<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Bryce,<br>
<br>
Much appreciate your response.<br>
<br>
In regard to idmapd - this is one of the things I had looked at. As
both systems are in the same DNS domain it shouldn't be required
according to:<br>
<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html</a><br>
<br>
But just in case, I set "Domain = example.local" in /etc/idmapd.conf
on both NFS server and client. I also ensured the FQDN for
both NFS server and client is in /etc/hosts and
/etc/sysconfig/network on both servers. rpc.idmapd is running on
both client and server.<br>
<br>
I'm really not sure whether the following "warnings" are an issue or
not.<br>
<br>
<pre wrap="">Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache</pre>
<br>
You raise a good point regarding kinit - do I have to be kinit'ed in
as anybody before trying to mount the share? I thought that, as the
host and service principals are in /etc/krb5.keytab, I didn't need to
specifically authenticate against the IPA server. I might be
showing a fundamental lack of knowledge of how this all works, so it
would be good if someone could confirm or clarify this.<br>
<br>
As I'd used ipa-getkeytab to refresh the krb5.keytab files I would
have had a ticket for the admin IPA user. I re-tested anyway after
specifically running kinit on both client (and server just for the
hell of it): <br>
<br>
<font size="-1" face="Courier New">[root@nfs-client ~]# kinit<br>
Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.LOCAL">admin@EXAMPLE.LOCAL</a>:<br>
<br>
[root@nfs-client ~]# klist<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_0">FILE:/tmp/krb5cc_0</a><br>
Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.LOCAL">admin@EXAMPLE.LOCAL</a><br>
<br>
Valid starting Expires Service principal<br>
02/16/14 20:14:03 02/17/14 20:13:58
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL">krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL</a><br>
<br>
[root@nfs-server ~]# kinit<br>
Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.LOCAL">admin@EXAMPLE.LOCAL</a>:<br>
<br>
[root@nfs-server ~]# klist<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_0">FILE:/tmp/krb5cc_0</a><br>
Default principal: <a class="moz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.LOCAL">admin@EXAMPLE.LOCAL</a><br>
<br>
Valid starting Expires Service principal<br>
02/16/14 20:18:40 02/17/14 20:18:38
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL">krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL</a></font><br>
<br>
I tried the mount again and it still doesn't work; same error in the
nfs-server log (and as per other output I put in my first message):<br>
<br>
<font size="-1" face="Courier New">Feb 16 20:28:53 bdsvn001
rpc.svcgssd[12405]: ERROR: GSS-API: error in handle_nullreq:
gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.
Minor code may provide more information) - Wrong principal in
request<br>
Feb 16 20:28:53 bdsvn001 rpc.svcgssd[12405]: ERROR: GSS-API: error
in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE
(Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request</font><br>
<br>
Thanks, Paul<br>
<br>
<div class="moz-cite-prefix">On 16/02/2014 19:14,
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a> wrote:<br>
</div>
<blockquote
cite="mid:mailman.15148.1392578058.18909.freeipa-users@redhat.com"
type="cite">
<pre wrap="">Send Freeipa-users mailing list submissions to
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
To subscribe or unsubscribe via the World Wide Web, visit
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
or, via email, send a message with subject or body 'help' to
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a>
You can reach the person managing the list at
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-users digest..."
Today's Topics:
1. Re: Kerberized NFS Mount Issues (Nordgren, Bryce L -FS)
----------------------------------------------------------------------
Message: 1
Date: Sun, 16 Feb 2014 19:14:03 +0000
From: "Nordgren, Bryce L -FS" <a class="moz-txt-link-rfc2396E" href="mailto:bnordgren@fs.fed.us"><bnordgren@fs.fed.us></a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:regpm@mccleary.me.uk">"regpm@mccleary.me.uk"</a> <a class="moz-txt-link-rfc2396E" href="mailto:regpm@mccleary.me.uk"><regpm@mccleary.me.uk></a>,
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a> <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>
Subject: Re: [Freeipa-users] Kerberized NFS Mount Issues
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:82E7C9A01FD0764CACDD35D10F5DFB6E68DFFA@001FSN2MPN1-045.001f.mgd2.msft.net"><82E7C9A01FD0764CACDD35D10F5DFB6E68DFFA@001FSN2MPN1-045.001f.mgd2.msft.net></a>
Content-Type: text/plain; charset="us-ascii"
I don't know if this is your issue, but I noticed this:
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache
Who are you "kinit"ed as? Is your idmapper working on both client and server?
Bryce
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-freetext" href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] On Behalf Of <a class="moz-txt-link-abbreviated" href="mailto:regpm@mccleary.me.uk">regpm@mccleary.me.uk</a>
Sent: Sunday, February 16, 2014 4:49 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:regpm@mccleary.me.uk">regpm@mccleary.me.uk</a>
Subject: [Freeipa-users] Kerberized NFS Mount Issues
Hi,
I'm really stuck trying to get kerberized NFS configured via IPA and would be very grateful for any comments or advice based on the info I've provided below. I'm sure this is a very popular kerberized service configured under IPA and I must be missing something obvious.
Thanks, Paul
### Background ###
I've configured IPA (3.0.0-37.el6) on CentOS 6.5 (2.6.32-431.3.1.el6.x86_64) and have an NFS server and an NFS client (both also CentOS 6.5) configured and working as IPA clients, e.g. can login as an IPA LDAP user.
I have tested plain NFSv4 and that works fine:
Code:
________________________________
Testing Non-Kerberized NFS v4:
#####
#####
Client:
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=sys nfs-server.example.local:/ /mnt
mount.nfs4: timeout set for Sat Feb 15 23:58:23 2014
mount.nfs4: trying text-based options 'sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11'
nfs-server.example.local:/ on /mnt type nfs4 (rw,sec=sys)
[root@nfs-client ~]# df -h /mnt
Filesystem Size Used Avail Use% Mounted on
nfs-server.example.local:/ 50G 14G 33G 30% /mnt
[root@nfs-client ~]# mount|grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
nfs-server.example.local:/ on /mnt type nfs4 (rw,sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11)
#####
#####
Server:
[root@nfs-server ~]# cat /etc/exports
/pmtest 10.50.0.0/24(rw,sec=sys,fsid=0)
[root@nfs-server ~]# exportfs -v
/pmtest 10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=sys,rw,root_squash,no_all_squash)
________________________________
When I try to mount using kerberos it fails. I've searched for a number of days and tried many things, but am still stuck. The key error I think is in the NFS server syslog:
Code:
________________________________
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
________________________________
I don't understand how I have the wrong principal in the krb5.keytab. The various guides I've seen all have a similar keytab config as me, but I really hoped my first attempt using kerberos was going to be very easy as IPA would do all the hard stuff :-)
###########################################################
Output and Config Info From Failed Kerberized NFS mount:
Both client and server have secure NFS set to yes and name resolution is fine:
Code:
________________________________
[root@nfs-client ~]# nslookup nfs-server
Server: 10.50.0.20
Address: 10.50.0.20#53
Name: nfs-server.example.local
Address: 10.50.0.18
[root@nfs-client ~]# nslookup nfs-client
Server: 10.50.0.20
Address: 10.50.0.20#53
Name: nfs-client.example.local
Address: 10.50.0.11
[root@nfs-server ~]# nslookup nfs-server
Server: 10.50.0.20
Address: 10.50.0.20#53
Name: nfs-server.example.local
Address: 10.50.0.18
[root@nfs-server ~]# nslookup nfs-client
Server: 10.50.0.20
Address: 10.50.0.20#53
Name: nfs-client.example.local
Address: 10.50.0.11
________________________________
Code:
________________________________
#####
#####
Client:
[root@nfs-client ~]# service iptables status;getenforce
iptables: Firewall is not running.
Disabled
Attempted mount:
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=krb5 nfs-server.example.local:/ /mnt
mount.nfs4: timeout set for Sat Feb 15 23:45:23 2014
mount.nfs4: trying text-based options 'sec=krb5,addr=10.50.0.18,clientaddr=10.50.0.11'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-server.example.local:/
/var/log/messages:
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fac70 data 0x7fffaf4fab40
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: process_krb5_upcall: service is '<null>'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-server.example.local' is 'nfs-server.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-client.example.local' is 'nfs-client.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL while getting keytab entry for 'NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for root/nfs-client.example.local@EXAMPLE.LOCAL while getting keytab entry for 'root/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab entry for 'nfs/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Successfully obtained machine credentials for principal 'nfs/nfs-client.example.local@EXAMPLE.LOCAL' stored in ccache 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL as credentials cache for machine creds
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using fsuid 0 (save_uid 0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set to 2049
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-server.example.local' is 'nfs-server.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for 'nfs-client.example.local' is 'nfs-client.example.local'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL while getting keytab entry for 'NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry found for root/nfs-client.example.local@EXAMPLE.LOCAL while getting keytab entry for 'root/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab entry for 'nfs/nfs-client.example.local@EXAMPLE.LOCAL'
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL' are good until 1392594203
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL as credentials cache for machine creds
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using fsuid 0 (save_uid 0)
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set to 2049
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-server.example.local
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: doing error downcall
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig 37 si 0x7fffaf4fa770 data 0x7fffaf4fa640
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt0
/etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
permitted_enctypes = des3-cbc-sha1
[realms]
EXAMPLE.LOCAL = {
kdc = ipa-server.example.local:88
master_kdc = ipa-server.example.local:88
admin_server = ipa-server.example.local:749
default_domain = example.local
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL
/etc/krb5.keytab entries:
[root@nfs-client ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
4 02/15/14 23:27:51 host/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
3 02/15/14 23:27:58 nfs/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
#####
#####
Server:
[root@nfs-server ~]# cat /etc/exports
/pmtest 10.50.0.0/24(rw,sec=krb5,fsid=0)
[root@nfs-server ~]# exportfs -v
/pmtest 10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=krb5,rw,root_squash,no_all_squash)
[root@nfs-server ~]# service iptables status;getenforce
iptables: Firewall is not running.
Disabled
/var/log/messages:
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
/etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
permitted_enctypes = des3-cbc-sha1
[realms]
EXAMPLE.LOCAL = {
kdc = ipa-server.example.local:88
master_kdc = ipa-server.example.local:88
admin_server = ipa-server.example.local:749
default_domain = example.local
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL
/etc/krb5.keytab entries:
[root@nfs-server ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 02/15/14 23:09:43 host/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
3 02/15/14 23:09:51 nfs/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
End of Freeipa-users Digest, Vol 67, Issue 86
</pre>
</blockquote>
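The thread above turns on two things a defender can check offline: whether each keytab holds the service principal the other side expects (the client asks for <code>nfs@nfs-server.example.local</code>, so the server keytab must contain <code>nfs/nfs-server.example.local@EXAMPLE.LOCAL</code>), and what enctype policy krb5.conf pins the hosts to. The Python script below is an added example, not code from the thread, from FreeIPA or from nfs-utils; it parses constructed <code>klist -kte</code>, <code>rpc.gssd</code> log and krb5.conf samples shaped like the ones quoted above and reports missing principals, weak or deprecated enctypes and any acceptor principal the server keytab cannot serve. The enctype classification (single DES weak; 3DES and RC4 deprecated) is this example's own policy assumption; hostnames and realm are the ones from the thread's sample configuration.<br>

```python
"""Offline sanity checks for a Kerberized NFS client/server pair (added example,
not from the thread or FreeIPA).  Parses `klist -kte` output, rpc.gssd log lines
and krb5.conf [libdefaults]; all sample inputs are constructed to mirror the thread."""
import re
from dataclasses import dataclass

# ---- constructed sample inputs (same shapes as the thread's output) ----------
CLIENT_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   4 02/15/14 23:27:51 host/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
   3 02/15/14 23:27:58 nfs/nfs-client.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
"""
SERVER_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 02/15/14 23:09:43 host/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
   3 02/15/14 23:09:51 nfs/nfs-server.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
"""
CLIENT_GSSD_LOG = """Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with server nfs@nfs-server.example.local
"""
KRB5_CONF = """[libdefaults]
 default_realm = EXAMPLE.LOCAL
 allow_weak_crypto = true
 permitted_enctypes = des3-cbc-sha1
"""

# Enctype policy of this example (assumption): single DES is broken; 3DES and RC4
# are deprecated in MIT krb5, so service keys should be AES.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s\S+)\s+([^@\s]+)@(\S+)\s+\((\S+)\)\s*$")
GSS_TARGET = re.compile(r"creating context with server (\w+)@(\S+)")
LIBDEFAULT = re.compile(r"^\s*(allow_weak_crypto|permitted_enctypes)\s*=\s*(.+?)\s*$", re.M)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str  # service/host part, e.g. nfs/nfs-server.example.local
    realm: str
    enctype: str


def parse_klist(text):
    """Parse `klist -kte` output into KeytabEntry objects; header lines are skipped."""
    return [KeytabEntry(int(m[1]), m[3], m[4], m[5])
            for m in map(KEYTAB_LINE.match, text.splitlines()) if m]


def check_host_keytab(entries, fqdn, realm, services=("host", "nfs")):
    """A host needs host/FQDN and nfs/FQDN in its own realm; flag weak/deprecated keys."""
    findings = []
    present = {(e.principal, e.realm) for e in entries}
    for svc in services:
        if (f"{svc}/{fqdn}", realm) not in present:
            findings.append(f"MISSING {svc}/{fqdn}@{realm} not in keytab")
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"WEAK-ENCTYPE {e.principal}@{e.realm} kvno {e.kvno} uses {e.enctype}")
        elif e.enctype in DEPRECATED_ENCTYPES:
            findings.append(f"DEPRECATED-ENCTYPE {e.principal}@{e.realm} kvno {e.kvno} uses {e.enctype}")
    return findings


def gss_targets(log_text):
    """(service, host) pairs the client asked for: 'creating context with server nfs@...'."""
    return [(m[1], m[2]) for m in GSS_TARGET.finditer(log_text)]


def check_acceptor(targets, server_entries, realm):
    """The server can only accept a context if its keytab holds service/host@realm."""
    held = {(e.principal, e.realm) for e in server_entries}
    return [f"ACCEPTOR-MISSING server keytab lacks {svc}/{host}@{realm} requested by client"
            for svc, host in sorted(set(targets)) if (f"{svc}/{host}", realm) not in held]


def check_libdefaults(conf_text):
    """Flag krb5.conf settings that pin the whole host to weak or deprecated enctypes."""
    findings = []
    for key, value in LIBDEFAULT.findall(conf_text):
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1"):
            findings.append("WEAK-CRYPTO allow_weak_crypto re-enables enctypes the library classes as weak")
        if key == "permitted_enctypes" and all(
                e in WEAK_ENCTYPES | DEPRECATED_ENCTYPES for e in value.split()):
            findings.append(f"PERMITTED-ENCTYPES only weak/deprecated types allowed: {value}")
    return findings


def audit(realm="EXAMPLE.LOCAL"):
    """Run every check on the constructed inputs; returns {section: [findings]}."""
    client, server = parse_klist(CLIENT_KLIST), parse_klist(SERVER_KLIST)
    return {
        "client_keytab": check_host_keytab(client, "nfs-client.example.local", realm),
        "server_keytab": check_host_keytab(server, "nfs-server.example.local", realm),
        "acceptor": check_acceptor(gss_targets(CLIENT_GSSD_LOG), server, realm),
        "krb5_conf": check_libdefaults(KRB5_CONF),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To use it on a real pair, replace the constants with the output of <code>klist -kte</code> on each host, the client's <code>rpc.gssd</code> messages and its <code>/etc/krb5.conf</code>. On the thread's own data the principal checks pass and only the enctype policy is reported, which is consistent with the failure lying elsewhere; a missing acceptor key is one common cause of the server-side "Wrong principal in request" error, and a keytab whose KVNO no longer matches the KDC (retrieving a keytab with ipa-getkeytab re-randomises the key) is a KDC-side check this offline script cannot make.<br>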
<br>
</body>
</html>