Cannot mount nfsv4 exports

Post by xq10907 » 2017/08/25 03:29:03

Hi guys,
I tried to set up an NFSv4 server and client on CentOS 7.3. Both the server (ark-centos7-ker) and the client (ark-centos-smb4) are joined to the AD domain with the realm command, and AD domain users can log in to the CentOS server.
Running kinit gets Kerberos tickets, but mounting the NFSv4 export from the client fails, see the following:

Code:

[arkadmin@QA.ARKIVIO.COM@ark-centos-smb4 ~]$ sudo mount -t nfs4 -o sec=krb5 ark-centos7-ker.qa.arkivio.com:/export/nfs1 /nfs4-mnt-dir
mount.nfs4: access denied by server while mounting ark-centos7-ker.qa.arkivio.com:/export/nfs1  

Server-side NFSv4 exports setting:

Code:

[root@ark-centos7-ker ~]# exportfs -v
/export/nfs1    <world>(rw,wdelay,no_root_squash,no_subtree_check,sec=sys:krb5:krb5i:krb5p,rw,secure,no_root_squash,no_all_squash)
/export/nfs2    <world>(rw,wdelay,no_root_squash,no_subtree_check,sec=sys:krb5:krb5i:krb5p,rw,secure,no_root_squash,no_all_squash)

Please give some suggestions. I know it's complicated with Kerberos and NFSv4 settings.

Thanks

Post by tunk » 2017/08/25 09:44:07

I assume you have started nfsd?

Post by hunter86_bg » 2017/08/25 18:35:00

Kerberos requires NTP and DNS to be properly configured.
Also check that nfs-secure.service (client) and nfs-secure-server.service and nfs-server.service (server) are working.

Check the SELinux context and content of your keytabs:

Code:

ls -lZ /etc/krb5.keytab && klist -kt /etc/krb5.keytab

Post by xq10907 » 2017/08/28 09:05:32

tunk wrote: I assume you have started nfsd?

Yes, since I could mount the export with the sec=sys option.

Post by xq10907 » 2017/08/28 09:46:54

hunter86_bg wrote: Kerberos requires NTP and DNS to be properly configured.
Also check that nfs-secure.service (client) and nfs-secure-server.service and nfs-server.service (server) are working.

Check the SELinux context and content of your keytabs:

Code:

ls -lZ /etc/krb5.keytab && klist -kt /etc/krb5.keytab

I didn't set up NTP. I set the timezone the same as the domain DC and checked that the time on both the NFSv4 client and server is the same as the domain's.
I tried looking up the FQDN and IP of the domain server; all working.

I noticed nfs-secure-server.service could not come up (both the NFSv4 client and server have the issue). Did I miss some configuration?

Code:

 [root@ark-centos-smb4 etc]# systemctl enable nfs-secure-server
[root@ark-centos-smb4 etc]# systemctl start nfs-secure-server
[root@ark-centos-smb4 etc]# systemctl status nfs-secure-server
● rpc-svcgssd.service - RPC security service for NFS server
   Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Mon 2017-08-28 02:39:37 PDT; 6s ago
           none of the trigger conditions were met

SELinux context (client):

Code:

[root@ark-centos-smb4 etc]# ls -lZ /etc/krb5.keytab && klist -kt /etc/krb5.keytab
-rw-------. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   8 07/29/2017 01:09:46 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 07/29/2017 01:09:46 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 06/28/2017 20:11:43 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   1 08/01/2017 00:36:17 arkadmin@QA.ARKIVIO.COM
   1 08/01/2017 00:37:54 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 01:44:03 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 01:44:03 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   1 08/04/2017 01:44:03 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 01:44:03 arkadmin@QA.ARKIVIO.COM
 123 08/04/2017 01:49:24 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
 123 08/04/2017 01:49:24 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   1 08/04/2017 02:03:31 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:03:31 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:03:31 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:03:31 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   1 08/04/2017 02:03:31 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:03:31 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   8 08/04/2017 02:28:41 ARK-CENTOS-SMB4$@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ARK-CENTOS-SMB4@QA.ARKIVIO.COM
   7 08/04/2017 02:28:41 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM
   1 08/04/2017 02:28:41 arkadmin@QA.ARKIVIO.COM

SELinux context (server):

Code:

[root@ark-centos7-ker ~]# ls -lZ /etc/krb5.keytab && klist -kt /etc/krb5.keytab
-rw-------. root root system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 07/27/2017 01:32:31 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 01:50:22 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   8 08/04/2017 02:02:27 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 ARK-CENTOS7-KER$@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 host/ARK-CENTOS7-KER@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM

The two krb5.keytab files are different. Is that OK?

Post by hunter86_bg » 2017/08/29 04:21:42

I didn't expect such large keytabs.
You have to check why the nfs-secure-server.service fails. Read the service file via

Code:

systemctl cat nfs-secure-server.service

and check what the dependency is.
Then edit /etc/sysconfig/nfs and add "-vvv" to the last 2 entries (rpc...).
By the way, how old is this CentOS?
About the difference in the keytabs - that's acceptable as long as the KVNO number is the same on AD, server and host for the nfs/fqdn@REALM entries.

Did you check if the IPs resolve to their FQDNs?
If this is a very old machine - you have to update it, as RHEL 7.0 (and CentOS respectively) had very nasty bugs.
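
The KVNO comparison described in the post above, as an added example that is not part of the original thread: it compares the newest KVNO of each nfs/ principal in two saved `klist -kt` listings. The function names are hypothetical, the sample listings are abridged from the output posted in this thread, and the KDC-side key version is not checked.

```shell
#!/bin/sh
# Added example (not from the thread): compare the newest KVNO of every nfs/
# principal in two saved `klist -kt /etc/krb5.keytab` listings.

# Sample listings, abridged from the client and server output posted above.
sample_client_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   8 07/29/2017 01:09:46 host/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
 123 08/04/2017 01:49:24 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
 123 08/04/2017 01:49:24 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
EOF
}

sample_server_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   8 07/27/2017 01:32:31 host/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM
   9 08/27/2017 00:43:19 nfs/ark-centos7-ker.qa.arkivio.com@QA.ARKIVIO.COM
EOF
}

# compare_nfs_kvnos CLIENT_LISTING SERVER_LISTING
# Prints one sorted line per nfs/ principal:
#   OK        newest KVNO is identical in both listings
#   MISMATCH  newest KVNO differs
#   MISSING   principal appears in only one listing ("-" marks the gap)
# Returns 0 only when every nfs/ principal is OK.
compare_nfs_kvnos() {
    awk '
        # Data rows start with a numeric KVNO; field 4 is the principal.
        $1 ~ /^[0-9]+$/ && $4 ~ /^nfs\// {
            if (!((side, $4) in max) || $1 + 0 > max[side, $4])
                max[side, $4] = $1 + 0
            seen[$4] = 1
        }
        END {
            rc = 0
            for (p in seen) {
                c = ((1, p) in max) ? max[1, p] : "-"
                s = ((2, p) in max) ? max[2, p] : "-"
                if (c == "-" || s == "-") { v = "MISSING";  rc = 1 }
                else if (c != s)          { v = "MISMATCH"; rc = 1 }
                else                        v = "OK"
                print v, p, "client=" c, "server=" s | "sort"
            }
            close("sort")
            exit rc
        }' side=1 "$1" side=2 "$2"
}

# Run the comparison on the sample listings.
demo() {
    demo_tmp=$(mktemp -d) || return 2
    sample_client_listing > "$demo_tmp/client.txt"
    sample_server_listing > "$demo_tmp/server.txt"
    compare_nfs_kvnos "$demo_tmp/client.txt" "$demo_tmp/server.txt"
    demo_rc=$?
    rm -rf "$demo_tmp"
    return "$demo_rc"
}

demo || echo "nfs/ KVNOs differ between the two listings"
```

On real hosts, save the output of `klist -kt /etc/krb5.keytab` from each machine to a file and pass the two files to `compare_nfs_kvnos`.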

Post by xq10907 » 2017/08/29 06:57:10

hunter86_bg wrote: I didn't expect such large keytabs.
You have to check why the nfs-secure-server.service fails. Read the service file via

Code:

systemctl cat nfs-secure-server.service

and check what the dependency is.
Then edit /etc/sysconfig/nfs and add "-vvv" to the last 2 entries (rpc...).
By the way, how old is this CentOS?
About the difference in the keytabs - that's acceptable as long as the KVNO number is the same on AD, server and host for the nfs/fqdn@REALM entries.

Did you check if the IPs resolve to their FQDNs?
If this is a very old machine - you have to update it, as RHEL 7.0 (and CentOS respectively) had very nasty bugs.

Yes, the keytab files look pretty bad. I added nfs/ark-centos-smb4.qa.arkivio.com and nfs/ark-centos7-ker.qa.arkivio.com to the krb5.keytab file manually... because after joining AD via the realm command there were no such nfs/* principals in either keytab file.
From the klist result, their KVNO number is not the same.

I investigated the disabled nfs-secure-server.service and found that its required service, nfs-config, was down too; manually enabling it didn't work.
/var/log/messages reports some LDAP errors instead.
I did some research and it seems that in CentOS 7.3 nfs-secure-server is not working anymore (it only takes effect in 7.0).

Code:

Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [89544e] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker systemd: Starting Preprocess NFS configuration...
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [89544e] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [1c355c] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [1c355c] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker systemd: Started Preprocess NFS configuration.
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [6e3b11] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [6e3b11] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [035eb3] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
Aug 28 23:44:24 ark-centos7-ker nslcd[995]: [035eb3] <group/member="arkadmin@QA.ARKIVIO.COM"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839

Both forward and backward DNS lookups are working. It's CentOS 7.3.
I used RHEL 7 documents to configure my CentOS since there is no relevant doc specific to CentOS 7 since it was acquired by Red Hat.
Thanks

Post by hunter86_bg » 2017/08/29 15:10:30

The entries in the keytabs reflect what services are allowed in AD.
Better remove the nfs/server_fqdn@REALM and nfs/client_fqdn@REALM (from the AD) and then add them again, and only then export the 2 keytabs.
'ktutil' can help you to merge keytabs, as it might be needed.
I've done NFS with Kerberos on RHEL 7.0 only, but with FreeIPA. There was a major rework on NFS later (7.1+).
CentOS is not a property of Red Hat, but it uses their source after stripping all logos and trademarks.

Post by xq10907 » 2017/08/30 09:51:10

Figured it out: re-joined the domain with the realm command for both client and server:

realm join --user=admin@QA.ARKIVIO.COM --user-principal=nfs/ark-centos-smb4.qa.arkivio.com@QA.ARKIVIO.COM QA.ARKIVIO.COM

It will create the relevant nfs/* credentials for client and server; then mounting the NFSv4 exports with the sec=krb5 option succeeded.

Thanks for the patient explanation!

Post by hunter86_bg » 2017/08/31 03:54:41

Have you modified the AD?
