[Freeipa-users] problems with NFS service principal

Rob Crittenden rcritten at redhat.com
Thu Nov 5 18:54:10 UTC 2015


jcnt at use.startmail.com wrote:
> Hello everyone,
> 
> I initially followed the FreeIPA NFS documentation for setting up an external stand-alone NFS server
> 
> ipa host-add mickey.corp.example.org
> ipa service-add nfs/mickey.corp.example.org
> ipa-getkeytab -s razoul.corp.example.org -p nfs/mickey.corp.example.org -k /tmp/nfs.keytab
> 
> uploaded the keytab to the NFS server and all appeared to work just fine:
> 
> mickey> export KRB5_CONFIG=/etc/nfs/krb5.conf

Why are you using a custom krb5.conf?

> mickey> kinit admin
> Password for admin@CORP.EXAMPLE.ORG: XXXXXXX
> mickey> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@CORP.EXAMPLE.ORG
> 
> Valid starting       Expires              Service principal
> 05/16/2015 18:17:00  05/17/2015 18:16:50  krbtgt/CORP.EXAMPLE.ORG@CORP.EXAMPLE.ORG
> mickey> kinit -k -t /etc/nfs/krb5.keytab nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
> mickey> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
> 
> Valid starting       Expires              Service principal
> 05/16/2015 23:48:14  05/17/2015 23:48:13  krbtgt/CORP.EXAMPLE.ORG@CORP.EXAMPLE.ORG
> mickey>
> 
> However, I learned the hard way (NFS stopped working) that ipa-getkeytab issues a ticket with a default timeout of 3 months.

Keytabs don't time out. What made you think it has a 3-month validity
period?

> 
> I repeated ipa-getkeytab and got:
> 
> mickey> kinit -k -t /etc/nfs/krb5.keytab
> kinit: Keytab contains no suitable keys for host/mickey.corp.example.org@CORP.EXAMPLE.ORG while getting initial credentials
> mickey> klist -k -t /etc/nfs/krb5.keytab
> Keytab name: FILE:/etc/nfs/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
>   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
>   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
>   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG

You used the right command earlier:

# kinit -k -t /etc/nfs/krb5.keytab nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG

> When the client tries to mount:
> 
> # mount -vvv -o sec=krb5 mickey:/volume1/homes /mnt
> mount.nfs: timeout set for Thu Nov  5 11:41:39 2015
> mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.26.2,clientaddr=192.168.26.31'
> mount.nfs: mount(2): Invalid argument
> mount.nfs: an incorrect mount option was specified
> 
> Not much information available...
> 
> Any NFS experts out here?

The NFS server may have more info.

rob
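The two things this reply points at can be checked offline before touching the NFS server: whether the principal `kinit -k` is about to use is actually in the keytab (without an explicit principal, MIT `kinit -k` defaults to `host/<hostname>@REALM`, which is why the error above names `host/mickey.corp.example.org` while the keytab only holds `nfs/...`), and whether the key version in the keytab still matches the one the KDC issues (each `ipa-getkeytab` run generates a new key with a higher KVNO, so a keytab copied before the last run no longer works). The script below is an added example and not code from the thread or from FreeIPA; it parses constructed `klist -k -t` and `kvno` output modelled on the listing above, and the hostname, realm and keytab path are the ones from the thread.

```python
"""Offline check of `klist -k -t` output: is the principal you are about to kinit
as actually in the keytab, and does its KVNO match what the KDC reports?"""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class KeytabEntry(NamedTuple):
    kvno: int
    timestamp: str
    principal: str


# Constructed sample modelled on the `klist -k -t` listing in the thread; not captured output.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/nfs/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
   5 11/03/2015 10:50:10 nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG
"""

# Constructed sample of what `kvno nfs/mickey.corp.example.org` prints (MIT format),
# pretending the KDC has moved on to key version 6 after another ipa-getkeytab run.
SAMPLE_KVNO_OUTPUT = "nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG: kvno = 6\n"

KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*$")
KVNO_LINE_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_klist(output: str) -> List[KeytabEntry]:
    """Parse the entry lines of `klist -k -t`; header and separator lines are skipped."""
    entries: List[KeytabEntry] = []
    for line in output.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def keytab_kvnos(entries: List[KeytabEntry]) -> Dict[str, Set[int]]:
    """Map each principal in the keytab to the set of key versions stored for it."""
    result: Dict[str, Set[int]] = {}
    for e in entries:
        result.setdefault(e.principal, set()).add(e.kvno)
    return result


def parse_kvno(output: str) -> Dict[str, int]:
    """Parse `kvno` output into principal -> key version the KDC currently issues."""
    found: Dict[str, int] = {}
    for line in output.splitlines():
        m = KVNO_LINE_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def default_principal(hostname: str, realm: str) -> str:
    """What `kinit -k` uses when no principal is given: this machine's host principal."""
    return f"host/{hostname}@{realm}"


def diagnose(klist_output: str, principal: str, keytab_path: str,
             kvno_output: Optional[str] = None) -> dict:
    """Explain why `kinit -k -t <keytab> <principal>` would fail, or confirm it should work."""
    kvnos = keytab_kvnos(parse_klist(klist_output))
    report = {"principal": principal, "present": principal in kvnos,
              "keytab_principals": sorted(kvnos), "kinit": None, "problem": None}
    if not report["present"]:
        # The thread's case: the keytab holds nfs/..., but kinit defaulted to host/... .
        report["problem"] = f"{principal} is not in the keytab"
        if len(kvnos) == 1:
            only = next(iter(kvnos))
            report["kinit"] = f"kinit -k -t {keytab_path} {only}"
        return report
    report["kinit"] = f"kinit -k -t {keytab_path} {principal}"
    if kvno_output is not None:
        kdc = parse_kvno(kvno_output).get(principal)
        if kdc is not None and kdc not in kvnos[principal]:
            # The keytab predates the last ipa-getkeytab; the KDC no longer uses these keys.
            report["problem"] = (f"KDC issues kvno {kdc}, keytab only has "
                                 f"{sorted(kvnos[principal])}; fetch a fresh keytab")
    return report


if __name__ == "__main__":
    host_princ = default_principal("mickey.corp.example.org", "CORP.EXAMPLE.ORG")
    print(diagnose(SAMPLE_KLIST_OUTPUT, host_princ, "/etc/nfs/krb5.keytab"))
    print(diagnose(SAMPLE_KLIST_OUTPUT, "nfs/mickey.corp.example.org@CORP.EXAMPLE.ORG",
                   "/etc/nfs/krb5.keytab", SAMPLE_KVNO_OUTPUT))
```

On a real host the two inputs come from `klist -k -t /etc/nfs/krb5.keytab` and `kvno nfs/<fqdn>` (the latter needs a valid ticket first, e.g. the `kinit admin` shown above). A KVNO mismatch means the keytab on the server is stale relative to the KDC, which is the usual way a service that "used to work" stops authenticating after `ipa-getkeytab` has been run again.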
