[Freeipa-users] krb5 and nfsv4 not working right

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 21 09:45:48 UTC 2016


On Wed, 16 Nov 2016, Bjarne Blichfeldt wrote:
>Try inserting this in /etc/gssproxy/gssproxy.conf:
>cred_store = ccache:FILE:/tmp/krb5cc_%U
>
>
>/etc/gssproxy/gssproxy.conf:
>[service/nfs-client]
>  mechs = krb5
>  cred_store = keytab:/etc/krb5.keytab
>  cred_store = ccache:FILE:/tmp/krb5cc_%U
>  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>  cred_usage = initiate
>  allow_any_uid = yes
>  trusted = yes
>  euid = 0

Correct. There is an issue in the NFS client utilities called by the kernel
to handle credentials via the upcall interface: they cannot yet handle
kernel keyring-based ccaches.

>
>
>Regards,
>Bjarne Blichfeldt
>
>
>-----Original Message-----
>From: Tony Brian Albers [mailto:tba at statsbiblioteket.dk]
>Sent: 15. november 2016 13:18
>To: freeipa-users at redhat.com
>Subject: [Freeipa-users] krb5 and nfsv4 not working right
>
>Hi guys,
>
>I've followed every guide I can find on this subject. What I'm trying to do is to get our home directories, which are shared via NFS from the FreeIPA server, mounted via autofs on the clients.
>
>The client is kact-man-001 and the FreeIPA server is kact-adm-001
>
>/etc/exports:
>
>
>I've done the ipa-client-install and the ipa-client-automount
>
>However, when I log in, my homedir is mounted as expected but what I get in the messages log is:
>
>Nov 15 12:52:25 kact-man-001 gssproxy: gssproxy[770]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
>
>A lot!
>
>/etc/krb5.conf is default from the FreeIPA installation:
>
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
>The autofs setup looks like this:
>
>---------------------------------------------------------
>
>[root at kact-adm-001 log]# ipa automountmap-find
>Location: default
>------------------------
>3 automount maps matched
>------------------------
>   Map: auto.direct
>
>   Map: auto.home
>
>   Map: auto.master
>----------------------------
>Number of entries returned 3
>----------------------------
>[root at kact-adm-001 log]#
>
>
>
>[root at kact-adm-001 log]# ipa automountkey-find
>Location: default
>Map: auto.home
>-----------------------
>1 automount key matched
>-----------------------
>   Key: *
>   Mount information: -fstype=nfs4,rw,sec=krb5,rsize=8192,wsize=8192 kact-adm-001.kact.sblokalnet:/data/home/&
>----------------------------
>Number of entries returned 1
>----------------------------
>[root at kact-adm-001 log]#
>
>---------------------------------------------------------
>
>Now, the BAD thing is, trying to copy a large file to the automounted dir on the client just hangs:
>
>[tba at pc588 images]$ scp NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz tba-sb at kact-man-001.kact.sblokalnet:.
>tba-sb at kact-man-001.kact.sblokalnet's password:
>NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz    100%  281MB  93.6MB/s   00:03
>[hangs]
>
>And my logged in session on the client hangs if I try to do ls in my
>homedir:
>[tba at pc588 ~]$ ssh tba-sb at kact-man-001.kact.sblokalnet
>tba-sb at kact-man-001.kact.sblokalnet's password:
>Last login: Tue Nov 15 13:07:12 2016 from pc588.sb.statsbiblioteket.dk
>-sh-4.2$
>-sh-4.2$
>-sh-4.2$ pwd
>/home/tba-sb
>-sh-4.2$ hostname
>kact-man-001
>-sh-4.2$
>-sh-4.2$ ls
>[hangs]
>
>
>And I see a huge amount of the GSS failures in the messages file on the
>client.
>
>
>Any suggestions?
>
>TIA
>
>
>
>
>-- 
>Best regards,
>
>Tony Albers
>Systems administrator, IT-development
>State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>Tel: +45 2566 2383 / +45 8946 2316
>
>
>

-- 
/ Alexander Bokovoy
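
An added example, not part of this thread and not gssproxy's own code: it lists the ccache locations the quoted nfs-client stanza gives gssproxy for one uid, reports the krb5.conf default ccache type (KEYRING here, the type the reply says the NFS client utilities cannot handle), and checks that a FILE ccache such as the one under /tmp is private to its owner. The function names are hypothetical, the config text is constructed from the lines quoted above, and `%U` is taken to be the numeric uid.

```python
import os, re, stat

# Constructed inputs: the stanza and krb5.conf setting quoted in this thread.
GSSPROXY_CONF = """\
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
"""
KRB5_CONF = "[libdefaults]\n   default_ccache_name = KEYRING:persistent:%{uid}\n"

def cred_stores(conf, service):
    """Return every cred_store value of one service; the key may repeat,
    which is why configparser (one value per key) is not used here."""
    section, found = None, []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == service and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "cred_store":
                found.append(value)
    return found

def gssproxy_ccaches(conf, uid, service="service/nfs-client"):
    """Expand %U (numeric uid) in the service's ccache entries."""
    return [v[len("ccache:"):].replace("%U", str(uid))
            for v in cred_stores(conf, service) if v.startswith("ccache:")]

def krb5_default_ccache(conf, uid):
    """Return (type, residual) of default_ccache_name, or None if unset."""
    m = re.search(r"^\s*default_ccache_name\s*=\s*(\S+)", conf, re.M)
    if not m:
        return None
    ctype, _, residual = m.group(1).replace("%{uid}", str(uid)).partition(":")
    return ctype, residual

def ccache_file_is_private(path, uid):
    """True if a FILE ccache is a regular file owned by uid with no
    group/other permission bits (the check that matters for /tmp)."""
    name = path[len("FILE:"):] if path.startswith("FILE:") else path
    try:
        st = os.lstat(name)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == uid and not st.st_mode & 0o077
```

On a client, read `/etc/gssproxy/gssproxy.conf` and `/etc/krb5.conf` into the two functions in place of the constructed strings, then run `ccache_file_is_private` over each path returned for the logged-in uid.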



