
#1 2016-12-22 18:58:30

Uzytkownik
Member
Registered: 2007-07-07
Posts: 20
Website

Problem with NFSv4 + KRB5 on AD

Sorry - I found a lot of descriptions of similar problems on Google but I'm stuck nonetheless, as the solutions described don't seem to work/are not applicable. I'm trying to mount NFS from Gentoo on Arch using Kerberos (I don't have problems with sec=sys). However, in the logs I get the following:

Dec 22 10:10:38 client rpc.gssd[430]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt6)
Dec 22 10:10:38 client rpc.gssd[430]: krb5_use_machine_creds: uid 0 tgtname (null)
Dec 22 10:10:39 client rpc.gssd[430]: Full hostname for 'server.domain' is 'server.domain'
Dec 22 10:10:39 client rpc.gssd[430]: Full hostname for 'client.domain' is 'client.domain'
Dec 22 10:10:39 client rpc.gssd[430]: No key table entry found for client$@DOMAIN while getting keytab entry for 'client$@DOMAIN'
Dec 22 10:10:39 client rpc.gssd[430]: Success getting keytab entry for 'CLIENT$@DOMAIN'
Dec 22 10:10:39 client rpc.gssd[430]: gssd_get_single_krb5_cred: principal 'CLIENT$@DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_DOMAIN'
Dec 22 10:10:39 client rpc.gssd[430]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DOMAIN' are good until 1482466238
Dec 22 10:10:39 client rpc.gssd[430]: creating tcp client for server server.domain
Dec 22 10:10:39 client rpc.gssd[430]: DEBUG: port already set to 2049
Dec 22 10:10:39 client rpc.gssd[430]: creating context with server nfs@server.domain
Dec 22 10:10:39 client rpc.gssd[430]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@server.domain
Dec 22 10:10:39 client rpc.gssd[430]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_DOMAIN for server server.domain
Dec 22 10:10:39 client rpc.gssd[430]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server server.domain

In the tcpdump I see that the client tries to send KRB5_AP_REQ to the server but the server terminates the connection. I don't see anything in the server logs, but when I run gssproxy in debug mode I see it handles a request. Any idea what may be wrong/how to fix it?


I've probably left my head... somewhere. Please wait until I find it.


#2 2016-12-22 23:35:35

Uzytkownik
Member
Registered: 2007-07-07
Posts: 20
Website

Re: Problem with NFSv4 + KRB5 on AD

OK, it looks like a misconfiguration of the server - lack of gssproxy cache dir. Filing a bug against Gentoo.


I've probably left my head... somewhere. Please wait until I find it.
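
Added example, not part of the original posts: a small triage of the rpc.gssd output quoted in post #1, showing that the keytab and ticket stages succeeded and only the context exchange failed, which is consistent with the server-side cause found in post #2. The names `triage`, `PATTERNS` and `HINTS` are hypothetical, and the patterns are taken only from the log lines in this thread.

```python
import re

# Constructed sample: rpc.gssd lines from post #1, abridged.
SAMPLE = """\
Dec 22 10:10:39 client rpc.gssd[430]: No key table entry found for client$@DOMAIN while getting keytab entry for 'client$@DOMAIN'
Dec 22 10:10:39 client rpc.gssd[430]: Success getting keytab entry for 'CLIENT$@DOMAIN'
Dec 22 10:10:39 client rpc.gssd[430]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_DOMAIN' are good until 1482466238
Dec 22 10:10:39 client rpc.gssd[430]: creating context with server nfs@server.domain
Dec 22 10:10:39 client rpc.gssd[430]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@server.domain
Dec 22 10:10:39 client rpc.gssd[430]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server server.domain
"""

# Message fragments as they appear in the thread's log (not an exhaustive list).
PATTERNS = {
    "keytab_miss": re.compile(r"No key table entry found for (\S+)"),
    "keytab_ok": re.compile(r"Success getting keytab entry for '([^']+)'"),
    "tgt_ok": re.compile(r"Credentials in CC '([^']+)' are good until (\d+)"),
    "ctx_try": re.compile(r"creating context with server (\S+)"),
    "ctx_fail": re.compile(r"Failed to create (?:machine )?krb5 context"),
}

# Heuristic reading of each stage; the "context" hint reflects this thread's outcome.
HINTS = {
    "keytab": "no usable principal was found in the client keytab",
    "credentials": "keytab entry found, but no valid machine credentials reported",
    "context": "client credentials are good; check the server-side acceptor (gssproxy here)",
    "ok": "no failure marker seen",
}

def triage(log):
    """Return (first stage that did not succeed, dict of matched markers)."""
    seen = {}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and name not in seen:
                seen[name] = m.groups()
    if "keytab_ok" not in seen:
        return "keytab", seen
    if "tgt_ok" not in seen:
        return "credentials", seen
    if "ctx_fail" in seen:
        return "context", seen
    return "ok", seen

if __name__ == "__main__":
    stage, seen = triage(SAMPLE)
    print(stage, "->", HINTS[stage])
```

The initial miss for the lowercase principal is followed by a success for `CLIENT$@DOMAIN`, so the script does not treat it as the failure.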
