<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I'm really stuck trying to get kerberized NFS configured via IPA and
would be very grateful for any comments or advice based on the info
I've provided below. I'm sure this is a very popular kerberized
service configured under IPA and I must be missing something
obvious.<br>
<br>
Thanks, Paul<br>
<br>
### Background ###<br>
I've configured IPA (3.0.0-37.el6) on CentOS 6.5
(2.6.32-431.3.1.el6.x86_64) and have an NFS server and an NFS client
(both also CentOS 6.5) configured and working as IPA clients, e.g.
can login as an IPA LDAP user.<br>
<br>
I have tested plain NFSv4 and that works fine:<br>
<br>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<hr><code style="margin:0px" dir="ltr"><b>Testing Non-Kerberized
NFS v4:</b><br>
<b>#####<br>
#####<br>
Client:</b><br>
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=sys
nfs-server.example.local:/ /mnt<br>
mount.nfs4: timeout set for Sat Feb 15 23:58:23 2014<br>
mount.nfs4: trying text-based options
'sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11'<br>
nfs-server.example.local:/ on /mnt type nfs4 (rw,sec=sys)<br>
[root@nfs-client ~]# df -h /mnt<br>
Filesystem Size Used Avail Use% Mounted on<br>
nfs-server.example.local:/ 50G 14G 33G 30% /mnt<br>
[root@nfs-client ~]# mount|grep nfs<br>
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)<br>
nfsd on /proc/fs/nfsd type nfsd (rw)<br>
nfs-server.example.local:/ on /mnt type nfs4
(rw,sec=sys,addr=10.50.0.18,clientaddr=10.50.0.11)<br>
<br>
<b>#####<br>
#####<br>
Server:</b><br>
[root@nfs-server ~]# cat /etc/exports<br>
/pmtest 10.50.0.0/24(rw,sec=sys,fsid=0)<br>
<br>
[root@nfs-server ~]# exportfs -v<br>
/pmtest
10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=sys,rw,root_squash,no_all_squash)</code>
<hr> </div>
When I try to mount using kerberos it fails. I've searched for a
number of days and tried many things, but am still stuck. The key
error I think is in the NFS server syslog:<br>
<br>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<hr><code style="margin:0px" dir="ltr">Feb 15 23:43:24 nfs-server
rpc.svcgssd[6446]: ERROR: GSS-API: error in handle_nullreq:
gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - Wrong
principal in request<br>
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API:
error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE
(Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request</code>
<hr> </div>
I don't understand how I have the wrong principal in the
krb5.keytab. The various guides I've seen all have a similar keytab
config as me, but I really hoped my first attempt using kerberos was
going to be very easy as IPA would do all the hard stuff :-)<br>
<br>
###########################################################<br>
<b>Output and Config Info From Failed Kerberized NFS mount:</b><br>
<br>
Both client and server have secure NFS set to yes and name
resolution is fine:<br>
<br>
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<hr><code style="margin:0px" dir="ltr">[root@nfs-client ~]#
nslookup nfs-server<br>
Server: 10.50.0.20<br>
Address: 10.50.0.20#53<br>
<br>
Name: nfs-server.example.local<br>
Address: 10.50.0.18<br>
<br>
[root@nfs-client ~]# nslookup nfs-client<br>
Server: 10.50.0.20<br>
Address: 10.50.0.20#53<br>
<br>
Name: nfs-client.example.local<br>
Address: 10.50.0.11<br>
<br>
<br>
[root@nfs-server ~]# nslookup nfs-server<br>
Server: 10.50.0.20<br>
Address: 10.50.0.20#53<br>
<br>
Name: nfs-server.example.local<br>
Address: 10.50.0.18<br>
<br>
[root@nfs-server ~]# nslookup nfs-client<br>
Server: 10.50.0.20<br>
Address: 10.50.0.20#53<br>
<br>
Name: nfs-client.example.local<br>
Address: 10.50.0.11</code>
<hr> </div>
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<hr><code style="margin:0px" dir="ltr"><b>#####<br>
#####<br>
Client:</b><br>
[root@nfs-client ~]# service iptables status;getenforce<br>
iptables: Firewall is not running.<br>
Disabled<br>
<br>
Attempted mount:<br>
[root@nfs-client ~]# mount -v -t nfs4 -o rw,sec=krb5
nfs-server.example.local:/ /mnt<br>
mount.nfs4: timeout set for Sat Feb 15 23:45:23 2014<br>
mount.nfs4: trying text-based options
'sec=krb5,addr=10.50.0.18,clientaddr=10.50.0.11'<br>
mount.nfs4: mount(2): Permission denied<br>
mount.nfs4: access denied by server while mounting
nfs-server.example.local:/<br>
<br>
/var/log/messages:<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fac70 data 0x7fffaf4fab40<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fac70 data 0x7fffaf4fab40<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fac70 data 0x7fffaf4fab40<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fac70 data 0x7fffaf4fab40<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fac70 data 0x7fffaf4fab40<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handle_gssd_upcall:
