12-02-2009, 05:24 PM
Dan Burkland

Kerberos + NFSv4 difficulties

Hey All,

I recently have been trying to set up an NFSv4 share that utilizes Kerberos. My experience in general with NFS is very slim; however, I feel like I am very close to getting this project completed. Currently I have the following things in place:

1) NFS server nfs.example.net (VM#2) - Running CentOS 5.4 with all of the latest updates and NFS-related packages

2) Kerberos KDC running on Kerberos.example.net (VM#1) - Running CentOS 5.4 with all of the latest updates

3) NFS client nfs-client.example.net (VM#3) - Running CentOS 5.4 with all of the latest updates

Before I give you the error message I receive when I enable NFS, I'll first describe my setup process.

1) Verified Kerberos works on all machines by attempting a kinit testuser which worked properly.

2) Verified that the clocks on all machines represent the same time (synced using a local NTP server)

3) Created a service principal for nfs.example.net by performing the following commands on the nfs.example.net machine: - (Performed on NFS server)

   a. kadmin (Logged in as an admin principal)
   b. addprinc -randkey nfs/nfs.example.net
   c. ktadd -e des-cbc-crc:normal nfs/nfs.example.net
   d. quit
   e. kinit nfs/nfs.example.net -k -t /etc/krb5.keytab
   f. klist to verify

4) Edited /etc/idmapd.conf with the following changes: - (Performed on NFS server)

   a. changed Nobody-{User,Group} to nfsnobody
   b. changed Domain to nfs.example.net

5) mkdir /nfs/ - (Performed on NFS server)

6) Added the following to /etc/exports - (Performed on NFS server)

   a. /nfs gss/krb5p(rw,sync,fsid=0)

7) exportfs -rv - (Performed on NFS server)

8) Verified all relevant nfs services were stopped - (Performed on NFS server)

9) Uncommented and made the following changes to /etc/sysconfig/nfs - (Performed on NFS server)

   a. MOUNTD_NFS_V1="no"
   b. MOUNTD_NFS_V2="no"
   c. RPCNFSDARGS="-N 2 -N 3 -U"
   d. SECURE_NFS = "yes"

10) /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs start - (Performed on NFS server)

11) And I receive the following output when the nfs service starts:

   a. Starting RPC svcgssd: FAILED
   b. Starting NFS Services: OK
   c. Starting NFS quotas: OK
   d. Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
   e. NFSD: starting 90-second grace period
   f. Starting NFS mountd: OK

12) I then checked /var/log/messages to find the following log entries:

   a. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name
   b. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials for 'nfs'
   c. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) credentials
   d. Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

I seem to be stuck at this point and would appreciate your insight.

Thank you,

Dan

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
12-03-2009, 10:37 AM
Miguel Di Ciurcio Filho

Kerberos + NFSv4 difficulties

Dan Burkland wrote:
>
> d. SECURE_NFS = “yes”
>

Uncomment these lines for much more verbose logging in
/etc/sysconfig/nfs:

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

>
> a. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in
> gss_acquire_cred(): Unspecified GSS failure. Minor code may provide
> more information - No principal in keytab matches desired name
>
> b. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain
> credentials for 'nfs'
>
> c. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root
> (machine) credentials
>
> d. Dec 2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab
> entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
>

Double check your /etc/krb5.keytab. On the server it must have the
nfs/server.exemple.net key and on the client it must have
nfs/client.exemple.net.


In idmapd.conf, leave it as the default:
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

Believe me, I've tried to understand[1] why Domain must be "localdomain"
but I've not been lucky.

Regards,

Miguel

[1] http://linux-nfs.org/pipermail/nfsv4/2009-September/011369.html
 
12-03-2009, 04:43 PM
Dan Burkland

Kerberos + NFSv4 difficulties


I made the requested changes and when I start the nfs services (/etc/init.d/nfs start) I get the same error messages. I made sure that I have used kinit nfs/nfs.example.net -k -t /etc/krb5.keytab and verified that the principal was loaded by using klist. I have disabled SELINUX & iptables to make sure that neither is interfering with this. Thanks again for the help!

Dan Burkland
NMDP Helpdesk Technician
3001 Broadway Street N. E. Suite 100, Minneapolis, MN 55413-1753

Phone (612) 362-3411 Toll Free: (800) 526-7809 Ext. 8123
 
12-03-2009, 07:36 PM
Dan Burkland

Kerberos + NFSv4 difficulties


I finally figured out what the heck was causing the problem; it was the following line in my /etc/hosts file:

127.0.0.1 localhost localhost.localdomain nfs.example.net nfs

Once I removed the "nfs.example.net" & "nfs" entries the rpc.svcgssd service started fine.

Regards,

Dan
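
A check covering both points this thread turned on, Miguel's keytab advice and the /etc/hosts line Dan found, written as an added example that is not from the thread: it takes the canonical name hosts(5) gives for the server's FQDN and looks for nfs/<that name> in saved `klist -k` output. It assumes the daemon builds its service name from the canonicalised hostname, which the thread does not state; the function names, the 192.0.2.10 address and the EXAMPLE.NET realm are constructed.

```shell
#!/bin/sh
# Added example: constructed sample data, not files from the thread.

# hosts_canonical FILE NAME
# Print the canonical name (first name after the address) of the first
# hosts(5) line that lists NAME; a lookup of any alias returns that name.
hosts_canonical() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $2; exit } }
    ' "$1"
}

# keytab_has KLIST_FILE SERVICE
# Succeed if saved `klist -k` output lists SERVICE@<any realm>.
keytab_has() {
    awk -v p="$2@" 'index($2, p) == 1 { found = 1 } END { exit !found }' "$1"
}

# check_host HOSTS_FILE FQDN KLIST_FILE
# Report whether the nfs/<canonical name> service has a keytab entry.
check_host() {
    canon=$(hosts_canonical "$1" "$2")
    svc="nfs/${canon:-$2}"      # no hosts entry: assume DNS returns the FQDN
    if keytab_has "$3" "$svc"; then echo "OK $svc"; else echo "MISMATCH $svc"; fi
}

tmp=$(mktemp -d)
# The /etc/hosts line from the thread, then a corrected layout
# (192.0.2.10 is a constructed documentation address).
echo '127.0.0.1 localhost localhost.localdomain nfs.example.net nfs' > "$tmp/hosts.bad"
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1 localhost localhost.localdomain
192.0.2.10 nfs.example.net nfs
EOF
# Constructed `klist -k /etc/krb5.keytab` output; the realm is a placeholder.
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 nfs/nfs.example.net@EXAMPLE.NET
EOF

check_host "$tmp/hosts.bad"  nfs.example.net "$tmp/klist.txt"
check_host "$tmp/hosts.good" nfs.example.net "$tmp/klist.txt"
```

On a live server the same functions can be pointed at /etc/hosts and at the output of `klist -k /etc/krb5.keytab` saved to a file.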