<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>So I have two test machines that I set up because of this same
problem on my secure offline network. One of the test machines is
a server that has FreeIPA and NFS running on it, the other test
machine is a client that mounts two NFS shares from the server
using krb5i sec.
<br>
<br>
Upon initial install, everything works as it is supposed to. The
domain users can log in just fine, the mount mounts perfectly.
<br>
<br>
If I remove the client from the domain using:
<br>
<br>
ipa-client-automount --uninstall
<br>
<br>
ipa-client-install --uninstall
<br>
<br>
<br>
And then on the server:
<br>
<br>
ipa-client-automount --uninstall
<br>
<br>
ipa-server-install --uninstall
<br>
<br>
then delete the ca.crt, run sss -E (to clear the sssd caches),
rm /tmp/krb5*
<br>
<br>
<br>
and then reinstall the server:
<br>
<br>
ipa-server-install
<br>
<br>
service sshd restart
<br>
<br>
kinit admin
<br>
<br>
ipa service-add nfs/server.dar.lan
<br>
<br>
ipa-getkeytab -s server.dar.lan -p host/server.dar.lan -k
/etc/krb5.keytab
<br>
<br>
ipa-getkeytab -s server.dar.lan -p nfs/server.dar.lan -k
/etc/krb5.keytab
<br>
<br>
ipa-client-automount
<br>
<br>
<br>
and reinstall on the client:
<br>
<br>
ipa-client-install
<br>
<br>
ipa-client-automount
<br>
<br>
<br>
I believe I now have the same setup as I had before.
<br>
<br>
I can kinit and get a ticket:
<br>
<br>
Ticket cache: FILE:/tmp/krb5cc_615200000_TinxaO
<br>
Default principal: admin@DAR.LAN
<br>
<br>
Valid starting Expires Service principal
<br>
02/03/17 12:54:02 02/04/17 12:53:59 krbtgt/DAR.LAN@DAR.LAN
<br>
<br>
My domain users can log in to their desktops.
<br>
<br>
But I can't mount the shares.
<br>
<br>
I get:
<br>
<br>
mount.nfs4: timeout set for Fri Feb 3 12:58:36 2017
<br>
mount.nfs4: trying text-based options
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'<br>
mount.nfs4: mount(2): Permission denied
<br>
mount.nfs4: access denied by server while mounting
server:/NFS_SHARE/USERS
<br>
mount.nfs4: timeout set for Fri Feb 3 12:58:36 2017
<br>
mount.nfs4: trying text-based options
'sec=krb5i,proto=tcp,port=2049,rsize=8192,wsize=8192,timeo=14,intr,addr=137.67.205.1,clientaddr=137.67.205.11'<br>
mount.nfs4: mount(2): Permission denied
<br>
mount.nfs4: access denied by server while mounting
server:/NFS_SHARE/admin
<br>
<br>
<br>
Originally I chased permissions, but when I started looking at
/var/log/messages on the server, I noticed that rpcgssd was
complaining about a wrong principal.
<br>
<br>
On the server I executed kadmin.local and then listprincs
<br>
<br>
K/M@DAR.LAN
<br>
krbtgt/DAR.LAN@DAR.LAN
<br>
kadmin/server.dar.lan@DAR.LAN
<br>
kadmin/admin@DAR.LAN
<br>
kadmin/changepw@DAR.LAN
<br>
ldap/server.dar.lan@DAR.LAN
<br>
host/server.dar.lan@DAR.LAN
<br>
HTTP/server.dar.lan@DAR.LAN
<br>
nfs/server.dar.lan@DAR.LAN
<br>
s_sharkey@DAR.LAN
<br>
host/as1.dar.lan@DAR.LAN
<br>
<br>
and then a getprinc on nfs/server.dar.lan@DAR.LAN:
<br>
<br>
Principal: nfs/server.dar.lan@DAR.LAN
<br>
Expiration date: [never]
<br>
Last password change: Thu Feb 02 15:31:24 EST 2017
<br>
Password expiration date: [none]
<br>
Maximum ticket life: 1 day 00:00:00
<br>
Maximum renewable life: 7 days 00:00:00
<br>
Last modified: Thu Feb 02 15:31:24 EST 2017 (nfs/server.dar.lan@DAR.LAN)
<br>
Last successful authentication: Thu Feb 02 16:52:16 EST 2017
<br>
Last failed authentication: Fri Feb 03 12:09:14 EST 2017
<br>
Failed password attempts: 1
<br>
Number of keys: 4
<br>
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
<br>
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
<br>
Key: vno 3, des3-cbc-sha1, no salt
<br>
Key: vno 3, arcfour-hmac, no salt
<br>
MKey: vno 1
<br>
Attributes: REQUIRES_PRE_AUTH
<br>
Policy: [none]
<br>
<br>
looking at my keytab, klist -ke /etc/krb5.keytab
<br>
<br>
1 2 host/server.dar.lan@DAR.LAN
<br>
2 1 nfs/server.dar.lan@DAR.LAN
<br>
3 3 host/server.dar.lan@DAR.LAN
<br>
4 3 host/server.dar.lan@DAR.LAN
<br>
5 3 host/server.dar.lan@DAR.LAN
<br>
6 3 host/server.dar.lan@DAR.LAN
<br>
7 2 nfs/server.dar.lan@DAR.LAN
<br>
8 2 nfs/server.dar.lan@DAR.LAN
<br>
9 2 nfs/server.dar.lan@DAR.LAN
<br>
10 2 nfs/server.dar.lan@DAR.LAN
<br>
<br>
I saw I had two extra older kt's so I used kadmin.local to remove
them with modprinc. Not sure where they came from. . .
<br>
<br>
I again tried to mount, this time using -vvv in /etc/sysconfig/nfs
for rpcgssd, rpcsvcgssd, and rpcbind, and /var/log/messages output
this on the server (I'll only paste the data from one mount
attempt, as there are two mounts and they're complaining
identically):
<br>
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: leaving poll
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: handling null request
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]:
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes
with 7 enctypes from the kernel
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: WARNING:
gss_accept_sec_context failed
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE
(Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: sending null reply
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: writing message: \x
\ [...] 1486142792 851968 2529639056 \x \x
<br>
REPEATED 3x . . .</p>
<p><br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: finished handling null
request
<br>
Feb 3 12:25:32 server audispd: node=server type=SYSCALL
msg=audit(1486142732.066:592): arch=c000003e syscall=87
success=yes exit=0 a0=2110480 a1=c2 a2=1a a3=f items=2 ppid=1
pid=4525 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-terminal"
exe="/usr/bin/gnome-terminal"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="delete"
<br>
Feb 3 12:25:32 server audispd: node=server type=CWD
msg=audit(1486142732.066:592): cwd="/home/adminnt"
<br>
Feb 3 12:25:32 server rpc.svcgssd[4796]: entering poll
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=SYSCALL
msg=audit(1486142734.451:79839): arch=c000003e syscall=165
success=no exit=-13 a0=7ffcb5014564 a1=7f00d8823ea0
a2=7f00d72133f6 a3=0 items=17 ppid=7132 pid=7133 auid=615200000
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=2 comm="mount.nfs4" exe="/sbin/mount.nfs"
subj=unconfined_u:unconfined_r:unconfined_mount_t:s0-s0:c0.c1023
key="export"
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=CWD
msg=audit(1486142734.451:79839): cwd="/usr"
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=0 name="/NFS_SHARE"
inode=654083 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=1 name=(null) inode=103
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=2 name=(null) inode=103
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=3 name=(null) inode=280
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=4 name=(null) inode=280
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=5 name=(null) inode=281
dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=6 name=(null) inode=280
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=7 name=(null) inode=282
dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=8 name=(null) inode=280
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=9 name=(null) inode=283
dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=10 name=(null) inode=280
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=11 name=(null) inode=284
dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=12 name=(null) inode=103
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=NORMAL
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=13 name=(null) inode=103
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=14 name=(null) inode=285
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=15 name=(null) inode=285
dev=00:12 mode=040555 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=PARENT
<br>
Feb 3 12:25:34 as1 audispd: node=as1 type=PATH
msg=audit(1486142734.451:79839): item=16 name=(null) inode=286
dev=00:12 mode=0100400 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:rpc_pipefs_t:s0 nametype=CREATE
<br>
<br>
<br>
I apologize for the wall o' words, but you know how log files can
be.
<br>
<br>
So my setup naming conventions are exactly as during the initial
install, which worked. The config files shouldn't have changed. It
seems as if the principal name, KVNO, and the keytab match up. Did
something not get cleaned properly?</p>
<p>Currently I can mount just fine without krb5i security, but my
Govt STIG requires it for NFS mounts and I'm stuck.<br>
</p>
<p><br>
</p>
<p>Thanks for any help!</p>
<p><br>
</p>
<p>Matt<br>
<br>
<br>
</p>
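<p>Two checks a practitioner would run on the data in this post, as an added example that is not part of the original message or of the FreeIPA project: a keytab-versus-KDC key version (kvno) comparison, and a scanner that pulls the GSS-API error lines out of rpc.svcgssd syslog output. The sample listings are constructed to mirror what the post shows (the keytab lists nfs/server.dar.lan at vno 1 and 2 while getprinc reports vno 3); the "slot kvno principal" listing layout, the function names and the regular expressions are assumptions of this example, not FreeIPA or MIT Kerberos APIs.</p>

```python
"""Offline consistency check between a keytab listing and KDC principal
records, plus a scan of rpc.svcgssd log lines for GSS-API failures.
Added example: the listings below are constructed to match the output
shown in the post, not captured from a live system."""
import re
from collections import defaultdict

# Constructed: "slot kvno principal" keytab listing in the shape shown in the post.
KEYTAB_LISTING = """\
1 2 host/server.dar.lan@DAR.LAN
2 1 nfs/server.dar.lan@DAR.LAN
3 3 host/server.dar.lan@DAR.LAN
7 2 nfs/server.dar.lan@DAR.LAN
"""

# Constructed: abbreviated kadmin.local getprinc output for the nfs principal.
GETPRINC_OUTPUT = """\
Principal: nfs/server.dar.lan@DAR.LAN
Expiration date: [never]
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
"""

# Constructed: syslog lines in the shape rpc.svcgssd writes at -vvv.
SVCGSSD_LOG = """\
Feb 3 12:25:32 server rpc.svcgssd[4796]: handling null request
Feb 3 12:25:32 server rpc.svcgssd[4796]: WARNING: gss_accept_sec_context failed
Feb 3 12:25:32 server rpc.svcgssd[4796]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
Feb 3 12:25:32 server rpc.svcgssd[4796]: sending null reply
"""

KT_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")
KEY_LINE = re.compile(r"^Key: vno (\d+),")
PRINC_LINE = re.compile(r"^Principal: (\S+)")
GSS_ERR = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) rpc\.svcgssd\[(\d+)\]: "
    r"ERROR: GSS-API: .*? - (.+)$"
)


def parse_keytab_listing(text):
    """Return {principal: sorted list of kvnos} from a 'slot kvno principal' listing."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KT_LINE.match(line)
        if m:
            kvnos[m.group(3)].add(int(m.group(2)))
    return {p: sorted(v) for p, v in kvnos.items()}


def parse_getprinc(text):
    """Return (principal, current kvno) from kadmin getprinc output.
    Every 'Key:' line of one principal normally carries the same vno; the
    maximum is taken so a mixed listing still yields the newest version."""
    principal, vnos = None, []
    for line in text.splitlines():
        pm = PRINC_LINE.match(line)
        if pm:
            principal = pm.group(1)
        km = KEY_LINE.match(line)
        if km:
            vnos.append(int(km.group(1)))
    if principal is None or not vnos:
        raise ValueError("getprinc output lacks Principal: or Key: lines")
    return principal, max(vnos)


def check_keytab(keytab_kvnos, kdc_kvnos):
    """Compare keytab entries against KDC kvnos. Returns {principal: status}:
    'ok' (newest keytab vno equals the KDC's), 'missing' (no keytab entry),
    'stale' (KDC vno is higher, i.e. the key was rotated after the keytab was
    written) or 'ahead' (keytab vno exceeds the KDC's, e.g. the principal was
    deleted and recreated so the KDC restarted numbering)."""
    report = {}
    for princ, kdc_vno in kdc_kvnos.items():
        have = keytab_kvnos.get(princ)
        if not have:
            report[princ] = "missing"
        elif max(have) == kdc_vno:
            report[princ] = "ok"
        elif max(have) < kdc_vno:
            report[princ] = "stale"
        else:
            report[princ] = "ahead"
    return report


def gss_failures(log_text):
    """Extract (timestamp, host, pid, reason) from rpc.svcgssd GSS-API error lines."""
    hits = []
    for line in log_text.splitlines():
        m = GSS_ERR.match(line)
        if m:
            hits.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return hits


def run_demo():
    """Run both checks over the constructed samples and return the results."""
    kt = parse_keytab_listing(KEYTAB_LISTING)
    princ, vno = parse_getprinc(GETPRINC_OUTPUT)
    return kt, check_keytab(kt, {princ: vno}), gss_failures(SVCGSSD_LOG)


if __name__ == "__main__":
    keytab, report, failures = run_demo()
    for princ, vnos in keytab.items():
        print(f"keytab {princ}: kvno(s) {vnos}")
    for princ, status in report.items():
        print(f"{princ}: {status}")
    for ts, host, pid, reason in failures:
        print(f"{ts} {host} rpc.svcgssd[{pid}]: {reason}")
```

<p>On the constructed input the report marks nfs/server.dar.lan@DAR.LAN as "stale", because the keytab's newest entry for it is vno 2 while the KDC holds vno 3; on a real system the same comparison is made by feeding it the output of klist -k (or ktutil's list) and kadmin.local getprinc for each service principal the NFS server must accept. The log scanner only isolates the failure reason rpc.svcgssd reports, so it pairs with the kvno check rather than replacing it.</p>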
</body>
</html>