'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt0)<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: process_krb5_upcall:
service is '<null>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for
'nfs-server.example.local' is 'nfs-server.example.local'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for
'nfs-client.example.local' is 'nfs-client.example.local'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry
found for <a class="moz-txt-link-abbreviated"
href="mailto:NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL">NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL</a>
while getting keytab entry for '<a
class="moz-txt-link-abbreviated"
href="mailto:NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL">NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry
found for <a class="moz-txt-link-abbreviated"
href="mailto:root/nfs-client.example.local@EXAMPLE.LOCAL">root/nfs-client.example.local@EXAMPLE.LOCAL</a>
while getting keytab entry for '<a
class="moz-txt-link-abbreviated"
href="mailto:root/nfs-client.example.local@EXAMPLE.LOCAL">root/nfs-client.example.local@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab
entry for '<a class="moz-txt-link-abbreviated"
href="mailto:nfs/nfs-client.example.local@EXAMPLE.LOCAL">nfs/nfs-client.example.local@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Successfully obtained
machine credentials for principal '<a
class="moz-txt-link-abbreviated"
href="mailto:nfs/nfs-client.example.local@EXAMPLE.LOCAL">nfs/nfs-client.example.local@EXAMPLE.LOCAL</a>'
stored in ccache '<a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC
'<a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>'
are good until 1392594203<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using <a
class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>
as credentials cache for machine creds<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment
variable to select krb5 ccache <a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a><br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using
fsuid 0 (save_uid 0)<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for
server nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set
to 2049<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with
server <a class="moz-txt-link-abbreviated"
href="mailto:nfs@nfs-server.example.local">nfs@nfs-server.example.local</a><br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to
create krb5 context for user with uid 0 for server
nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to
create machine krb5 context with credentials cache <a
class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>
for server nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Machine cache
is prematurely expired or corrupted trying to recreate cache for
server nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for
'nfs-server.example.local' is 'nfs-server.example.local'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Full hostname for
'nfs-client.example.local' is 'nfs-client.example.local'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry
found for <a class="moz-txt-link-abbreviated"
href="mailto:NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL">NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL</a>
while getting keytab entry for '<a
class="moz-txt-link-abbreviated"
href="mailto:NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL">NFS-CLIENT.EXAMPLE.LOCAL$@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: No key table entry
found for <a class="moz-txt-link-abbreviated"
href="mailto:root/nfs-client.example.local@EXAMPLE.LOCAL">root/nfs-client.example.local@EXAMPLE.LOCAL</a>
while getting keytab entry for '<a
class="moz-txt-link-abbreviated"
href="mailto:root/nfs-client.example.local@EXAMPLE.LOCAL">root/nfs-client.example.local@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: Success getting keytab
entry for '<a class="moz-txt-link-abbreviated"
href="mailto:nfs/nfs-client.example.local@EXAMPLE.LOCAL">nfs/nfs-client.example.local@EXAMPLE.LOCAL</a>'<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC
'<a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>'
are good until 1392594203<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: INFO: Credentials in CC
'<a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>'
are good until 1392594203<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using <a
class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>
as credentials cache for machine creds<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: using environment
variable to select krb5 ccache <a class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a><br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context using
fsuid 0 (save_uid 0)<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating tcp client for
server nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: DEBUG: port already set
to 2049<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: creating context with
server <a class="moz-txt-link-abbreviated"
href="mailto:nfs@nfs-server.example.local">nfs@nfs-server.example.local</a><br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to
create krb5 context for user with uid 0 for server
nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to
create machine krb5 context with credentials cache <a
class="moz-txt-link-freetext"
href="FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL">FILE:/tmp/krb5cc_machine_EXAMPLE.LOCAL</a>
for server nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to
create machine krb5 context with any credentials cache for server
nfs-server.example.local<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: doing error downcall<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: dir_notify_handler: sig
37 si 0x7fffaf4fa770 data 0x7fffaf4fa640<br>
Feb 15 23:43:23 nfs-client rpc.gssd[1123]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt0<br>
<br>
/etc/krb5.conf<br>
includedir /var/lib/sss/pubconf/krb5.include.d/<br>
<br>
[libdefaults]<br>
default_realm = EXAMPLE.LOCAL<br>
dns_lookup_realm = false<br>
dns_lookup_kdc = true<br>
rdns = false<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
allow_weak_crypto = true<br>
permitted_enctypes = des3-cbc-sha1<br>
<br>
[realms]<br>
EXAMPLE.LOCAL = {<br>
kdc = ipa-server.example.local:88<br>
master_kdc = ipa-server.example.local:88<br>
admin_server = ipa-server.example.local:749<br>
default_domain = example.local<br>
pkinit_anchors = <a class="moz-txt-link-freetext"
href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a><br>
}<br>
<br>
[domain_realm]<br>
.example.local = EXAMPLE.LOCAL<br>
example.local = EXAMPLE.LOCAL<br>
<br>
/etc/krb5.keytab entries:<br>
[root@nfs-client ~]# klist -kte<br>
Keytab name: <a class="moz-txt-link-freetext"
href="FILE:/etc/krb5.keytab">FILE:/etc/krb5.keytab</a><br>
KVNO Timestamp Principal<br>
---- -----------------
--------------------------------------------------------<br>
4 02/15/14 23:27:51 <a class="moz-txt-link-abbreviated"
href="mailto:host/nfs-client.example.local@EXAMPLE.LOCAL">host/nfs-client.example.local@EXAMPLE.LOCAL</a>
(des3-cbc-sha1)<br>
3 02/15/14 23:27:58 <a class="moz-txt-link-abbreviated"
href="mailto:nfs/nfs-client.example.local@EXAMPLE.LOCAL">nfs/nfs-client.example.local@EXAMPLE.LOCAL</a>
(des3-cbc-sha1)<br>
<br>
<br>
<b>#####<br>
#####<br>
Server:</b><br>
[root@nfs-server ~]# cat /etc/exports<br>
/pmtest 10.50.0.0/24(rw,sec=krb5,fsid=0)<br>
<br>
[root@nfs-server ~]# exportfs -v<br>
/pmtest
10.50.0.0/24(rw,wdelay,root_squash,no_subtree_check,fsid=0,sec=krb5,rw,root_squash,no_all_squash)<br>
<br>
[root@nfs-server ~]# service iptables status;getenforce<br>
iptables: Firewall is not running.<br>
Disabled<br>
<br>
<br>
/var/log/messages:<br>
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API:
error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE
(Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request<br>
Feb 15 23:43:24 nfs-server rpc.svcgssd[6446]: ERROR: GSS-API:
error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE
(Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request<br>
<br>
<br>
/etc/krb5.conf<br>
includedir /var/lib/sss/pubconf/krb5.include.d/<br>
<br>
[libdefaults]<br>
default_realm = EXAMPLE.LOCAL<br>
dns_lookup_realm = true<br>
dns_lookup_kdc = true<br>
rdns = false<br>
ticket_lifetime = 24h<br>
forwardable = yes<br>
allow_weak_crypto = true<br>
permitted_enctypes = des3-cbc-sha1<br>
<br>
[realms]<br>
EXAMPLE.LOCAL = {<br>
kdc = ipa-server.example.local:88<br>
master_kdc = ipa-server.example.local:88<br>
admin_server = ipa-server.example.local:749<br>
default_domain = example.local<br>
pkinit_anchors = <a class="moz-txt-link-freetext"
href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a><br>
}<br>
<br>
[domain_realm]<br>
.example.local = EXAMPLE.LOCAL<br>
example.local = EXAMPLE.LOCAL<br>
<br>
<br>
/etc/krb5.keytab entries:<br>
[root@nfs-server ~]# klist -kte<br>
Keytab name: <a class="moz-txt-link-freetext"
href="FILE:/etc/krb5.keytab">FILE:/etc/krb5.keytab</a><br>
KVNO Timestamp Principal<br>
---- -----------------
--------------------------------------------------------<br>
2 02/15/14 23:09:43 <a class="moz-txt-link-abbreviated"
href="mailto:host/nfs-server.example.local@EXAMPLE.LOCAL">host/nfs-server.example.local@EXAMPLE.LOCAL</a>
(des3-cbc-sha1)<br>
3 02/15/14 23:09:51 <a class="moz-txt-link-abbreviated"
href="mailto:nfs/nfs-server.example.local@EXAMPLE.LOCAL">nfs/nfs-server.example.local@EXAMPLE.LOCAL</a>
(des3-cbc-sha1)</code>
</body>
</html>