NFS4 mount with kerberos and automount

pinkunicorn
Posts: 11
Joined: 2010/05/18 14:30:35

NFS4 mount with kerberos and automount

Post by pinkunicorn » 2010/10/15 13:31:29

I have an nfs server running Solaris. It works fine and a large number of clients happily mount directories from it. But only almost all clients.

All clients that have the problem run CentOS (5.4 and 5.5). I've found one or two of each version that fail, but also a couple of each version that work.

The mounting is done via autofs but that doesn't seem to make any difference. Kerberos is used for authentication.

When I try to mount a directory manually I get this:
[code]
# mount -vvvv -t nfs4 -o sec=krb5 triangulum.ifm.liu.se:/export/users/hans /mnt
mount: pinging: prog 100003 vers 4 prot tcp port 2049
mount.nfs4: Permission denied
[/code]

I get this in /var/log/messages:
[code]
Oct 15 15:15:12 pc13287 rpc.gssd[2780]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) Unknown code krb5 60
Oct 15 15:15:12 pc13287 rpc.gssd[2780]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server triangulum.ifm.liu.se
[/code]

This particular machine runs CentOS 5.5 current as of a couple of hours ago.

If I run the same command on one of the machines where mounting works I get the first line of output ("pinging") and nothing more. On the other hand I get a mounted directory.

I can't find any relevant differences in configuration. I've gone through at least these files on a working and a non-working machine:
[code]
/etc/sysconfig/nfs
/etc/hosts
/etc/idmapd.conf
/etc/krb5.conf
/etc/host.conf
/etc/nsswitch.conf
/etc/resolv.conf
[/code]

SELinux is not running.

[code]
# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
3 nfs/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
[/code]

Obviously, I need to check something else, but what? Please help!

pinkunicorn
Posts: 11
Joined: 2010/05/18 14:30:35

Re: NFS4 mount with kerberos and automount

Post by pinkunicorn » 2010/10/15 14:15:42

I just noted that the working clients had keytabs that looked like this:
[code]
kadmin: [root@pc14079 etc]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/pc14079.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
4 nfs/pc14079.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with CRC-32)
[/code]

(CRC-32 instead of RSA-MD5 on the nfs principal)

I've changed that on a non-working client, but it makes no difference.
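
The keytab comparison made across the two posts above, as an added example that is not part of the original thread: it reduces each `klist -k -e` listing to service, realm and enctype, then prints the entries that appear in only one keytab. The function names are hypothetical, and the sample input is constructed from the two listings quoted above, with the separator line shortened.

```shell
#!/bin/sh
# Constructed input: the two `klist -k -e` listings quoted in the posts above
# (separator line shortened, pasted prompt line kept to show it is ignored).
failing='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------
3 host/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
3 nfs/pc13287.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)'
working='kadmin: [root@pc14079 etc]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------
5 host/pc14079.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with RSA-MD5)
4 nfs/pc14079.ad.ifm.liu.se@IFM.LIU.SE (DES cbc mode with CRC-32)'

# normalize_keytab LABEL (hypothetical helper): read a listing on stdin and
# print "LABEL<TAB>service@REALM<TAB>enctype" once per distinct key entry.
# Hostname and KVNO are dropped because they legitimately differ per host.
normalize_keytab() {
    awk -v label="$1" '
        $1 ~ /^[0-9]+$/ && index($2, "/") && index($2, "@") {
            split($2, p, "[/@]")          # p[1]=service p[2]=host p[3]=realm
            enc = $0
            sub(/^[^(]*\(/, "", enc)      # keep only the text inside (...)
            sub(/\)[^)]*$/, "", enc)
            key = p[1] "@" p[3] "\t" enc
            if (!seen[key]++) print label "\t" key
        }'
}

# keytab_diff WORKING FAILING: print entries present in only one listing.
keytab_diff() {
    { printf '%s\n' "$1" | normalize_keytab working
      printf '%s\n' "$2" | normalize_keytab failing; } |
    awk -F'\t' '
        { side[$2 FS $3] = side[$2 FS $3] $1 " " }
        END { for (k in side) if (side[k] != "working failing ")
                  print "only in " side[k] "keytab:\t" k }' | LC_ALL=C sort
}

keytab_diff "$working" "$failing"
```

On real hosts, pass the saved output of `klist -k -e` from each machine as the two arguments.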

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

NFS4 mount with kerberos and automount

Post by pschaff » 2010/10/21 13:56:06

This seems to be the same issue as your later [url=https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=28534&forum=38]topic[/url]. Please avoid dual-posting. As that thread is active I am locking this one.
