I am trying to use Kerberos with NFS, but I am unable to do so.
Both NFS and Krb alone seem to work. I can mount the NFS share with 'sec=sys', and I can get a ticket using kinit.
However, when combined I get:
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting aaa.bbb.ccc:/srv/nfs/NAS
To set things up I followed the wiki (without any problems).
My configuration is the following:
/etc/exports:
/srv/nfs/NAS *(rw,sync,no_subtree_check,root_squash,sec=krb5p)
/etc/krb5.conf: (same on both server and client)
[libdefaults]
default_realm = AAA.BBB.CCC
[realms]
AAA.BBB.CCC = {
admin_server = aaa.bbb.ccc
kdc = aaa.bbb.ccc
default_principal_flags = +preauth
}
[domain_realm]
aaa.bbb.ccc = AAA.BBB.CCC
.aaa.bbb.ccc = AAA.BBB.CCC
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
/var/lib/krb5kdc/kdc.conf:
[kdcdefaults]
kdc_ports = 88,749
[realms]
AAA.BBB.CCC = {
database_name = /var/lib/krb5kdc/principal
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/.k5.AAA.BBB.CCC
kdc_ports = 88,749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
On server:
user@server:$ sudo kadmin.local -p user/admin
Authenticating as principal user/admin with password.
kadmin.local: listprincs
K/M@AAA.BBB.CCC
host/aaa.bbb.ccc@AAA.BBB.CCC
kadmin/admin@AAA.BBB.CCC
kadmin/andromeda.localdomain@AAA.BBB.CCC
kadmin/changepw@AAA.BBB.CCC
kiprop/andromeda.localdomain@AAA.BBB.CCC
krbtgt/AAA.BBB.CCC@AAA.BBB.CCC
nfs/aaa.bbb.ccc@AAA.BBB.CCC
user/admin@AAA.BBB.CCC
user@AAA.BBB.CCC
user@server:$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/aaa.bbb.ccc@AAA.BBB.CCC
2 host/aaa.bbb.ccc@AAA.BBB.CCC
On client:
user@client:$ kinit -p user@AAA.BBB.CCC
Password for user@AAA.BBB.CCC:
user@client:$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AAA.BBB.CCC
Valid starting Expires Service principal
22.3.2019 12:33:37 22.3.2019 22:33:37 krbtgt/AAA.BBB.CCC@AAA.BBB.CCC
renew until 23.3.2019 12:33:24
user@client:$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/aaa.bbb.ccc@AAA.BBB.CCC
2 nfs/aaa.bbb.ccc@AAA.BBB.CCC
All systemd services (nfs-server, krb5-kdc, krb5-kadmin, nfs-client, rpc-gssd) are running.
The mount attempt returns this:
user@client:$ sudo mount -vv -t nfs4 -o sec=krb5p aaa.bbb.ccc:/srv/nfs/NAS /mnt
mount.nfs4: timeout set for Fri Mar 22 12:47:50 2019
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=xxx.xxx.xxx.xxx,clientaddr=yyy.yyy.yyy.yyy'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=xxx.xxx.xxx.xxx,clientaddr=yyy.yyy.yyy.yyy'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=xxx.xxx.xxx.xxx,clientaddr=yyy.yyy.yyy.yyy'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting aaa.bbb.ccc:/srv/nfs/NAS
Finally, the output log:
<time> aaa krb5kdc[29003](Error): preauth pkinit failed to initialize: PKINIT initialization failed: No pkinit_identity supplied for realm AAA.BBB.CCC
<time> aaa krb5kdc[29003](info): setting up network...
krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
<time> aaa krb5kdc[29003](info): set up 6 sockets
<time> aaa krb5kdc[29003](info): commencing operation
So there is only this preauth error, which seems not to have anything to do with the 'default_principal_flags = +preauth' configuration option (it remains even if I remove this option).
Any help will be appreciated.
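A way to check the keytab side of a Kerberized NFS setup like the one above, as an added example that is not part of the post and not a tool from any NFS or Kerberos project: it parses `klist -k` output and `/etc/exports`, works out which Kerberos sec= flavours the server exports, and reports whether each host's keytab holds the principals that role needs. The server must hold `nfs/<server fqdn>@REALM`; the client's rpc.gssd looks for a machine credential named `nfs/`, `root/` or `host/` followed by the client's own FQDN (the name forms documented in rpc.gssd(8)). The listings and the exports line are the ones quoted in the post, embedded as constructed sample input; the client hostname `client.aaa.bbb.ccc` is a placeholder because the post does not name the client.

```python
import re

# Constructed sample input: the keytab listings and the exports line quoted in the post.
KLIST_SERVER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/aaa.bbb.ccc@AAA.BBB.CCC
   2 host/aaa.bbb.ccc@AAA.BBB.CCC
"""

KLIST_CLIENT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/aaa.bbb.ccc@AAA.BBB.CCC
   2 nfs/aaa.bbb.ccc@AAA.BBB.CCC
"""

EXPORTS = "/srv/nfs/NAS *(rw,sync,no_subtree_check,root_squash,sec=krb5p)\n"

# Service-name forms rpc.gssd tries when looking for a machine credential (rpc.gssd(8)).
CLIENT_MACHINE_SERVICES = ("nfs", "root", "host")


def parse_keytab_listing(text):
    """Parse `klist -k` output into {principal: {kvno, ...}}; header lines are skipped."""
    principals = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            principals.setdefault(m.group(2), set()).add(int(m.group(1)))
    return principals


def parse_exports(text):
    """Parse /etc/exports into (path, client_spec, options) tuples, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", spec)
            options = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, m.group(1) or "*", options))
    return entries


def krb5_flavors(entries):
    """Collect the Kerberos sec= flavours (krb5, krb5i, krb5p) the exports ask for."""
    flavors = set()
    for _, _, options in entries:
        for opt in options:
            if opt.startswith("sec="):
                flavors.update(f for f in opt[4:].split(":") if f.startswith("krb5"))
    return flavors


def check_server_keytab(principals, server_fqdn, realm, flavors):
    """Problems with the server keytab, given the Kerberos flavours it exports."""
    problems = []
    if not flavors:
        return problems  # nothing exported with krb5*, so no nfs/ key is needed
    needed = f"nfs/{server_fqdn}@{realm}"
    if needed not in principals:
        problems.append(f"missing {needed}: the server cannot accept "
                        f"sec={','.join(sorted(flavors))} mounts without its own nfs/ key")
    return problems


def check_client_keytab(principals, client_fqdn, realm):
    """Problems with a client keytab as a source of rpc.gssd machine credentials."""
    problems = []
    candidates = [f"{svc}/{client_fqdn}@{realm}" for svc in CLIENT_MACHINE_SERVICES]
    if not any(c in principals for c in candidates):
        problems.append("no machine credential for this host; expected one of "
                        + ", ".join(candidates))
    # A service key for another host should not be sitting in this keytab at all:
    # keytabs are key material, and each host should hold only its own principals.
    for princ in principals:
        service, _, rest = princ.partition("/")
        host = rest.split("@", 1)[0]
        if service in CLIENT_MACHINE_SERVICES and host and host != client_fqdn:
            problems.append(f"{princ} belongs to host {host}, not {client_fqdn}")
    return problems


if __name__ == "__main__":
    flavors = krb5_flavors(parse_exports(EXPORTS))
    print("exported krb5 flavours:", sorted(flavors))
    print("server:", check_server_keytab(parse_keytab_listing(KLIST_SERVER),
                                         "aaa.bbb.ccc", "AAA.BBB.CCC", flavors) or "ok")
    # "client.aaa.bbb.ccc" is a placeholder; the post does not name the client host.
    print("client:", check_client_keytab(parse_keytab_listing(KLIST_CLIENT),
                                         "client.aaa.bbb.ccc", "AAA.BBB.CCC") or "ok")
```

Run on a real host by replacing the embedded strings with `subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout` and the contents of `/etc/exports`; the FQDN passed in should be the one reverse DNS returns for the host, since that is the name the GSS library uses to pick the key.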