslinux1.veritas.com@VXINDIA.VERITAS.COM The key version number of the key in the keytab (the number listed in the output of klist -k) must match the key version number of the entry in the Kerberos database. > Hi , > Client machine is vcslinux5 . I added entry for > nfs/vcslinux5.... to /etc/krb5.keytab on server. > > I copied same keytab file to client side.Is this ok? > > output of klist -k /etc/krb5.keytab on server > 3 nfs/vcslinux5.veritas.com@VXINDIA.VERITAS.COM > 3 > nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM > 2 root/admin@VXINDIA.VERITAS.COM > 2 > root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM > 3 > root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM > 2 > ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM > 3 > nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM > > > > Error in log file on mount > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: > failed reading uid from krb5 upcall pipe: Success > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key > table entry not found while getting initial ticket for > principal > 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' > from keytab 'FILE:/etc/krb5.keytab' > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No > usable machine credentials obtained > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: > Failed to obtain machine credentials for connection to > server vcslinux1.vxindia.veritas.com > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: > Failed to create krb5 context for user with uid 0 with > any credentials cache for server > vcslinux1.vxindia.veritas.com > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to > write error downcall! > > thanks, > --kiran > > --- Trond Myklebust > wrote: > > > on den 16.03.2005 Klokka 06:47 (-0800) skreiv mehta > > kiran: > > > I rebooted the machine due to some problem. > > > That problem has vanished but i get following > > message > > > > > > Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: > > > Failed to obtain machine credentials for > > connection to > > > server vcslinux1.vxindia.veritas.com > > > Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: > > > failed reading uid from krb5 upcall pipe: Success > > > Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: WARNING: > > Key > > > table entry not found while getting initial ticket > > for > > > principal > > > > > > 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' > > > from keytab 'FILE:/etc/krb5.keytab' > > > Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: ERROR: > > No > > > usable machine credentials obtained > > > > So what is the name of your client? It looks like > > your keytab file has a > > credential for nfs/vcslinux1, but the syslog entries > > above appear to > > refer to vcslinux5. > > > > If the client name is vcslinux5, then the credential > > in the keytab > > should be > > > nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM > > > > > > Cheers, > > Trond > > > > > > > --- mehta kiran wrote: > > > > Hi , > > > > Yes , module rpcsec_gss_krb5 is loaded. > > > > RHEL GA is installed on my machines > > > > thanks, > > > > --kiran > > > > --- Kevin Coffman wrote: > > > > > Is your server's kernel built with > > > > > CONFIG_RPCSEC_GSS_KRB5? > > > > > If it is built as a module, is the module > > loaded? > > > > > > > > > > > > > > > > Hi , > > > > > > I have exported filesystems to client > > but > > > > > > when client mounts using > > > > > > mount -t nfs4 -o sec=krb5 vcslinux1:/ > > > > /share > > > > > > > > > > > it gets error : > > > > > > ------------- > > > > > > kernel: RPC: Couldn't create auth > > handle > > > > > (flavor > > > > > > 390003) > > > > > > kernel: NFS: cannot create RPC client. > > > > > > rpc.idmapd: open > > > > > > (/var/lib/nfs/rpc_pipefs/nfs/clnt23) > > > > > > -------------- > > > > > > > > > > > > nfs sevver is runnnig on vcslinux1 > > system > > > > and > > > > > > > > > > > client on vcslinux5 > > > > > > > > > > > > Ouput of klist -k /etc/krb5.keytab on > > server > > > > > > > > > > > > 3 > > > > > > > > > > > > > > > > > > > > > nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM > > > > > > 2 root/admin@VXINDIA.VERITAS.COM > > > > > > 2 > > > > > > > > > > > > > > > > > > > > > root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM > > > > > > 3 > > > > > > > > > > > > > > > > > > > > > ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM > > > > > > > > > > > > > > > > > > All nfs daemons are running. rpc.svcgssd and > > > > > > rpc.idmapd is also runnnig. > > > > > > > > > > > > On client side rpc.gssd is runnnig with -m > > > > option. > > > > > > > > > > > > > > > > > > thanks, > > > > > > --kiran > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > __________________________________ > > > > > > Do you Yahoo!? > > > > > > Yahoo! Small Business - Try our new > > resources > > > > > site! > > > > > > http://smallbusiness.yahoo.com/resources/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------- > > > > > > SF email is sponsored by - The IT Product > > Guide > > > > > > Read honest & candid reviews on hundreds of > > IT > > > > > Products from real users. > > > > > > Discover which products truly live up to the > > > > hype. > > > > > Start reading now. > > > > > > > > > > > > > > > > > > > > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click > > > > > > > > _______________________________________________ > > > > > > NFS maillist - NFS@lists.sourceforge.net > > > > > > > > https://lists.sourceforge.net/lists/listinfo/nfs > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > __________________________________ > > > > Do you Yahoo!? > > > > Yahoo! Small Business - Try our new resources > > site! > > > > http://smallbusiness.yahoo.com/resources/ > > > > > > > > > > > > > > > > > > ------------------------------------------------------- > > > > SF email is sponsored by - The IT Product Guide > > > > Read honest & candid reviews on hundreds of IT > > > > Products from real users. > > > > Discover which products truly live up to the > > hype. > > > > Start reading now. > > > > > > > > > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click > > > > _______________________________________________ > > > > NFS maillist - NFS@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/nfs > > > > > > > > > > __________________________________________________ > > > Do You Yahoo!? > > > Tired of spam? Yahoo! Mail has the best spam > > protection around > > > http://mail.yahoo.com > > > > > > > > > > > > ------------------------------------------------------- > > > SF email is sponsored by - The IT Product Guide > > > Read honest & candid reviews on hundreds of IT > > Products from real users. > > > Discover which products truly live up to the hype. > > Start reading now. > > > > > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click > > > _______________________________________________ > > > NFS maillist - NFS@lists.sourceforge.net > > > https://lists.sourceforge.net/lists/listinfo/nfs > > -- > > Trond Myklebust > > > > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ NFS maillist - NFS@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfs