Dear Community!
I'm desperately trying to kerberize my NFS server - can anybody see what I'm doing wrong?
I have an Active Directory running with Samba 4 as PDC. My Linux clients are all kerberized - that is, I have sssd working, I can log in locally on every client, I can authenticate on ssh with Kerberos tickets, I can authenticate on Apache, ...
What I can't get working is getting my NAS / NFS server to use Kerberos.
Relevant server settings:
[admin@server ~]$ cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.DOMAIN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
forwardable = true
proxiable = true
[logging]
kdc = CONSOLE
[realms]
EXAMPLE.DOMAIN = {
admin_server = pdc.example.domain
}
[domain_realm]
.example.domain = EXAMPLE.DOMAIN
[admin@server ~]$ cat /etc/sysconfig/nfs
#
# Optional arguments passed to in-kernel lockd
#LOCKDARG=
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS="-N 2 -N 3"
# Number of nfs server processes to be started.
# The default is 8.
# RPCNFSDCOUNT=16
#
# Set V4 grace period in seconds
#NFSD_V4_GRACE=90
#
# Set V4 lease period in seconds
#NFSD_V4_LEASE=90
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
RPCMOUNTDOPTS=""
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
STATDARG=""
# Optional arguments passed to sm-notify. See sm-notify(8)
SMNOTIFYARGS=""
#
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
RPCIDMAPDARGS=""
#
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS=""
# Enable usage of gssproxy. See gssproxy-mech(8).
GSS_USE_PROXY="yes"
#
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS=""
#
# Optional arguments passed to blkmapd. See blkmapd(8)
BLKMAPDARGS=""
[admin@server ~]$ cat /etc/exports
# /etc/exports - exports(5) - directories exported to NFS clients
#
# Example for NFSv2 and NFSv3:
# /srv/home hostname1(rw,sync) hostname2(ro,sync)
# Example for NFSv4:
# /srv/nfs4 hostname1(rw,sync,fsid=0)
# /srv/nfs4/home hostname1(rw,sync,nohide)
# Using Kerberos and integrity checking:
# /srv/nfs4 *(rw,sync,sec=krb5i,fsid=0)
# /srv/nfs4/home *(rw,sync,sec=krb5i,nohide)
#
# Use `exportfs -arv` to reload.
/zpool *(ro,sync,fsid=0)
[admin@server ~]$ sudo zfs get sharenfs | grep -vE "inher|@|off"
NAME PROPERTY VALUE SOURCE
zpool/users sharenfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain local
zpool/hosts/hosta sharenfs sec=krb5p:sys,rw=hosta.example.domain received
zpool/hosts/hostb sharenfs sec=krb5p:sys,rw=hostb.example.domain received
zpool/hosts/hostc sharenfs sec=krb5p:sys,rw=hostc.example.domain received
zpool/multimedia sharenfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain local
zpool/multimedia/vdr sharenfs sec=krb5:sys,nohide,rw=vdr.example.domain,ro=*.example.domain,ro=*.another.domain local
zpool/pacman-cache sharenfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain local
[admin@server ~]$ sudo cat /etc/dfs/sharetab
/zpool/pacman-cache-armv6h - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/pacman-cache-x64 - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/pacman-cache-x86 - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users - smb on
/zpool/Users - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/usera - smb on
/zpool/Users/usera - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/userb - smb on
/zpool/Users/userb - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/useraunduserb - smb on
/zpool/Users/useraunduserb - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/userc - smb on
/zpool/Users/userc - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/userd - smb on
/zpool/Users/userd - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Users/usere - smb on
/zpool/Users/usere - nfs sec=krb5p:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia - smb on
/zpool/Multimedia - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/Concerts - smb on
/zpool/Multimedia/Concerts - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/Movies - smb on
/zpool/Multimedia/Movies - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/VDR - smb on
/zpool/Multimedia/VDR - nfs sec=krb5:sys,nohide,rw=vdr.example.domain,ro=*.example.domain,ro=*.another.domain
/zpool/Multimedia/kodi - smb on
/zpool/Multimedia/kodi - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/Musicvideos - smb on
/zpool/Multimedia/Musicvideos - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/Series - smb on
/zpool/Multimedia/Series - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/import - smb on
/zpool/Multimedia/import - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/Multimedia/Music - smb on
/zpool/Multimedia/Music - nfs sec=krb5:sys,nohide,rw=*.example.domain,rw=*.another.domain
/zpool/tftp/hostc - nfs sec=krb5p:sys,rw=hostc.example.domain
/zpool/Hosts/hostc - nfs sec=krb5p:sys,rw=hostc.example.domain
/zpool/Hosts/hosta/boot - nfs sec=krb5p:sys,rw=hosta.example.domain
/zpool/Hosts/hosta - nfs sec=krb5p:sys,rw=hosta.example.domain
/zpool/Hosts/hostb - nfs sec=krb5p:sys,rw=hostb.example.domain
/zpool/Hosts/hostb/boot - nfs sec=krb5p:sys,rw=hostb.example.domain
On my clients I start rpc-gssd (as the wiki suggests) and try to mount a share like this:
[usera@client ~]$ sudo mount -vvv -t nfs4 -o sec=krb5,rw nas.example.domain:/Multimedia /mnt
mount.nfs4: timeout set for Thu Oct 6 14:00:27 2016
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.168.1.37,clientaddr=192.168.1.158'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nas.example.domain:/Multimedia
Here's the log of rpc-gssd on the client:
[usera@client ~]$ sudo journalctl --unit rpc-gssd --since "1 minute ago"
Journal file /var/log/journal/5e0ef439f7994943a47bae508e7df148/system@000534f0cb33e28f-ab6e54659a0bab50.journal~ is truncated, ignoring file.
-- Logs begin at Mon 2015-08-17 18:51:34 CEST, end at Thu 2016-10-06 13:58:56 CEST. --
Oct 06 13:58:27 client rpc.gssd[434]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt3)
Oct 06 13:58:27 client rpc.gssd[434]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 06 13:58:27 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:27 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:27 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:27 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:27 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:27 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:27 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:27 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:27 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:27 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:27 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:27 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:27 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: ERROR: Failed to create machine krb5 context with any credentials cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: doing error downcall
Oct 06 13:58:28 client rpc.gssd[434]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt3)
Oct 06 13:58:28 client rpc.gssd[434]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: ERROR: Failed to create machine krb5 context with any credentials cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: doing error downcall
Oct 06 13:58:28 client rpc.gssd[434]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt3)
Oct 06 13:58:28 client rpc.gssd[434]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: ERROR: Failed to create machine krb5 context with any credentials cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: doing error downcall
Oct 06 13:58:28 client rpc.gssd[434]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt3)
Oct 06 13:58:28 client rpc.gssd[434]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: ERROR: Failed to create machine krb5 context with any credentials cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: doing error downcall
Oct 06 13:58:28 client rpc.gssd[434]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt3)
Oct 06 13:58:28 client rpc.gssd[434]: krb5_use_machine_creds: uid 0 tgtname (null)
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Full hostname for 'client.example.domain' is 'client.example.domain'
Oct 06 13:58:28 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN' are good until 1475790496
Oct 06 13:58:28 client rpc.gssd[434]: creating tcp client for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: DEBUG: port already set to 2049
Oct 06 13:58:28 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.DOMAIN for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: ERROR: Failed to create machine krb5 context with any credentials cache for server nas.example.domain
Oct 06 13:58:28 client rpc.gssd[434]: doing error downcall
The keytabs look like this:
Server keytab:
[admin@server ~]$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 server$@EXAMPLE.DOMAIN
1 server$@EXAMPLE.DOMAIN
1 server$@EXAMPLE.DOMAIN
1 server$@EXAMPLE.DOMAIN
1 server$@EXAMPLE.DOMAIN
1 host/server.example.domain@EXAMPLE.DOMAIN
1 host/server.example.domain@EXAMPLE.DOMAIN
1 host/server.example.domain@EXAMPLE.DOMAIN
1 host/server.example.domain@EXAMPLE.DOMAIN
1 host/server.example.domain@EXAMPLE.DOMAIN
1 host/server@EXAMPLE.DOMAIN
1 host/server@EXAMPLE.DOMAIN
1 host/server@EXAMPLE.DOMAIN
1 host/server@EXAMPLE.DOMAIN
1 host/server@EXAMPLE.DOMAIN
1 nfs/server.example.domain@EXAMPLE.DOMAIN
1 nfs/server.example.domain@EXAMPLE.DOMAIN
1 nfs/server.example.domain@EXAMPLE.DOMAIN
1 nfs/server.example.domain@EXAMPLE.DOMAIN
1 nfs/server.example.domain@EXAMPLE.DOMAIN
1 nfs/server@EXAMPLE.DOMAIN
1 nfs/server@EXAMPLE.DOMAIN
1 nfs/server@EXAMPLE.DOMAIN
1 nfs/server@EXAMPLE.DOMAIN
1 nfs/server@EXAMPLE.DOMAIN
1 SERVER$@EXAMPLE.DOMAIN
1 SERVER$@EXAMPLE.DOMAIN
1 SERVER$@EXAMPLE.DOMAIN
1 SERVER$@EXAMPLE.DOMAIN
1 SERVER$@EXAMPLE.DOMAIN
Client keytab:
[usera@client ~]$ sudo klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/client.example.domain@EXAMPLE.DOMAIN
1 host/client.example.domain@EXAMPLE.DOMAIN
1 host/client.example.domain@EXAMPLE.DOMAIN
1 host/client.example.domain@EXAMPLE.DOMAIN
1 host/client.example.domain@EXAMPLE.DOMAIN
1 host/client@EXAMPLE.DOMAIN
1 host/client@EXAMPLE.DOMAIN
1 host/client@EXAMPLE.DOMAIN
1 host/client@EXAMPLE.DOMAIN
1 host/client@EXAMPLE.DOMAIN
1 CLIENT$@EXAMPLE.DOMAIN
1 CLIENT$@EXAMPLE.DOMAIN
1 CLIENT$@EXAMPLE.DOMAIN
1 CLIENT$@EXAMPLE.DOMAIN
1 CLIENT$@EXAMPLE.DOMAIN
1 nfs/client.example.domain@EXAMPLE.DOMAIN
1 nfs/client.example.domain@EXAMPLE.DOMAIN
1 nfs/client.example.domain@EXAMPLE.DOMAIN
1 nfs/client.example.domain@EXAMPLE.DOMAIN
1 nfs/client.example.domain@EXAMPLE.DOMAIN
1 nfs/client@EXAMPLE.DOMAIN
1 nfs/client@EXAMPLE.DOMAIN
1 nfs/client@EXAMPLE.DOMAIN
1 nfs/client@EXAMPLE.DOMAIN
1 nfs/client@EXAMPLE.DOMAIN
I walked through several HowTos but didn't get it working. I read about a bug in gssproxy 0.5 here and tried downgrading to 0.4.1, but that didn't solve my issue either. So I'm stuck with sec=sys.
I can't see what I'm doing wrong - maybe one of you can?
Regards,
MOber
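The rpc.gssd log above asks for a context with `nfs@nas.example.domain` (the name given to `mount`) while the server keytab only lists `nfs/server.example.domain`, the canonical name gssd resolved. The script below is an added example (not from the post or the nfs-utils project) that cross-checks the requested `nfs/<host>` principal against a `klist -k` listing; the log lines and keytab listing it parses are constructed from the output shown above, with duplicate enctype rows collapsed.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the NFS service
# principal that rpc.gssd tries to obtain against the principals present in a
# keytab listing. rpc.gssd builds its target as nfs@<host as given to mount>;
# when only the canonical host name is enrolled, context setup can fail even
# though the machine credential itself was found. All sample data below is
# constructed from the post's journal and klist output.

# Constructed: the lines of interest from the client's rpc.gssd journal.
GSSD_LOG=$(cat <<'EOF'
Oct 06 13:58:27 client rpc.gssd[434]: Full hostname for 'nas.example.domain' is 'server.example.domain'
Oct 06 13:58:27 client rpc.gssd[434]: Success getting keytab entry for 'CLIENT$@EXAMPLE.DOMAIN'
Oct 06 13:58:27 client rpc.gssd[434]: creating context with server nfs@nas.example.domain
Oct 06 13:58:27 client rpc.gssd[434]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nas.example.domain
EOF
)

# Constructed: the server's `klist -k /etc/krb5.keytab` output, one row per principal.
SERVER_KEYTAB=$(cat <<'EOF'
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server.example.domain@EXAMPLE.DOMAIN
   1 nfs/server.example.domain@EXAMPLE.DOMAIN
   1 nfs/server@EXAMPLE.DOMAIN
   1 SERVER$@EXAMPLE.DOMAIN
EOF
)

# Host name rpc.gssd actually requests a service ticket for (nfs@<host>).
gssd_target() {
    printf '%s\n' "$GSSD_LOG" \
        | sed -n 's/.*creating context with server nfs@\([^ ]*\).*/\1/p' \
        | sort -u
}

# Canonical name gssd resolved for a host, or the host itself if none was logged.
canonical_name() {
    name=$(printf '%s\n' "$GSSD_LOG" \
        | sed -n "s/.*Full hostname for '$1' is '\([^']*\)'.*/\1/p" | head -n 1)
    printf '%s\n' "${name:-$1}"
}

# Does the keytab listing contain an nfs/<host>@<realm> entry for this host?
keytab_has_nfs_principal() {
    printf '%s\n' "$SERVER_KEYTAB" | grep -qF " nfs/$1@"
}

# Verdict: returns 0 when the requested nfs/<host> principal is in the keytab,
# 1 otherwise (and prints which name is requested and which one is enrolled).
check_nfs_spn() {
    target=$(gssd_target)
    canon=$(canonical_name "$target")
    if keytab_has_nfs_principal "$target"; then
        echo "ok: keytab holds nfs/$target"
        return 0
    fi
    echo "mismatch: client requests nfs/$target, keytab holds only nfs/$canon"
    if keytab_has_nfs_principal "$canon"; then
        echo "hint: mount via $canon, or enroll nfs/$target as an additional SPN"
    fi
    return 1
}

# Stand-alone run: print the verdict (the function's return code is the result).
check_nfs_spn || :
```

For a live check, replace the two constructed variables with `journalctl -u rpc-gssd` output from the client and `klist -k` output from the server.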
Please refer to this thread - https://forums.freenas.org/index.php?th … ork.26753/