fedora-users October 2011 archive

NFS + Kerberos can't mount

From: <fernando_at_nospam>
Date: Thu Oct 06 2011 - 21:11:28 GMT
To: "Community support for Fedora users" <users@lists.fedoraproject.org>

Hi there,

Here I am again with a problem mounting a remote NFS share using NFS. The
server is Debian but the client is Fedora 15. It used to work using Fedora
14 but after a F15 fresh install I can't mount the remote share. My F15 box
has all updates so far.

I do have connectivity to the kerberos server because kinit my_principal
works fine:

[teste@lgx200 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: my_principal@USERS

Valid starting Expires Service principal
10/06/11 16:23:35 10/07/11 16:23:12 krbtgt/USERS@USERS
    renew until 10/13/11 16:23:12

The host certificate (/etc/krb5.keytab) also looks fine:

[teste@lgx200 ~]$ klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br@USERS

[teste@lgx200 ~]$ klist -k -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lgx200.example.com.br@USERS (des-cbc-crc)

I start rpcgssd (with -vvv) and rpcidmapd

[root@lgx200 ~]# ps ax | grep rpc
 1066 ? S< 0:00 [rpciod]
 2878 ? Ss 0:00 rpc.idmapd
 3747 ? Ss 0:00 rpc.gssd -v -v -v
 3847 pts/0 S+ 0:00 grep --color=auto rpc

but when I try to mount:

mount -t nfs -o sec=krb5 192.168.0.3:/FILES /media/FILES
mount.nfs: access denied by server while mounting 192.168.0.3:/FILES

/var/log/messages shows:

Oct 6 17:56:16 lgx200 rpc.gssd[3747]: beginning poll
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c4fc data 0xbfe6c57c
Oct 6 17:57:12 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6c3ec data 0xbfe6c46c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6faec data 0xbfe6fb6c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: process_krb5_upcall: service is ''
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: Full hostname for 'filesystem.example.com.br' is 'filesystem.example.com.br'
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: No credentials found for connection to server filesystem.4linux.com.br
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: doing error downcall
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: dir_notify_handler: sig 37 si 0xbfe6fbac data 0xbfe6fc2c
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt9
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8

It looks like F15 doesn't like the keytab file that used to work on the
same machine using F14.

/etc/sysconfig/nfs has:

SECURE_NFS="yes"

And /etc/krb5.conf has:

[libdefaults]
 default_realm = USERS
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

As I said it used to work and I could not find a clue about what to change
on Google.

[]s, Fernando Lozano

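Added example, not part of the original message: a small triage helper that correlates the verbose rpc.gssd lines with the `klist -k -e` listing and reports what that output itself shows (the hostname lookup that failed, the encryption type of each keytab key, and the keytab rejection). The function names are hypothetical, the sample input is copied and trimmed from the message above, and the enctype numbers are the standard Kerberos assignments.

```python
import re

# Kerberos enctype numbers as they appear in the rpc.gssd upcall line.
ENCTYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
            16: "des3-cbc-sha1", 23: "arcfour-hmac",
            3: "des-cbc-md5", 1: "des-cbc-crc", 2: "des-cbc-md4"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Sample input copied from the message above, trimmed to the relevant lines.
GSSD_LOG = """\
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: Name or service not known while getting full hostname for 'lgx200.example.com.br'
Oct 6 17:57:21 lgx200 rpc.gssd[3747]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host filesystem.4linux.com.br
"""
KLIST_KE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------
   2 nfs/lgx200.example.com.br@USERS (des-cbc-crc)
"""

def keytab_entries(klist_output):
    """Return (principal, enctype) pairs from `klist -k -e` output."""
    return re.findall(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)", klist_output, re.M)

def triage(log, klist_output):
    """Return findings that correlate rpc.gssd errors with the keytab."""
    findings = []
    pattern = r"Name or service not known while getting full hostname for '([^']+)'"
    for host in re.findall(pattern, log):
        findings.append(f"unresolvable hostname: {host}")
    m = re.search(r"enctypes=([\d,]+)", log)
    offered = {ENCTYPES.get(int(n), n) for n in m.group(1).split(",")} if m else set()
    for principal, etype in keytab_entries(klist_output):
        if offered and etype not in offered:
            findings.append(f"{principal}: {etype} not offered in upcall")
        if etype in SINGLE_DES:
            findings.append(f"{principal}: single-DES key only ({etype})")
    if "no usable keytab entry found" in log:
        findings.append("rpc.gssd rejected every keytab entry")
    return findings

if __name__ == "__main__":
    for finding in triage(GSSD_LOG, KLIST_KE):
        print(finding)
```
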