04-07-2011, 04:24 PM
fernando@lozano.eti.br

nsfs4 client with kerberos

Hi there,

I need to use OpenVPN to get to the company LAN and mount a NFS share. We use NFS to secure access to NFS. I can connect to the VPN and access web and ssh servers. Kinit to my own principal works fine. But root cannot get a valid kerberos ticket to mount NFS shares. I already tried doing the same on the local net (no VPN involved) with same results, and tried disabling SELinux and flushing iptables rules to no effect.

Another notebook works fine and it looks to me both have the same settings, except one has F13 (the one that works) and the other has F14 (the one that doesn't).

I added -v -v to rpcgssd and the logs show that:

Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
Apr  7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is '<null>'
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/lg.example.com@USERS' using keytab 'WRFILE:/etc/krb5.keytab'
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for connection to server filesystem.example.com
Apr  7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall

[all output was edited to change my employer's DNS domain name to example.com]

But the correct ticket (certificate?) is on the keytab, as shown by klist:

[root@lg etc]# hostname
lg

[root@lg etc]# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS

Any idea why one notebook can mount and authenticate root/the computer itself using kerberos, but the other, older Fedora can't, using the same configs?

I already tried moving the certificate from one computer to the other (and of course changing the hostname) and requesting a new certificate from the company sysadmin. Same results. I guess it should be something local to the netbook, like name resolution, but all network settings are the same for both notebooks. One works, the other doesn't, whatever keytab I use.


[]s, Fernando Lozano

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
04-07-2011, 04:39 PM
Joe Zeff

nsfs4 client with kerberos

On 04/07/2011 09:24 AM, fernando@lozano.eti.br wrote:
> and tried disabling SELinux and flusing iptables rules to no effect.

What made you think SELinux was at fault? Did it report problems? Try
turning it back on and making sure it's set to notify you of any issues,
then try again. If you don't get any SELinux alerts, it's not involved.
 
04-07-2011, 07:27 PM
Nalin Dahyabhai

nsfs4 client with kerberos

On Thu, Apr 07, 2011 at 01:24:18PM -0300, fernando@lozano.eti.br wrote:
> Hi there,
> I need to use OpenVPN to get to the company LAN and mount a NFS share.
> We use NFS to secure access to NFS. I can connect to the VPN and access
> web and ssh servers. Kinit to my own principal works fine. But root
> cannot get a valid kerberos ticket to mount NFS shares. I already tried
> doing the same on the local net (no VPN involved) with same results,
> and tried disabling SELinux and flushing iptables rules to no effect.
> Another notebook works fine and it looks to me both have the same
> settings, except one has F13 (the one that works) and the other has F14
> (the one that doesn't).
> I added -v -v to rpcgssd and the logs show that:
> Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handle_gssd_upcall: 'mech=krb5
> uid=0 enctypes=18,17,16,23,3,1,2 '
> Apr  7 09:36:29 lgx200 rpc.gssd[2947]: handling krb5 upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
> Apr  7 09:36:29 lgx200 rpc.gssd[2947]: process_krb5_upcall: service is
> '<null>'
> Apr  7 09:36:40 lgx200 rpc.gssd[2947]: WARNING: Key table entry not
> found while getting initial ticket for principal
> 'nfs/lg.example.com@USERS' using keytab 'WRFILE:/etc/krb5.keytab'
> Apr  7 09:36:40 lgx200 rpc.gssd[2947]: ERROR: No credentials found for
> connection to server filesystem.example.com
> Apr  7 09:36:40 lgx200 rpc.gssd[2947]: doing error downcall
> [all output was edited to change my employer's DNS domain name to
> example.com]
> But the correct ticket (certificate?) is on the keytab, as shown by
> klist:
> [root@lg etc]# hostname
> lg
> [root@lg etc]# klist -k
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 nfs/lg.example.com@USERS
> Any idea why one notebook can mount and authenticate root/the computer
> itself using kerberos, but the other, older Fedora can't, using the
> same configs?

Use "klist -k -e" to check the type of key you have. If it's DES, and
you don't have "allow_weak_crypto" enabled in the [libdefaults] section
of your /etc/krb5.conf, the key will be skipped over.

This is something that changed between the versions included in F13 and
F14, so from what I can tell, it fits.

HTH,

Nalin
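The check Nalin describes, worked through as an added example that is not part of the thread. Everything below is constructed: the `klist -k -e` output imitates the keytab listing on this page with the enctype column that `-e` adds, and the two `/etc/krb5.conf` fragments stand for an F14 default (weak crypto off) and the thread's workaround. The principal and realm (`nfs/lg.example.com@USERS`) are the ones from the post; the KDC hostname is invented. The script classifies a client the way libkrb5 would: a keytab whose only keys are single-DES is skipped entirely unless `allow_weak_crypto` is on, which is exactly what produces the "Key table entry not found" line in the log. For reference, the `enctypes=18,17,16,23,3,1,2` field in the upcall is the kernel's list of acceptable enctype numbers: 18 and 17 are AES-256 and AES-128, 16 is triple-DES, 23 is RC4-HMAC, and 3, 1 and 2 are the single-DES types.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce Nalin's check
# (klist -k -e plus allow_weak_crypto) on constructed input so it runs offline.

# Constructed `klist -k -e` output for a keytab that holds only DES keys,
# the situation the thread ends up diagnosing.
KLIST_DES='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/lg.example.com@USERS (des-cbc-crc)
   2 nfs/lg.example.com@USERS (des-cbc-md5)'

# Constructed output for the same principal after the keytab was re-issued
# with AES keys (KVNO bumped by the re-key).
KLIST_AES='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/lg.example.com@USERS (aes256-cts-hmac-sha1-96)
   3 nfs/lg.example.com@USERS (aes128-cts-hmac-sha1-96)
   3 nfs/lg.example.com@USERS (des-cbc-md5)'

# Constructed krb5.conf fragments (kdc.example.com is invented).
KRB5CONF_DEFAULT='[libdefaults]
 default_realm = USERS
 dns_lookup_kdc = true

[realms]
 USERS = {
  kdc = kdc.example.com
 }'

KRB5CONF_WEAK='[libdefaults]
 default_realm = USERS
 allow_weak_crypto = true

[realms]
 USERS = {
  kdc = kdc.example.com
 }'

# Enctypes MIT Kerberos treats as weak (ignored unless allow_weak_crypto).
is_weak_enctype() {
  case "$1" in
    des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des-hmac-sha1|des3-cbc-raw) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the enctypes klist -k -e lists for a principal, one per line.
# $1 = klist output, $2 = principal
enctypes_for_principal() {
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# Succeed when the principal has keys but none in a strong enctype,
# i.e. every entry would be skipped by a libkrb5 with weak crypto off.
# $1 = klist output, $2 = principal
only_weak_keys() {
  any=0; strong=0
  for e in $(enctypes_for_principal "$1" "$2"); do
    any=1
    is_weak_enctype "$e" || strong=1
  done
  [ "$any" -eq 1 ] && [ "$strong" -eq 0 ]
}

# Succeed when the [libdefaults] section sets allow_weak_crypto on.
# Tracks sections so the same key in another section does not count.
# $1 = krb5.conf contents
weak_crypto_allowed() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
    { sub(/=/, " ") }
    insec && $1 == "allow_weak_crypto" && $2 ~ /^(true|yes|1)$/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Verdict for one client: why would rpc.gssd report
# "Key table entry not found" for this principal?
# $1 = klist output, $2 = krb5.conf contents, $3 = principal
diagnose() {
  if only_weak_keys "$1" "$3"; then
    if weak_crypto_allowed "$2"; then
      echo weak-keys-allowed      # mounts, but on a 56-bit cipher
    else
      echo weak-keys-skipped      # the F14 symptom from the thread
    fi
  else
    echo strong-key-present       # the durable fix: AES keys in the keytab
  fi
}

diagnose "$KLIST_DES" "$KRB5CONF_DEFAULT" nfs/lg.example.com@USERS
diagnose "$KLIST_DES" "$KRB5CONF_WEAK"    nfs/lg.example.com@USERS
diagnose "$KLIST_AES" "$KRB5CONF_DEFAULT" nfs/lg.example.com@USERS
```

On a real client the same two inputs come from `klist -k -e /etc/krb5.keytab` and `/etc/krb5.conf`, and `kinit -k -t /etc/krb5.keytab nfs/lg.example.com@USERS` reproduces the keytab-based initial ticket request that rpc.gssd makes, so it fails with the same cause. `allow_weak_crypto = true` makes the mount work, which is what the thread settles on, but it is a client-wide switch that re-enables single-DES for every service that host talks to; the better outcome is to ask the KDC admin for a keytab issued with AES enctypes (the `KLIST_AES` case above), after which the setting is not needed.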
 
04-08-2011, 04:05 AM
fernando@lozano.eti.br

nsfs4 client with kerberos

Hi Joe,

Everywhere on the net it's said to turn off SELinux in case of problems... so I was making sure nobody was going to ask that. I actually used 'setenforce 0' to confirm it was not the cause.

Nalin's hint on allow_weak_crypto solved this issue, thanks a lot.


[]s, Fernando Lozano


>---- Original Message ----
>From: Joe Zeff <joe@zeff.us>
>To: "Community support for Fedora users" <users@lists.fedoraproject.org>
>Sent: Thu, Apr 7, 2011, 13:40
>Subject: Re: nsfs4 client with kerberos
>
>On 04/07/2011 09:24 AM, fernando@lozano.eti.br wrote:
>> and tried disabling SELinux and flusing iptables rules to no effect.
>
>What made you think SELinux was at fault? Did it report problems? Try
>turning it back on and making sure it's set to notify you of any issues,
>then try again. If you don't get any SELinux alerts, it's not involved.

 
04-08-2011, 06:43 AM
Joe Zeff

nsfs4 client with kerberos

On 04/07/2011 09:05 PM, fernando@lozano.eti.br wrote:
> Everywhere on the net it's said to turn off SELinux in case of problems... so I was making sure nobody was going to ask that. I actually used 'setenforce 0' to confirm it was not the cause.

Consider this: unless you've explicitly told SELinux not to tell you
when there are problems, the trouble-shooter pops up if there's either a
denial or a situation that would have caused a denial if the program
weren't running in permissive mode. If you've not turned that off, and
you're not getting alerts, SELinux isn't an issue. If you're getting
alerts, the trouble-shooter will generally tell you how to correct
whatever's causing the trouble. IMO, turning it off because it *might*
be causing a problem is throwing the baby out with the bathwater.