I've been struggling for a few days now with mounting an NFS4 share from a CentOS 7 workstation. For this thread, let's say the client is at nfsclient.domain, and the server (running CentOS 6) is at nfsserver.domain. nfsserver.domain is also the primary Kerberos server for this network, and Kerberos has been working between these two machines for over a year now with no issues.
I have been trying to mount the NFS share using the following command:
# mount -t nfs4 -o sec=krb5p nfsserver.domain:/ /mnt/nfs
mount.nfs4: access denied by server while mounting nfsserver.domain:/
# showmount -e nfsserver.domain
Export list for nfsserver.domain:
/export/home *
/export *
Going down the list of possible Kerberos issues, I've ensured:
- The keytab on nfsserver.domain holds keys for nfs/nfsserver.domain and host/nfsserver.domain.
- The keytab on nfsclient.domain holds keys for nfs/nfsclient.domain and host/nfsclient.domain.
- nfsclient.domain can obtain keys from the KDC on nfsserver.domain.
- nfsclient.domain and nfsserver.domain resolve to the correct IP addresses.
- NTP is set up correctly on both machines.
Just to make sure this wasn't a weird firewall thing, I flushed all of the iptables chains. Same error message. Again, NFS and Kerberos work fine independently with my current firewall configuration.
Finally, I've tried to track down the problem by looking in the system logs. Right after trying to mount the share on nfsclient.domain, this shows up in /var/log/messages:
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 18:27:13 nfsclient gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Here is my /etc/gssproxy/gssproxy.conf:
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
Thanks for any help!
EDIT: Figured it out. I pointed gss-proxy to /tmp for its credentials caches, which made it start talking to the server (but still with an access denied message). Then I had to set SECURE_NFS=yes in /etc/sysconfig/nfs on the server so that rpc.svcgssd would start (apparently this was the real problem - the client couldn't authenticate via the GSS protocol because the server GSS daemon wasn't starting).
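As an added example (not part of the original post, and not CentOS or gssproxy code), here is a small POSIX shell script that turns the checklist above, together with the SECURE_NFS finding from the edit, into repeatable checks. The keytab listing and the two /etc/sysconfig/nfs fragments are constructed samples; the principal names and file paths come from the post, and the 300-second limit is the MIT Kerberos default clockskew. The live `server_preflight` function is an assumption about how one would wire the checks up on the CentOS 6 server and is not run automatically.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a
# sec=krb5* NFSv4 mount. Each check takes its input as text so it can run
# here against constructed samples and, on a real host, against
# `klist -kt /etc/krb5.keytab` and /etc/sysconfig/nfs.

# has_principal KLIST_OUTPUT PRINCIPAL
#   Returns 0 if the `klist -kt` listing holds a key for PRINCIPAL
#   (e.g. nfs/nfsserver.domain), whatever the realm or kvno.
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF ~ ("^" p "@") { found = 1 }
        END { exit !found }'
}

# secure_nfs_enabled SYSCONFIG_NFS_TEXT
#   Returns 0 if SECURE_NFS=yes is present and not commented out.
#   Without it the CentOS 6 nfs init script does not start rpc.svcgssd,
#   which is why every krb5 mount failed with "access denied by server".
secure_nfs_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$'
}

# clock_ok CLIENT_EPOCH SERVER_EPOCH
#   Returns 0 if the two clocks are within the default Kerberos
#   clockskew of 300 s (the reason NTP is on the checklist).
clock_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - $d ))
    [ "$d" -le 300 ]
}

# Constructed sample inputs (not real output from the poster's machines).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   2 06/22/15 18:00:00 host/nfsserver.domain@DOMAIN
   2 06/22/15 18:00:00 nfs/nfsserver.domain@DOMAIN'

# CentOS 6 ships SECURE_NFS commented out (assumed default, shown here as
# a constructed fragment); the second fragment is the corrected form.
SAMPLE_NFS_DEFAULT='# Set to turn on Secure NFS mounts.
#SECURE_NFS="yes"'
SAMPLE_NFS_FIXED='SECURE_NFS="yes"'

# server_preflight PRINCIPAL...
#   Live version (assumed wiring, not run here): execute as root on the
#   CentOS 6 NFS server. Prints one line per failed check and returns
#   non-zero if anything failed.
server_preflight() {
    rc=0
    kt=$(klist -kt /etc/krb5.keytab)
    for p in "$@"; do
        has_principal "$kt" "$p" \
            || { echo "missing key for $p in /etc/krb5.keytab"; rc=1; }
    done
    secure_nfs_enabled "$(cat /etc/sysconfig/nfs)" \
        || { echo "SECURE_NFS=yes not set in /etc/sysconfig/nfs; rpc.svcgssd will not start"; rc=1; }
    return $rc
}

# Demonstration on the constructed samples (no network or root needed).
if has_principal "$SAMPLE_KLIST" nfs/nfsserver.domain; then
    echo "server keytab: nfs/nfsserver.domain present"
fi
if ! has_principal "$SAMPLE_KLIST" nfs/nfsclient.domain; then
    echo "server keytab: no nfs/nfsclient.domain key (expected on the server)"
fi
if ! secure_nfs_enabled "$SAMPLE_NFS_DEFAULT"; then
    echo "default sysconfig: SECURE_NFS commented out, rpc.svcgssd would not start"
fi
if secure_nfs_enabled "$SAMPLE_NFS_FIXED"; then
    echo "fixed sysconfig: SECURE_NFS enabled"
fi
if clock_ok 1434997633 1434997650; then
    echo "clock skew within 300 s"
fi
```

On the real server, `server_preflight nfs/nfsserver.domain host/nfsserver.domain` checks both keytab entries and the SECURE_NFS line in one go; the `has_principal` check is equally useful on the client against its own /etc/krb5.keytab.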