I'm struggling to make NFSv4 work with Kerberos, and I'm seeing some behaviour I don't understand.
I have two CentOS 7.5 servers: an NFS/DNS/Kerberos server (nfs01.nfs.com) and an NFS client (nfs02.nfs.com), but I'm unable to make it work correctly. Depending on where the credential cache (ccache) is stored, the mount either succeeds or fails.
- If the ccache resides in the kernel keyring (KEYRING:persistent), I can mount the shares correctly.
- If the ccache resides in /var/lib/gssproxy/clients/{UID}, I can mount the shares.
- If the ccache resides in /tmp, I can't mount the shares ("Matching credential not found (filename: /tmp/krb5cc_0)").
[root@nfs01 ~]# cat /etc/exports
/exports *(rw,root_squash,fsid=0,no_subtree_check,sync,sec=krb5)
/exports/prueba01 *(rw,sync,root_squash,insecure,nohide,no_subtree_check,anonuid=65000,anongid=65000,sec=krb5)
/exports/prueba02 *(rw,sync,root_squash,insecure,nohide,no_subtree_check,anonuid=65000,anongid=65000,sec=krb5)
[root@nfs01 ~]# ls -la /exports/
total 0
drwxr-xr-x. 4 root root 38 jul 25 10:27 .
dr-xr-xr-x. 19 root root 252 jul 25 10:26 ..
drwxr-xr-x. 2 root root 6 jul 25 10:27 prueba01
drwxr-x---. 2 paco paco 6 jul 25 10:27 prueba02
[root@nfs02 ~]# showmount -e nfs01.nfs.com
Export list for nfs01.nfs.com:
/exports/prueba02 *
/exports/prueba01 *
/exports *
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = NFS.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NFS.COM = {
kdc = nfs01.nfs.com
admin_server = nfs01.nfs.com
default_domain = nfs.com
}
[domain_realm]
.nfs.com = NFS.COM
nfs.com = NFS.COM
- default_ccache_name = FILE:/var/lib/gssproxy/clients/%{uid}/krb5cc_%{uid}
- default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:KEYRING:persistent:%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
- cred_store = client_keytab:/var/lib/gssproxy/clients/%U/%U.keytab
- cred_store = ccache:FILE:/tmp/krb5cc_%U
[root@nfs02 ~]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:20 nfs/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
4 30/07/18 13:26:21 host/nfs02.nfs.com@NFS.COM
Neither of them has iptables or SELinux enabled (to rule out errors they might cause while troubleshooting). DNS resolution works correctly (I tested it) and there are no connectivity problems (both are VMs on my laptop).
[root@nfs02 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@nfs02 ~]# rpm -qa | grep release
centos-release-7-5.1804.1.el7.centos.x86_64
[root@nfs02 ~]# getenforce
Disabled
[root@nfs02 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@nfs02 ~]# rpm -qa | grep nfs
libnfsidmap-0.25-19.el7.x86_64
nfs-utils-1.3.0-0.54.el7.x86_64
[root@nfs02 ~]# rpm -qa | grep gss
gssproxy-0.7.0-17.el7.x86_64
Could someone please help me understand how this works? Thank you very much!