[Freeipa-users] Kerberized NFS with Synology NAS

Roberto Cornacchia roberto.cornacchia@gmail.com
Wed Aug 12 11:33:25 UTC 2015


Enabled verbose output for rpc.idmapd as well, and now I see:

nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com'


On 12 August 2015 at 12:28, Roberto Cornacchia <roberto.cornacchia@gmail.com> wrote:

> I have used
>
> RPCGSSDARGS="-vvv"
> RPCSVCGSSDARGS="-vvv"
>
> in /etc/sysconfig/nfs , as suggested in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology).
>
> It still doesn't tell me much, perhaps I'm missing something?
>
>
> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
> rpc.gssd[3328]: process_krb5_upcall: service is '<null>'
> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com@HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com@HQ.SPINQUE.COM'
> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com@HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com@HQ.SPINQUE.COM'
> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com@HQ.SPINQUE.COM'
> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com@HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
> rpc.gssd[3328]: DEBUG: port already set to 2049
> rpc.gssd[3328]: creating context with server nfs@spinque03.hq.spinque.com
> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs@spinque03.hq.spinque.com
> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
> rpc.gssd[3337]: process_krb5_upcall: service is '<null>'
> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
> rpc.gssd[3337]: DEBUG: port already set to 2049
> rpc.gssd[3337]: creating context with server nfs@spinque03.hq.spinque.com
> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs@spinque03.hq.spinque.com
>
>
> On 12 August 2015 at 02:46, Roberto Cornacchia <roberto.cornacchia@gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to use a Synology NAS station in my FreeIPA domain to host
>> automounted home directories (not created automatically for now).
>>
>> I got almost everything working, but I seem to have a problem with
>> kerberized nfs.
>>
>> The NAS logs in the LDAP domain and seems happy with the kerberos
>> principal that I uploaded.
>>
>>
>>
>> * If I use plain nfs4 without krb5
>>
>> - /etc/exports -
>> /volume1/shared_homes
>> 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>
>> then I can mount it and use it (it even works with automount). But only
>> using all_squash. Not useful:
>>
>>
>> * If I use krb5
>>
>> - /etc/exports -
>> /volume1/shared_homes
>> 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>
>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get
>> "nobody" as file owner.
>>
>> This is done from a FC22 client, perfectly enrolled in freeIPA.
>>
>> The client's log contains several such errors:
>>
>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>
>>
>> Any tip to help me understand what the problem is?
>> Roberto
>>
>
>
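As an added illustration (not part of this mail thread and not nfs-utils code), here is a simplified model of the check behind the nss_getpwnam message in the latest reply: rpc.idmapd only turns an NFSv4 owner string of the form user@domain into a local uid when domain matches the Domain setting in the client's /etc/idmapd.conf, and anything else is squashed to nobody. The idmapd.conf text, passwd table and uids are constructed; the log line is the one quoted in the mail.

```python
import re

# Constructed sample input (not the thread's files): the client's /etc/idmapd.conf
# and a local passwd table with made-up uids.
IDMAPD_CONF = """[General]
Domain = hq.spinque.com

[Mapping]
Nobody-User = nobody
"""
PASSWD = {"test1_l": 1005, "roberto": 1001}
NOBODY_UID = 65534

# The nfsidmap line quoted in the mail, used as detection input.
SAMPLE_LOG = ["nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' "
              "does not map into domain 'hq.spinque.com'"]
MISMATCH_RE = re.compile(
    r"nss_getpwnam: name '[^@']+@([^']+)' does not map into domain '([^']+)'")

def idmapd_domain(conf_text):
    """Return the Domain value from the [General] section of idmapd.conf."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "general" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "domain":
                return value.strip()
    return None

def map_owner_to_uid(owner, local_domain, passwd=PASSWD):
    """Simplified nss_getpwnam: 'user@domain' becomes a local uid only when the
    domain equals the client's Domain (case-insensitive) and the user exists;
    otherwise the owner is squashed to nobody, as seen on the mounted files."""
    user, sep, domain = owner.partition("@")
    if not sep or domain.lower() != local_domain.lower():
        return NOBODY_UID, f"name '{owner}' does not map into domain '{local_domain}'"
    uid = passwd.get(user)
    if uid is None:
        return NOBODY_UID, f"user '{user}' unknown locally"
    return uid, None

def find_domain_mismatches(log_lines):
    """Distinct (server-side domain, client Domain) pairs found in the log."""
    return sorted({m.groups() for m in map(MISMATCH_RE.search, log_lines) if m})
```

Running find_domain_mismatches over the client's rpc.idmapd output shows which domain the server is stamping on owners (here "localdomain") versus what the client expects, which is the pair that has to agree on both ends.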