[Freeipa-users] problems with NFS service principal
jcnt at use.startmail.com
Thu Nov 5 16:44:02 UTC 2015
Hello everyone,
I initially followed the FreeIPA NFS documentation for setting up an external standalone NFS server:
ipa host-add mickey.corp.example.org
ipa service-add nfs/mickey.corp.example.org
ipa-getkeytab -s razoul.corp.example.org -p nfs/mickey.corp.example.org -k /tmp/nfs.keytab
I uploaded the keytab to the NFS server and all appeared to work just fine:
mickey> export KRB5_CONFIG=/etc/nfs/krb5.conf
mickey> kinit admin
Password for admin@CORP.EXAMPLE.ORG: XXXXXXX
mickey> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@CORP.EXAMPLE.ORG
Valid starting Expires Service principal
05/16/2015 18:17:00 05/17/2015 18:16:50 krbtgt/CORP.EXAMPLE.ORG@CORP.EXAMPLE.ORG
mickey> kinit -k -t /etc/nfs/krb5.keytab nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
mickey> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
Valid starting Expires Service principal
05/16/2015 23:48:14 05/17/2015 23:48:13 krbtgt/CORP.EXAMPLE.ORG@CORP.EXAMPLE.ORG
mickey>
However, I learned the hard way (NFS stopped working) that ipa-getkeytab issues a ticket with a default timeout of 3 months.
I repeated ipa-getkeytab and got:
mickey> kinit -k -t /etc/nfs/krb5.keytab
kinit: Keytab contains no suitable keys for host/mickey.corp.example.org@CORP.EXAMPLE.ORG while getting initial credentials
mickey> klist -k -t /etc/nfs/krb5.keytab
Keytab name: FILE:/etc/nfs/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
When the client tries to mount:
# mount -vvv -o sec=krb5 mickey:/volume1/homes /mnt
mount.nfs: timeout set for Thu Nov 5 11:41:39 2015
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.26.2,clientaddr=192.168.26.31'
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified
Not much information available...
Any NFS experts out here?
Thanks,
Josh.